By Jim Brinton, CEO, Avanti Markets
During my research for this post, I kept finding the phrase “the ugly truth” used in conjunction with data breaches and PCI compliance. I found it so often, in fact, that it was one of my working titles for the blog.
After going through our data incident last summer, I can attest to the fact that the remediation process is ugly, painful, and a drain on resources. I thought I knew what PCI compliance entailed and how to protect our operators and consumers. The reality was, as prepared as we were, some criminal mind out there was working to penetrate all of our blockades and firewalls to get to the payment card data. And we weren’t the only ones. In 2017 alone, it was reported there were 1,579 data breaches, a 44.7% increase over the record set during 2016, which itself experienced a 40% increase over the previous year. And those numbers don’t include the number of breaches that haven’t been discovered yet.
What Happened
Last year, in an effort to lead the industry in payment security, Avanti Markets had mandated that all of our network of kiosks be upgraded to a state-of-the-art, encrypted payments device that tokenized every transaction that included cardholder data. We believed so much in this direction that we committed over $1 million of our own money to ease some of the financial costs of this effort to our Operator network. This device is validated to meet all the data security standards dictated by the Payments Security Standards Council. We were more than 50% installed when a hacker came through a back door and infected several of our kiosks with a new version of malware that had never been reported before.
The Recovery Process
During the last several months, Avanti Markets has gone through painstaking efforts to requalify for PCI compliance at the elevated status of a Level 1 Merchant of Record. PCI compliance has 12 main categorical requirements, which contain almost 300 total requirements in the PCI standard. Prior to beginning the recertification process, we engaged an independent cyber risk consultancy to assess, validate, and advise on changes to our current environment. This comprehensive engagement investigated our total environment, including our physical property, the training of our people, our information technology systems, and our applications. They provided several positive recommendations to prepare us for the certification process.
It’s interesting to note that point-of-sale (POS) software falls primarily under requirement 6 of the PCI standards, which is “Develop and Maintain Secure Systems and Applications.” The other 11 requirements hardly mention software.
A few specific examples of the PCI requirements include:
- Deploy and maintain a firewall between the credit card environment and public networks.
- Test your systems quarterly for vulnerabilities both externally and internally.
- Manage the access your employees have to sensitive data.
- Train your employees upon hire and once a year thereafter about how to handle credit cards safely.
The Truth About “PCI Compliance”
Having secure software is important but insufficient when it comes to PCI compliance. If you process your credit cards through your POS software, it’s not enough. Businesses that fall under this model must understand that software alone—even if it meets the PCI requirements as dictated by PA-DSS (Payment Application Data Security Standard)—does not make your environment PCI compliant. Claiming to be “PCI compliant” solely on the basis of software applications is false advertising.
The following table illustrates the differences between PCI-DSS certification and PA-DSS validation.
| MILESTONES TO MEET DSS v.3.2 STANDARDS | PCI-DSS | PA-DSS |
| --- | --- | --- |
| 1. Secure payment card applications. | | |
| 2. Remove sensitive authentication data and limit data retention. | | |
| 3. Protect systems and networks and be prepared to respond to a system breach. | | |
| 4. Monitor and control access to your systems. | | |
| 5. Protect stored cardholder data. | | |
| 6. Finalize remaining compliance efforts, and ensure all controls are in place. | | |
Moving Forward
After hundreds of man-hours and countless tests, remediations, and retests, Avanti Markets is proud to announce that we have completed the rigorous process and expect to receive our Report of Compliance (ROC). The ROC is the mandatory report from an independent qualified security assessor that has audited Avanti Markets and its organization against almost 300 items listed in the PCI standards. As part of the ROC process, we will receive our Attestation of Compliance (AOC) that Avanti Markets, from its staff through all its systems and processes, meets all the standards and is truly PCI-DSS certified.
With our back doors closed and locked, our continuous and regulated testing of our systems and personnel, and the heightened awareness of how a company can be violated (from our own experience), we are PRIMED and READY to continue the innovative, operator-focused development that has made us the premier micro market provider for the independent operator.
We remain evermore dedicated to our operators and their consumers and will continue to employ every tool to keep all levels of the organization safe, secure, and protected.
# # #
About Jim Brinton, CEO, Avanti Markets, Inc.
Jim’s impressive career and background include overseeing Avanti Markets Inc., Avanti Markets Northwest, and Evergreen Vending. He also remains active through a genuine dedication to the industry and community as evidenced by serving as Northwest Automatic Merchandising Association’s past President, receiving the prestigious “Industry Person of the Year” award from the National Automatic Merchandising Association and serving multiple years as NAMA’s Chairman. He serves in numerous other Board of Directors positions, speaks at advocacy and education events, and more.
About Avanti Markets
More than just a micro market solutions provider, Avanti Markets delivers impactful experiences for micro market operators and customers through innovation, technology and excellent products and services. The business that started with just one soda machine in 1976 is now the trusted leader in the unattended retail market experience, with more than 7,000 micro market kiosks throughout the U.S.