Update concerning recent CC thefts at Florida ASA


    #16
    We recommend all of our members to outsource accepting credit card payments to companies like Touch Net, Verisign, Pay Pal, etc. because it is so cost prohibitive to comply with the PCIDSS. Also, if there is a breach they are the ones who become liable.

    A few other things:
    The hackers could have broken into a transmission line from the source to the cc processor, at the cc processor's system, or the transmission from the processor to the banks.

    A company does not have to store any of the card numbers for them to be stolen from a system. They only have to pass through the system. Outsourcing will prevent the numbers from going through a company's information system, the company will never even see the numbers.

    If the credit card is physically swiped on the card reader, and the card reader is connected directly to the bank (you will hear the computer tones), there is much less risk of theft than taking a card number over the phone.

    The database/credit card application must encrypt the data and access to the application must be restricted to authorized users who have passwords to be PCIDSS compliant. Any transmission of credit card information must be encrypted, too.

    This is some serious stuff and someone better sit up and pay attention rather than brushing off the PCIDSS and the advice from information security specialists. Just because someone can set up a web site and knows information technology doesn't mean they understand security.



      #17
      Oh yeah - lots of banks are increasing fees to companies who cannot prove they have a PCIDSS operating plan in place. For example, one company I know of used to ask "would you like to pay for that with the card you have on file with us?" The bank told the owner, if you don't process / swipe each transaction with the physical card, the fees will be 10 times greater. Guess what - he doesn't store CC anymore.

      (and Jimmy - I knew that was you over at ASA. I'm sorry I didn't state the wording was pirated from you.)



        #18
        Originally posted by Dusty Britches
        We recommend all of our members to outsource accepting credit card payments to companies like Touch Net, Verisign, Pay Pal, etc. because it is so cost prohibitive to comply with the PCIDSS. Also, if there is a breach they are the ones who become liable.

        A few other things:
        The hackers could have broken into a transmission line from the source to the cc processor, at the cc processor's system, or the transmission from the processor to the banks.

        A company does not have to store any of the card numbers for them to be stolen from a system. They only have to pass through the system. Outsourcing will prevent the numbers from going through a company's information system, the company will never even see the numbers.

        If the credit card is physically swiped on the card reader, and the card reader is connected directly to the bank (you will hear the computer tones), there is much less risk of theft than taking a card number over the phone.

        The database/credit card application must encrypt the data and access to the application must be restricted to authorized users who have passwords to be PCIDSS compliant. Any transmission of credit card information must be encrypted, too.

        This is some serious stuff and someone better sit up and pay attention rather than brushing off the PCIDSS and the advice from information security specialists. Just because someone can set up a web site and knows information technology doesn't mean they understand security.

        Yep

        Makes ya wonder if someone over there is working on their resume this week.



          #19
          I was lucky, Visa caught mine after 3 internet transactions and killed the card. Would love to know location of culprit.



            #20
            Originally posted by old killer
            I was lucky, Visa caught mine after 3 internet transactions and killed the card. Would love to know location of culprit.

            They're kind...everywhere. Some of the stories as to who got took for what are mind boggling.

            One guy...$2700 towards a down payment on a new motorcycle.



              #21
              Thanks for the heads up
