B2B Vault Episode 49: PCI Compliance

Written by Allen Kopelman

February 3, 2022

Video Transcription

Hey everybody. Welcome to B2B Vault: The Payment Technology Podcast, providing educational information for business owners and merchants on various subjects having to do with credit card processing, merchant accounts, and payment technology. Today we’re going to talk about PCI compliance and what it’s all about, because we get questions all the time from our clients, sales reps, and people in the industry, and they say: what is PCI compliance? Why do we have to do it? So we’re going to get into PCI compliance today and talk all about it. We’re even going to talk about some cases where there were breaches and what happened with them. So what is PCI compliance? The Payment Card Industry Data Security Standard is an information security standard for organizations that handle branded credit cards from the major credit card schemes.

The PCI standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council, the PCI Security Council. They have a website; you can Google “PCI Security Council,” and on their website you can find out more than you ever wanted to know about PCI compliance, I can tell you that. So who requires PCI compliance? All the card brands, the processors, and the banks that process credit cards mandate that merchants complete a yearly PCI self-assessment questionnaire. And if you’re doing non-card-present transactions, you’re required to run quarterly and/or monthly scans depending on your volume. So if you have a point of sale system or e-commerce, those systems all have to be scanned, and then you get a report back saying you passed or failed. If you failed, some vulnerabilities are listed in the report, and then you have to take care of those. One of the things merchants run into is that they have one router in their business, and then they have cameras, their point of sale system computers, and open wifi for the guests in their business, the customers, all on it.

And you can run into problems with PCI compliance when you have multiple systems linked up and maybe you don’t have a full-time IT guy, but there are ways to get around that. Merchants should run these scans and not pay the non-compliance fees; it takes 10 or 15 minutes, or if you have a point of sale system it might take half an hour to run through the SAQ. You can get the company on the phone and somebody will walk you through the whole thing, but we’re going to get into all that. Every company charges a fee for PCI compliance or includes it in its bundled pricing. So everybody has to do PCI compliance, and some companies charge non-compliance fees if you don’t complete the questionnaire. And I can tell you, if you have a simple credit card machine or a simple POS system using a semi-integrated solution, it’s straightforward. It takes 10 to 30 minutes to fill out most of the time. And then yearly you log in and click yes, yes, everything’s the same, and you’re all done.

You call up support, and they can help you do it. That way you can save money on non-compliance fees; you shouldn’t pay non-compliance fees. I don’t want to use the word lazy, but don’t be lazy: do the PCI compliance. So why is this important, and what happens if you have a PCI compliance breach and then there’s a problem? I will talk about merchants that I helped that had a problem. The first one was a restaurant, and they got breached. Thirty thousand credit cards were stolen. The merchant was very cooperative, which was nice. The Secret Service showed up at the restaurant, and we had to get a vendor out there who does a QSA. So they come in and they bring their little black box, and they suck all the data off the hard drive. Then they can look at the hard drive, and they could see it right there, in like 10 minutes on the guy’s laptop, because obviously they know what they’re searching for.

They could see exactly when the breach happened. It showed that an employee used the two computers in the office. One was hooked up to the POS, and one was just for office work. But somebody went on the PC connected to the point of sale and accessed Facebook, MySpace, and a few other websites. They must have downloaded something or clicked on a link, and they got some malware or a keylogger onto their system. And that gave the person access, and that person sucked off over 30,000 credit cards. The merchant went through this whole investigation, and then there were three or four telephone calls with the credit card processor. We had another telephone call with the card brands. So they were on the telephone, and it was discussed what kind of fine there was going to be. And the credit card processor had breach insurance.

So they stepped in and negotiated whatever they negotiated with them, so we don’t know what the fine was. The original fine was $150,000. I think it got reduced to way less than that because the merchant also cooperated. At the same time, we found that there were five or six other restaurants in the same general area that all got breached. I was not involved in any of those cases, but we found out from the Secret Service that something went on in the same general vicinity. So those businesses were targeted. And the merchant, on their end, replaced like three point-of-sale terminals in the restaurant that were old, that were using non-PCI-compliant software, and replaced the server. So that was on them. And then the breach insurance covered the rest of the whole thing.

We had to go through getting their system rescanned, and it passed, and then the processor let them stay processing. So restaurant number two had over $50,000 of damage done with the credit cards that were stolen. The person who stole the credit cards made over $50,000 in purchases using the stolen credit cards. The merchant had to replace the whole POS system. They almost went out of business but could get a loan to cover it, because they still had money on the old POS. It was a huge problem. I got involved. I got them a QSA. They gave all the equipment from the old POS to the Secret Service, who investigated. We don’t know if anybody got caught, because they never tell us. Oh really? Yeah. The Secret Service dealt with them a few times, and they never tell you whether they caught somebody or what happened. They come up with this thing, and they call it a common point of purchase.

So that’s how they find out where these breaches originated. What happens is they find a bunch of stolen credit cards, they track a bunch of chargebacks, right? So then they find a bunch of chargebacks, and they trace back what all those credit cards have in common. Did they make any purchases in the same place? And that’s how they trace it back to where the breach was. And once they’ve confirmed that the breach was there, that’s when they have the QSA come in. The QSA comes in with this special black box; they hook it up to the server and suck all the data off. And then, while the guy’s sitting there, he hooks it up to his laptop, and he can find the breach, which I thought was crazy.

I mean, these guys that I saw doing this stuff were just incredible computer guys. They knew what they were looking for. And so that was a common point of purchase. So that’s a big thing: the restaurant had a huge fine, negotiated down. The merchant had to pay the fine. And it turned out that the breach was caused by somebody clicking on a malicious email and downloading something onto the computer. So I always tell people, you want to have a safe restaurant, you want to have a safe business: you have your point of sale on one router, your office computers on a second router, and your public wifi on some other piece of equipment, everything firewalled off from each other, so you don’t have a problem. One of the biggest breaches was TJ Maxx.

Most of the big ones that you read about are inside jobs, where somebody that worked at the business knew the vulnerability, gets in there, causes an attack, and downloads a bunch of credit cards. And then what do they do with them? Upload them to the dark web, and then they sell all the credit cards. So restaurant three, this one was a little bit crazy. They had a breach, and there was a common point of purchase involving more than one restaurant. It was a group of restaurants with a common point of purchase, and the card brands wanted to do them; there was a request by PCI and Visa to get a copy, to get the server mirrored. By the time the guy showed up there, the POS company, which I’ll leave nameless, must have known that there was a vulnerability. They were in there before we got there, because when we got there, there was a brand new server. And because it was a brand new server, they wouldn’t give access.

The merchant, we couldn’t prove; they couldn’t do anything to the merchant. The evidence disappeared. The merchant was on the breach list, though, the compromise list. If they tried to get another merchant account and were asked, did you ever have a breach or a compromise, they would have to answer yes. If they said no and the company searched, they would show up on the list as having had something going on there. They did pass the PCI compliance, but nobody ever got the information about what happened, and they couldn’t get fined, because basically the evidence disappeared. We had another one where a nightclub had a breach, and the processor was holding a couple of million dollars of their funds until there was an investigation. They happened to contact us. We assisted them in getting an investigation done at the place and had the point of sale inspected and all that. So, in the investigation (oh, you skipped the slide), you might have to deal with the Secret Service.

You’re going to have to deal with calls from the card brands and the settlement bank, calls with the credit card processor, the QSA, PCI assessment firms. Those cost 15 to 20 grand for them to come out. And if they want your system recertified, you’ve got to get another one, a different company, to come out and recertify your system, spending another 15 or 20 grand. And I would say 99% of the time there’s no insurance for all this. And then if you have to replace hardware, software, et cetera, that’s all on the merchant. So it would be best if you did your PCI compliance. The last episode we did was about cybersecurity, and with PCI compliance, fewer businesses are getting these attacks because of EMV. Also, the semi-integrated PIN pads cut down on what’s traveling across the networks, but not every system is set up that way with semi-integrated. Many of the bigger systems out there don’t run on integrated payments. So that means payments are flowing through the whole system and not just off the card readers. So you have to make sure that you do your PCI compliance and you run your scans, so that you know your environment is safe, because you’re PCI compliant until somebody breaks in and un-PCIs you, more or less, but it’s a big headache to deal with. We do consult, so we’ve gotten phone calls from people.

They go, oh, I think I got… you know, I had customers call me on the phone and say their credit card number was stolen, and they used it at my restaurant. Then I tell them, the best thing to do: you have a PCI company; go in, run a scan, and see what happens when you run the scan. If you pass the scan, then nothing’s going on in your place. If you want to hire a QSA, get ready to open your checkbook, because those guys are coming in and they’re going to mirror your system. If they find anything, they will contact the Secret Service. So you don’t want to do that. I’ll never forget the first time. I remember as a kid meeting Secret Service agents at one of the Republican or Democratic national conventions on Miami Beach when I was a little boy, and my dad had a store. There were many Secret Service people all around the area because of the convention. So I remember meeting people that worked at the Secret Service. I thought it was pretty cool, and there was FBI around too, but it’s not fun when the Secret Service shows up.

They’re at the restaurant, and the restaurant owner is freaking out, because the Secret Service and the FBI are the ones looking into these cybersecurity episodes and these breaches, and there are all kinds of breaches that go on. People will breach a system and go in and steal personal information from hospitals, from different places, to have a ransomware attack, things like that. But wherever there are credit cards being processed, people will try to break into the systems, and then they’ll sell it on the dark web. And then they’ll try to break into anybody’s system that they can. That’s another thing: I tell people, if you have a website, you need to make sure your website is PCI compliant and you don’t have any open vulnerability. We had a client, and I’ll talk about this one where nothing happened to them, but somebody had an open vulnerability on the website: you could donate one penny. So what happened was somebody saw that, they wrote a robot program, and they attempted to upload a whole file of credit cards.

The client caught it when a couple hundred of them had gone through; they saw it on their system, and they pulled the plug on the website. They shut it down. So only a couple of hundred credit cards went through, but we had another client where over 50,000 credit cards went through, and they’re like, oh, are we going to get charged for that? Yeah, you’re going to get charged. The gateway company charges 10 cents a transaction times 50,000, and the credit card company will charge you 10 cents a transaction times 50,000 for all the transaction fees. So that is a huge, huge bill. They didn’t have monitoring set up on their system to see that someone did a bust-out on their website. And so I told them, I said, why would you do that, where you could run one penny or zero transactions on your website? You’ve got to change that to a minimum of like five bucks, so somebody’s not going to do it, because they’re going to get caught.

So you have to set up monitoring on your website, security like velocity: how many transactions can be processed in whatever the time limit is, let’s say 10 minutes. You don’t want somebody to go and start uploading in the middle of the night, because that’s what happens: while we’re asleep, they’re awake over in Russia or China, and that’s when they’re attacking people’s websites and stuff. So it’s important to make sure you have website security and run your PCI compliance. And even now, I think that some web host companies have special e-commerce servers with extra security on there, but you have to make sure that you have your security set up on the gateway, your velocity settings all set up, so that you don’t have problems like being open for an attack, and make sure on your gateway you have all your passwords and all that kind of stuff set up. Same thing on your computers and everything in your business. If you have a point of sale system, you must ensure you have strong passwords, so people can’t log in and attack your system.
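The minimum-amount and velocity controls described above, as an added example that is not from the podcast or from Nationwide Payment Systems: a small Python screen run over a constructed gateway log, showing how a $5 floor plus a per-source cap inside a 10-minute window stops a penny "bust-out" like the one in the story. The window and floor follow the transcript; the cap of four attempts per source IP, the log format and the sample records are assumptions.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Thresholds: the $5 floor and 10-minute window come from the transcript;
# the per-source attempt cap is a hypothetical value to tune per business.
MIN_AMOUNT_CENTS = 500
WINDOW = timedelta(minutes=10)
MAX_ATTEMPTS_PER_SOURCE = 4

# Constructed gateway log (not real data): (timestamp, source_ip, card_last4, amount_cents).
SAMPLE_LOG = [
    ("2022-02-03T12:00:00", "198.51.100.7", "4242", 2500),   # ordinary donor
    ("2022-02-03T12:30:00", "198.51.100.7", "1111", 5000),   # same donor, later
]
# Bot at 2 a.m.: eight attempts in seven seconds, four pennies then four at $5.00,
# each with a different card, as a card-testing script would do.
for i in range(8):
    SAMPLE_LOG.append((f"2022-02-03T02:14:{i:02d}", "203.0.113.9",
                       f"{1000 + i}", 1 if i < 4 else MIN_AMOUNT_CENTS))

def screen(records, min_cents=MIN_AMOUNT_CENTS, window=WINDOW,
           max_attempts=MAX_ATTEMPTS_PER_SOURCE):
    """Replay records in time order; return (accepted, rejected).
    Each rejected entry is (record, reason). Every attempt, accepted or not,
    counts toward the source's velocity so a bot cannot retry its way past the floor."""
    attempts = defaultdict(deque)   # source_ip -> timestamps of attempts inside the window
    accepted, rejected = [], []
    for rec in sorted(records, key=lambda r: r[0]):
        ts_str, src, _last4, cents = rec
        ts = datetime.fromisoformat(ts_str)
        q = attempts[src]
        while q and ts - q[0] > window:     # drop attempts older than the window
            q.popleft()
        q.append(ts)
        if len(q) > max_attempts:           # too many attempts from one source
            rejected.append((rec, "velocity_exceeded"))
        elif cents < min_cents:             # zero/penny authorizations are for card testing
            rejected.append((rec, "below_minimum_amount"))
        else:
            accepted.append(rec)
    return accepted, rejected

def reject_summary(rejected):
    """Count rejections by reason, the figure an operator would page on."""
    return dict(Counter(reason for _, reason in rejected))

if __name__ == "__main__":
    ok, bad = screen(SAMPLE_LOG)
    print(len(ok), "accepted;", reject_summary(bad))
```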

So that’s today’s story about PCI compliance from the B2B Vault. You can catch us on YouTube and all the popular podcast networks: Spotify, Apple, Stitcher, iHeartRadio, Amazon Music. Follow us on social media, Facebook and Twitter, and you can visit B2Bvault.info if you want to get some more info about the podcast. You can visit our website npsbank.com and get some more information about what we do over here at Nationwide Payment Systems. Thank you for listening to B2B Vault. Carpe diem, everybody, have a great day.
