Monday, March 29, 2010
Eight Question Survey
1. What is the purpose of the Eight Question Survey?
2. Why are the questions in this survey important to ask the prospect?
3. Once the survey has been taken, how do you ascertain whether the business must comply with security regulations?
4. If the business only answers yes to question number seven (Accept credit cards as a form of payment) what should you do?
Security and Privacy Scorecard
1. What is the purpose of the Security and Privacy Scorecard?
2. What is the difference between the Eight Question Survey and the Security and Privacy Scorecard?
3. What are the two major areas covered in the scorecard?
4. What do you do with a business that is low or medium risk?
Wednesday, March 24, 2010
ABC's Of Red Flags Rule
On June 1, 2010 the FTC begins enforcing the Red Flags Rule. If you are a small business owner and this is the first you’ve heard of it, you are not alone. Most small business owners either have no idea that there are compliance issues they need to be aware of, or they have taken to hiding their heads in the sand believing it has nothing to do with them because they are too small, or their CPA/lawyer/exorcist would have told them something about it if it was true, or the dog ate their homework…whatever.
But this new law will affect most businesses regardless of size.
These businesses (especially small and mid-sized) are targeted for their sensitive customer and employee information: names, SS#, driver’s license numbers, medical information, bank information, 401k plans, etc. All the goodies that identity thieves sell in their now thriving criminal enterprises. Last year’s identity theft losses to businesses and financial institutions totaled $47.6 billion, and consumer victims reported $5 billion in out-of-pocket expenses.
So What Is The Red Flags Rule?
In a nutshell, it applies to any entity that extends credit by granting loans or arranging for loans, like car dealerships, finance companies, mortgage brokers, real estate agents, and any other retailer that offers financing or provides help to consumers in getting financing by processing credit applications. This includes utility companies, health care providers and telecommunication companies. The Rule requires a written Identity Theft Prevention Program designed to detect the warning signs – or “red flags” – of identity theft in day-to-day operations, take steps to prevent the crime, and mitigate the damage it inflicts.
The Rule also applies to businesses that defer payment, offer installment plans, or provide goods and/or services first and bill or invoice the customer/client/patient later. A business that issues its own store credit card is likewise a creditor under the Rule.
However, simply accepting credit cards as a form of payment does not make a business a creditor under the Rule. Card fraud is policed by the Payment Card Industry itself: the card brands impose their own standard (PCI DSS) on merchants through the acquiring banks, and that is completely separate from the FTC Red Flags Rule. Note that the two are not mutually exclusive: a business that both accepts cards and bills customers later is subject to both.
The “Red Flags” Rule is a regulation issued by the Federal Trade Commission (FTC) under the Fair and Accurate Credit Transactions Act (FACTA), a federal law passed in 2003 to strengthen protection against identity theft. The FTC published the Rule October 31, 2007 and it became effective January 1, 2008, but its implementation date (after which companies would be responsible for complying) has been repeatedly delayed, from November 1, 2008 to May 1, 2009, to August 1, 2009 and to November 1, 2009 and finally to June 1, 2010, when enforcement will commence.
At this point, one cannot assume that the FTC will further delay implementation, meaning that businesses and organizations need to begin working on compliance now if they have not already done so.
The Red Flags Rule Mandates Include:
1. Administrative Safeguards: Appointing an administrator to put together a written plan showing how the business will detect “Red Flags” (suspicious documents, changes of address, warnings from credit agencies, or notices from victims or law enforcement) and how it will respond when one is detected. Reasonable responses include monitoring or closing the account, declining to open a new account, or notifying potential victims of the problem.
The administrator is also responsible for implementing an ongoing training program for employees on how to recognize and act upon these “red flags.” These trainings must be documented by the administrator and signed by the employees when they finish to show they participated in the training and understand the rule.
2. Physical Safeguards: Securing the physical premises so that information held in hard-copy files (or on removable media) is protected while in use and properly destroyed when disposed of, and ensuring that a company laptop doesn’t go “missing.” You would be amazed at how much information is stolen or lost because a business owner or employee left it out in the open, such as medical files, loan applications or a business laptop.
3. Technical Safeguards: Finally, there are technical safeguards that need to be implemented to lock down the data on your computers and reduce their exposure to attackers: professional-grade antivirus and antispyware and a bi-directional firewall on every computer in your business. Other safeguards include encryption of files and records both at rest and in transit, regular vulnerability assessments to identify security holes in your network, and secure erasure of electronic records, files and hard drive contents before a computer or hard drive is disposed of. Note that ordinary deletion or reformatting does not count as secure erasure; the data must actually be overwritten or the drive physically destroyed.
