PCI Compliance Observations From The Front Lines

Posted February 3, 2012, 10:00 am by Jorge Flores

Image of Jorge

Jorge Flores

My name is Jorge Flores, and I’m an Account Development Specialist at ANX.  I began my career at ANX several months ago after graduating from Western Michigan University.  Each day I speak with dozens of franchise business owners and management staff about the need for PCI Compliance.  It is extremely rewarding when I hang up with someone knowing that I bolstered their knowledge on the importance of achieving and maintaining PCI compliance. The sheer scale of misconceptions and unawareness regarding the importance of PCI compliance and the benefits it has on our data security is simply astounding.  

Receiving much publicity lately has been a data breach involving a well renowned sandwhich shop.  More than 150 franchisees were affected leading to the theft of over 80,000 credit card numbers. The result was over $3 million in fraudulent charges. The scheme was in place for over three years before being detected and involved very simple tactics that exploited common weaknesses within POS software. It is widely known that had the victimized franchisees been PCI compliant at the time of the attack, the chances of this happening would have been slim to none.

More information regarding the data breach can be found here.

As my experience grows here at ANX, I will be posting a blog series on my observations within the PCI compliance realm. These can be common misunderstandings, challenges, or even innovative strategies having to do with achieving and maintaining PCI compliance.

Observation 1: The widespread misconception that a POS system can ensure PCI compliance 

My first observation about PCI compliance involves point of sale (POS) systems.   The majority of people believe that their POS system makes them PCI compliant. This is one of the greatest, most common, misunderstandings that I need to dispel when speaking with business owners (remember this belief was the primary factor leading to the Subway breach).  There seems to be two reasons for this misunderstanding.  First, business owners are not security and compliance experts. The sheer scope of PCI compliance is far above the heads of many of these professionals who are focused on running the operations of their business. Second, most POS vendors advertise their systems as being PCI compliant. Subsequently, business owners make the logical leap that this software is enough to meet all PCI requirements for their business.  While it’s true that POS software must be PCI Compliant, this alone does not make the overall business entity PCI compliant. There are many other steps that need to be implemented on their end to ensure overall PCI compliance.

Remember: No single piece of software or hardware can ensure PCI compliance.

Stay tuned next Friday for Observation #2!

 
Edited December 29, 2014 by Jorge
Listed in Communities: Our Site


You must be logged in to post comments.