Way back in 1984, or thereabouts, when I got my very first computer (an Apple IIc, if you must know), the last thing I ever thought I would have to be is a security expert. I thought it was enough that I mastered SuperCalc (and later, SC2, ’cause that’s how I roll) and made my name scroll diagonally on the screen x times.
Nor, in 1989, when I was programming restaurant databases on old CP/M machines or running chain (Remanco users unite!), did I ever think I would have to be a security expert.
What about in late 1994 when I got my very first ‘real’ computer? First website in ’95, rockin’ the AOL account on a screamin’ fast 14.4 modem. Did I think I would have to be a security expert then? Nope.
Working help desk from 1997 – 1998?
Restaurant Point of Sales installation and training from 1999 to now?
Playing pseudo network/sys admin from ’00 – ’02?
Nope, nope and nope.
But here we are. 2007. The internets aren’t safe any more. I’m stuck in a Windows world with Windows devs that make me use IE on office computers manned by women who could honestly give a crap about what kind of nastiness gets on their machines. Oh, but there is so much more!
My newest headache? PCI DSS.
The PCI Security Standards Council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.
The PCI Security Standards Council’s mission is to enhance payment account data security by fostering broad adoption of the PCI Security Standards. The organization was founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International.
So, not just any security, but credit card security. I would have never guessed.
As it turns out, people like to pay for car washes with those little plastic cards. About 30K a month company wide. That’s a lot of swipes! And I’ve been tasked with keeping those numbers safe. Piece of cake. Lucky for me there is a 74 page doc of the requirements, a 14 page self questionnaire and a 25 page doc on the certification process (that, luckily, I don’t have to deal with).
So my days for the last 2 months have been clogged with implementing advanced security procedures with users that are far less than advanced. The idea of a unique name and complex password (changed every 90 days please) to my users makes them give me the Lassie look, followed by smoke from their ears.
Expensive? Not as bad as you would think. New Sonicwall internet devices are on my desk waiting to be configured and installed. It’s also getting me an upgrade on my Corporate copy of Norton Antivirus with kick ass pricing from AT&T (I know!). Oh, and a VPN in another week or so. All good.
But, this week as I was continuing on through the 75 page document to the sections I haven’t completed, I come across the dreaded section 9. Physical security. It says, in not so many words, that any device where credit cards are stored must be secure. By secure I mean
- Access limited. Besides a locked door, some type of badge access system in place
- Monitored with a video camera
- All access logged. Logs kept online for 3 months, retained for a year
“Hey, that’s awesome db! Nice to see someone doing something to protect my data!”
Yea, hey, no problem. But, here’s the thing. I don’t have 1 location where card holder data is stored.
I have 8.
For all its badness, the internet does some pretty neat things. One of those neat things is making it possible for retailers to swipe your credit card and get an approval back with a voucher printed in less than 10 seconds. Actually, it’s closer to 7 (yes, I have timed it). It’s about a 4K packet being sent from the retailer to the processor and then returned with a yay or nay vote. The old way, with a modem, used to take as long as 20 seconds. The bulk of that time was the handshaking that had to happen between the retailer and the processor, because even at 33.6 speeds, 4K up and back is still a pretty speedy trip, ya know?
Anyway, it’s because we process credit cards over the internet this way (instead of using a modem) that I have to do all of the extra work.
Section 9 could seriously mess all that up, tho. I’m all about keeping stuff as secure as possible, but honestly, it’s not cost effective to do it the way I’m required to. Also, for the low volume that I have to manage, I really think it’s overkill. Besides overkill, it’s cost prohibitive for our small company. Having to do any of the items in section 9 would actually cause me to have to revert back to dial-up for credit card processing. Nobody likes that. Customers don’t, because transactions take longer. Processors don’t like it because they have to keep the modems revved up, plus the 800 number to dial into. It’s bad bad all the way around.
So, I have calls out to everyone I know that is doing this right now to see how much I’m really going to have to do. I’m hoping they come back with the information I want to hear.