4. Living Law: There is no one-time implementation and now “you’re set” with regards to Red Flags Rule compliance. Sorry, the rule is a living law and subject to change as the trends in identity theft change. Every program must be evaluated and updated regularly and ignorance of the changes as they occur will not be seen as a valid excuse for not being in compliance.
How Will The Rule Be Enforced?
The FTC does not conduct routine compliance audits. But the FTC can conduct investigations to determine if a business within its jurisdiction has taken appropriate steps to develop and implement a written Program, as required by the Rule.
The FTC may ask the target of the investigation to produce copies of its Program and other materials related to compliance. The FTC also may interview officers, employees, or others who are familiar with the company’s practices. If the FTC has reason to believe the Rule has been violated, it can bring an enforcement action.
There is no private consumer right of action under the Rule; only certain federal and state government agencies can enforce it. However, businesses should know that consumers are encouraged to file complaints with the FTC about a company’s identity theft Program (or lack of one), and that the FTC uses these complaints (filed at https://www.ftccomplaintassistant.gov/) to target its law enforcement efforts.
The Fines And Other Spankings For Non Compliance:
These trying economic times are difficult enough for a business owner just going about the business of doing business. The epidemic of business data breaches, which puts every business and its customers and employees in peril of identity theft, adds yet another burden on their precious time and resources. But non-compliance can be far more costly than you think.
Federal: The penalty per single identity lost or stolen is $3,500.
State: Up to $1,000 per individual violation (plus attorney fees).
Warned: If a business is warned by a regulatory agency of non-compliance and is then found to remain non-compliant during a follow-up, the fine jumps to $11,000 per individual incident.
Lawsuits: Victimized individuals may also seek damages from the business under state law, even though the Rule itself provides no private right of action (see above).
Any one of these can cripple or even kill a business, all of them together and you may as well say adios to all your hard work and sacrifices…bye bye business!
Examples Of Entities That Must Comply:
Health Care Practices – Because most bill later or defer payment through insurance.
Retail Stores – The only exception is a store that takes payment in full at the time of sale, exclusively by credit card and/or cash.
Services/Utilities – Phone companies, cell phones, power companies etc.
Auto Dealerships – This includes motor cycles, boats, RVs, etc.
Financial institutions – Banks, credit unions, credit card companies and mortgage brokers.
Non-Profits - entities that defer payment for goods or services.
Schools – Any school, college or university who provides or accepts financial aid.
A Few Helpful Definitions:
Red Flags Rule: The Red Flags Rule is a law that will be enforced on June 1, 2010 that requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs or “red flags” of identity theft in their day-to-day operations.
FTC: The Federal Trade Commission (FTC) was established as an independent administrative agency pursuant to the Federal Trade Commission Act of 1914. The purpose of the FTC is to enforce the provisions of the Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices in commerce,” and serves an important function as a protector of both consumer and business rights.
FACTA: The Fair and Accurate Credit Transactions Act of 2003.This law applies to businesses and individuals who maintain, or otherwise possess, consumer information for a business purpose and requires businesses to develop and implement a written privacy and security program.
Financial Institution: A State or national bank, a State or federal savings and loan association, a mutual savings bank, a State or federal credit union, or any entity that holds a “transaction account” belonging to a consumer. A transaction account is a deposit or other account from which the owner makes payments or transfers. Transaction accounts include checking accounts, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.
Creditor: An entity that regularly extends, renews, or continues credit or regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. Non-profit and government entities that defer payment for goods or services are also considered creditors.
Covered Account: An account used mostly for personal, family, or household purposes, and involves multiple payments or transactions. These accounts include credit cards, mortgage loans, automobile loans, margin accounts, cell phone, utility, checking and savings accounts.
For more information go to: www.ftc.gov/redflagsrule
Monday, March 22, 2010
PCI Compliance Quiz
2. Who does it apply to?
3. Is PCI compliance a law?
4. Who regulates PCI compliance?
5. Is PCI compliance applicable to home-based businesses?
6. When do merchants have to become PCI compliant?
7. How does a merchant become PCI compliant?
8. Does Invisus certify PCI compliance?
9. How can Invisus help make a merchants certified PCI compliant?
10. What if a merchant tells you he is PCI compliant, what then?
Copy and paste the quiz into a Word document and send your quiz answers to: safepcsolutions@gmail.com
Tuesday, March 16, 2010
Red Flags Rule Quiz

1. Who does the “Red Flag Rules” apply to?
2. When are the “Red Flag Rules” slated to take effect?
3. When were the “Red Flag Rules” originally slated to take effect?
4. What is a “Red Flag?”
5. What is a covered account?
6. Why is there a need for the “Red Flag Rules?”
7. What government agency regulates the “Red Flag Rules?”
8. Is the “Red Flag Rules” a law?
9. What are the penalties for a business that does not comply with the “Red Flag Rules?”
10. What size must a business be to fall under the “Red Flag Rules?”
11. What percentage of small and mid-sized businesses were hit with easy-to-perform cybercrime?
12. Explain how the “Red Flag Rules” will be enforced.
Copy and paste the quiz into a Word document and send your quiz answers to: safepcsolutions@gmail.com
Wednesday, March 10, 2010
Red Flags Rule: Oh Nurse, A Little Help Here...
