I read an article in BankInfoSecurity about a breach of a restaurant in Texas located on Interstate 45 between Houston and Dallas. Someone seems to have gotten into the restaurant's point-of-sale systems through a third-party vendor.
It is interesting that everyone is a potential target these days, and small businesses like restaurants do not have the skilled manpower needed to properly defend their computer systems.
The article also had some quotes from Jerry Silva, a consultant in the financial services industry: “In the end, compliance with the Payment Card Industry Data Security Standard is the best way to prevent cardholder compromises. The problem, however, is that many merchants and processors remain out of compliance… Sometimes, if you are a merchant acquirer and are showing a good faith effort to get PCI compliant, a lot of times the auditors will let it go. If they are making good progress, then the auditors sometimes will be lenient. Compliance does not always mean compliant.”
It’s hard to create security through regulations, and PCI-DSS is a good attempt. Unlike most compliance regulations, PCI-DSS provides reasonably detailed technical requirements and not general concepts about analyzing risks and mitigating them. It even requires database auditing explicitly, which I consider crucial.
Another quote from Silva later in the article is “It’s almost like we need a different model, like federated security… The process we have in place is not working. And I don’t think EMV [Europay, MasterCard, Visa standard] will solve it. I think EMV does solve some of the issues, but not all.”
I have to say that I agree. The problem in these cases is no longer knowing what to do, but actually doing it. Yes, databases should be audited. There is plenty of evidence to support this. But are YOU auditing your databases? Will your auditor let you slide because you’re making an effort? While I’m all for helping out the little guy, I’m not sure I would be a happy customer if the restaurant I ate in last was breached.
Requiring a restaurant to be PCI-DSS compliant is ridiculous and will never happen. Not requiring a restaurant to be compliant, or cutting corners, will compromise credit cards and make the unfortunate customers very unhappy. Something has to change; the question is what. This might be a good place to end this post, but I don’t like questions without answers.
My opinion is that if you choose to store credit card information in your computer systems you have to be PCI-DSS compliant all the way, and hopefully more. Anything less is clearly a problem. But I think that the current method of credit card processing puts an unreasonable burden on the small businesses that use it. Instead of storing card information in various devices along the way to the processors, credit card terminals should immediately encrypt and transport the information offsite. Small businesses have no business storing credit cards in their systems. If they choose to do that, they have to be PCI-DSS compliant.
Another way of putting this is that all POS systems should be PCI-DSS compliant. Forcing vendors of credit card terminals and various POS software to go through rigorous audits will promote an “encrypt and send” methodology. Pushing this functionality into the card readers and avoiding local storage will significantly improve security on the small business end.
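To make the "encrypt and send" idea concrete, here is an added example (my own illustration, not code from the post or from any terminal vendor) of the data flow it implies: the card reader derives a per-transaction key, encrypts the card data for the processor, and hands the POS only a masked PAN and a transaction reference, so the merchant's systems never hold a cleartext card number. The base key, terminal ID and card number are constructed values, and the cipher is an HMAC-SHA256 counter-mode stream cipher with an encrypt-then-MAC tag, chosen so the example runs on the standard library alone; a real P2PE terminal would use an AES-based scheme with keys injected and managed by the processor.

```python
"""
'Encrypt and send' at the card reader.  Added illustration, not the post's code.
The terminal encrypts card data for the processor before anything reaches the
merchant's POS; the POS keeps only a masked PAN and a transaction reference.
The cipher below (HMAC-SHA256 keystream + HMAC tag) is a constructed stand-in
for the AES-based P2PE a real terminal would use.
"""
import hashlib
import hmac
import json
import secrets

# Constructed base derivation key shared by terminal and processor (assumption:
# in practice it is injected into the reader and held in the processor's HSM).
BASE_KEY = hashlib.sha256(b"example-base-key-not-for-real-use").digest()


def derive_txn_key(base_key: bytes, terminal_id: str, counter: int) -> bytes:
    """Per-transaction key: losing one key exposes one transaction, not all."""
    return hmac.new(base_key, f"{terminal_id}:{counter}".encode(), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 blocks (stand-in cipher)."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC with separate keys derived from the transaction key."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt(key: bytes, envelope: dict) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = (bytes.fromhex(envelope[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("envelope failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Terminal:
    """The card reader: the only merchant-side device that sees the PAN."""

    def __init__(self, terminal_id: str, base_key: bytes):
        self.terminal_id = terminal_id
        self._base_key = base_key
        self.counter = 0

    def swipe(self, pan: str, expiry: str, amount_cents: int) -> dict:
        """Encrypt inside the reader and return only what the POS may see."""
        self.counter += 1
        key = derive_txn_key(self._base_key, self.terminal_id, self.counter)
        envelope = encrypt(key, json.dumps({"pan": pan, "exp": expiry}).encode())
        return {
            "terminal_id": self.terminal_id,
            "counter": self.counter,
            "amount_cents": amount_cents,
            "masked_pan": "*" * (len(pan) - 4) + pan[-4:],
            "envelope": envelope,  # forwarded to the processor, not stored
        }


def pos_record(message: dict) -> dict:
    """What the merchant's POS persists: no PAN, and no envelope once forwarded."""
    return {k: message[k] for k in ("terminal_id", "counter", "amount_cents", "masked_pan")}


def processor_decrypt(base_key: bytes, message: dict) -> dict:
    """Processor side: re-derive the transaction key and open the envelope."""
    key = derive_txn_key(base_key, message["terminal_id"], message["counter"])
    return json.loads(decrypt(key, message["envelope"]))


def contains_pan(record: dict, pan: str) -> bool:
    """Audit check a merchant can run over stored records: does the PAN leak?"""
    return pan in json.dumps(record)


if __name__ == "__main__":
    term = Terminal("T001", BASE_KEY)  # constructed terminal ID
    msg = term.swipe("4111111111111111", "12/27", 1999)  # constructed test PAN
    print("POS stores:", pos_record(msg))
    print("Processor sees:", processor_decrypt(BASE_KEY, msg))
```

The point of the split is that the POS software, the back-office server and the third-party vendor's remote access all sit on the `pos_record` side of the line: there is nothing there worth stealing, and `contains_pan` is the kind of check an auditor could run over a merchant's stored data to confirm it.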