May I Have Your Attention Please?
Ahem, down here guys...OK, here we go.
Identity theft is a monolithic problem in the world today. Everyone from the savviest business CEO to the youngest babe in our society is at risk, and so is any entity such as a government or non-profit agency. Not even the deceased are safe (so to speak) from this crime.
In fact, ID theft is the fastest growing white collar crime in America, and why not? Most of the bad guys never get caught, and nearly all consumers continue to go about their daily lives as unwary as sheep to a shearing, only to find out too late that they have been led to a financial slaughterhouse in the aftermath of having their identity stolen.
More than ten million victims fall prey to identity theft in the United States each year, and the number of victims who report this crime continues to explode every year. The reported count of lost or stolen personal records since 2005 is now more than 346,512,902, and this is estimated to be only 20% of the actual number.
What this really breaks down to is that more than half of all U.S. citizens (including small children) have had their personal information stolen. And the FTC says that every credit card ever issued (including bank cards) has been compromised…Yikes, each and every one!
Is it no wonder then that the Payment Card Industry (PCI) has decided it has had enough of covering the financial losses for credit fraud (in the billions) or that the Federal Trade Commission has decided to finally step in and take action in order help stop the devastating effects of this crime by putting the liability for these breaches onto businesses through the Red Flags Rule?
Now keep in mind that credit fraud is only 33% of the problem. The other 67% is due to other nefarious practices, not least data breaches from within a company (a disgruntled employee, negligent security practices or, heaven forbid, no security at all) and outside breaches by cybercriminals, known as black hat hackers, who take advantage of the low-hanging fruit that poor security leaves exposed. This brings us back to the new federal laws and regulations known as the Red Flags Rule.
To whom do these laws and regulations apply?
The Red Flags Rule is an anti-fraud regulation, requiring “creditors” and “financial institutions” with covered accounts to implement programs to identify, detect, and respond to the warning signs, or “red flags,” that could indicate identity theft.
The general rule of thumb is that if a business or entity collects, uses, transmits or stores any identifiable information about customers and/or employees (name, address, phone number, SS#, driver’s license, birth date, medical information, Tax ID#, etc.) and then lets them pay later, in effect extending them credit, it is subject to the Red Flags Rule.
The FTC uses the term “creditor” broadly so even if a business may not view itself as a “creditor” in the traditional sense of say a bank or mortgage company, the red flags rule does define “creditor” to include any entity that regularly defers payment for goods or services or arranges for the extension of credit.
However, simply accepting credit cards as a form of payment does not make a business a creditor under the Rule, credit cards have their own set of scary rules and regulations under the payment card industry.
What is a Red Flag?
A Red Flag is a potential sign that identity theft may be occurring, and businesses are required by the FTC to spot and act upon any red flags that may be a telltale sign of identity theft. Some of the requirements for compliance include:
• Developing a written red flags program to include: identifying potential red flags, detecting red flags, and a protocol to respond to red flags.
• Educating your employees on these protocols.
• Maintaining and updating your company red flags plan (this is a living law and is subject to changes, it is up to you to know what these are).
Enforcement of the Red Flags Rule begins June 1, 2010 (after several delays), and ignorance of this law is no excuse. Be aware that states can enforce these laws as well, and many states have put their own special spin on what is required for a business to be compliant.
Who is a candidate for the Red Flags Rule?
• Doctors, dentists, acupuncturist, chiropractors, massage therapists, nutritionists, mental health providers etc.
• Lawyers (currently exempt after challenging the Rule in court)
• CPAs
• Contractors
• Utilities
• Retailers
• Telecommunications companies
• Debt collectors
• Employee benefit plans that sponsor a flexible spending account accessed using a debit card.
What if I don’t comply?
Businesses subject to Red Flags Rule must comply by June 1, 2010 or face the possibility of enforcement action by the FTC in the form of fines or other legal actions. The penalty alone per name stolen or leaked is a staggering $3,500! Your business will come to a halt while the forensic investigators are looking into the cause of the data breach. And here’s a fun stat for you - 50% of businesses that lose their critical data for 10 days or more have to file for bankruptcy immediately…fun stuff!
Moving right along, your business name by this time is more than likely “Mud” and in most states you are required to inform each and every customer that your company’s data breach has put their good names in jeopardy (ouch); and if that isn’t enough, the law also allows the consumer/victim the right to recoup their losses from you... I’m talking civil and in some cases even criminal suits here people...do I have your attention now?
Not enough you say? OK, how about losing 65% of your customers once they know that your business suffered a security breach that put their identity at risk...count on it!
So what can a business owner do to protect their business data from being harvested by a cyber crook out on the take?
1. Education. Go to the FTC’s website at www.ftc.gov/redflagsrule and learn the facts straight from the horse’s mouth, and how they apply to your business.
2. Get the best internet protection you can for all of your company’s computers along with a cracker jack team of IT professionals: Safe PC Solution
3. Develop and start implementing your Company’s Red Flags Rules protocol.
4. A simpler way to do this is to have a team of experts work hand in hand with you to certify that your business is following all of the Best Practices so that your company’s important personal information doesn’t fall prey to bad guys looking to sell it for a nickel a name!
In conclusion:
The US Dept of Homeland Security released a statement in September of 2009 that says that “87% of breaches could be thwarted by simple to intermediate preventative measures.”
WOW! Is that all?
Do We Certify For PCI?
This is a separate charge to the client from 'Security Metrics', who will assess what the client needs based on how they currently take credit card information (phone, swipe machine(s), computer(s), etc.). The client should expect to fill out a self-assessment questionnaire (likely sent via email) and to have an external vulnerability scan run by the vendor against their public IP address.
When they pass they will be issued a certificate (via email) that they can display at their place of business or online if they are an e commerce merchant. They will be scanned automatically every quarter after that and they will be charged yearly for this service.
Home businesses are especially vulnerable to hackers, arguably the most vulnerable, simply because they are usually not well protected. Intruders zero in on home users because it is easy and requires very little work on their part.
Would you leave the curtains open on a window facing a busy street while you change clothes or bathe? Would you tuck your precious children into bed at night and leave the window open with a ladder leading down to the backyard? Of course not, but most home businesses are blindly using their computers with a false sense of security that literally leaves their sensitive information exposed. Cyber-crooks sneak in unseen and exploit a home business computer’s ‘always on’ broadband connection and the typical home-use programs such as chat rooms, Internet games and file sharing applications.
And once a bad guy is in, he has no problem installing a keylogger, a hacker tool built specifically to record every keystroke a user types. So your banking passwords and any credit card information typed on an infected computer (yours or a customer’s) are in the hands of a criminal faster than a bullfrog can zap a fly!
Being in compliance is not voluntary, if a merchant wants to keep their privilege of taking credit card payments they must follow the rules of compliance in accordance with The PCI Security Standards Council.
Check out the link for the company site for more information about Security Metrics.
Tuesday, March 9, 2010
Is PCI DSS Compliance a Law? If not why should I care?
PCI Compliance is NOT a law. It is a set of data security standards that the Payment Card Industry (you know, Visa, MC, Am Ex, Discover and JCB) have put together in order to tighten the reins on credit card fraud by imposing these requirements on the merchants and the acquiring banks that provide merchant accounts.
You see, a few years back these big boys got together and said "We are sick and tired of eating it on all these fraudulent charges...it's costing us BILLIONS! I know, let's pass the onus onto the banks and merchants who are going around willy-nilly without using the proper security in the first place." They all agreed this was a bang-up idea, and so on September 7, 2006 the Payment Card Industry Security Standards Council (PCI SSC) was born.
Since that time ALL companies that process, store or transmit credit card information are required to maintain a secure environment. The payment brands and acquirers are responsible for enforcing compliance and if you haven't heard from your acquiring bank yet you soon shall.
A copy of the PCI DSS is available here.
Think of it this way, being able to take credit cards for payment is NOT a right, it IS a privilege that the Payment Card Industry can give'th or take'th away. It's like when you walk into a store that has a sign that reads "No Shirt, No Shoes, NO SERVICE!" That means they require their customers to come in with footwear and a covered torso.
They reserve the right to NOT do business with you based on this rule. It is the proprietor's store and those are the rules; if they don't want to look at your bare feet and whatever tattoo you may be sporting on your latissimus dorsi they can toss you out... PERIOD.
So it goes with PCI Compliance, if you want to play ball (do business) with these guys on their playing field you need to follow THEIR rules or they will simply take their ball and go home.
Now for goodness sake, put your dang clothes on and get your business certified PCI DSS compliant...