Visa recently reported that over 80% of U.S. level one merchants (those with more than six million transactions yearly) have achieved PCI DSS compliance. This is welcome news, but does compliance signal an end to data security compromises? Unfortunately the answer is no.

While improved compliance of level one merchants is important, it will not deter criminals who have been making millions of dollars from stolen cardholder data. These individuals will either strengthen their efforts to defeat PCI protections or they will look for new and less secure targets. These new targets could be small to mid-size merchants or your credit union.

Another disturbing piece of information: criminal hackers are expanding their horizons beyond credit and debit card account information to target asset and trading accounts and bill payment transactions. Recent federal investigations have revealed that computers confiscated from hackers contained not only credit and debit account information but asset account data as well. This indicates that many financial institutions, including credit unions, could become alluring targets for fraudulent activity.

Credit unions can take some very practical, low-cost steps to protect their data.

Look at your current in-house operating environment. What sensitive data are you storing? There should be a compelling business need for every piece of account data you store. If you cannot identify the business need, do not retain the data. When data compromises within the merchant community first came to light, in many instances merchants were not even aware they were storing sensitive data and ultimately could not rationalize why they were storing it.

Where are you storing data? Is it segmented into a more secure part of your system architecture or does it reside in the mainstream of your systems environment? Could you store the sensitive data elsewhere, such as a trusted processor, and still operate efficiently? The sensitive data you identify as critical to your business needs should be in a secured segment of your system or sent off-site to a trusted partner. If PCI DSS-defined sensitive data is not resident in your in-house environment, you have greatly reduced your exposure to risk.

Is your credit union compliant with PCI DSS? All Visa and MasterCard issuers are required to be PCI DSS compliant. Visa and MasterCard do not currently require issuers to formally validate compliance, but your credit union still needs to be compliant. If your credit union experienced a data compromise, you would be subject to the same Visa or MasterCard fines and penalties that merchants and processors face today.

Is your processor compliant? Are third-party agents that touch your data compliant? Under the PCI DSS program, you are obligated to ensure any third party that interacts with sensitive data from your institution is PCI DSS compliant. For more information, visit www.pcisecuritystandards.org.

Achieving PCI DSS compliance will reduce risk to all your sensitive data, even data not specifically defined within the scope of PCI DSS. Firewall protection, access controls, encryption and other core PCI DSS requirements will provide protection beyond credit and debit account data if deployed across your entire systems environment.

No credit union wants to be the first to face the negative impact of a data compromise. Merchants sell consumer goods and services. Financial institutions, especially credit unions, sell trust. Trust is core to the value proposition credit unions offer their members. While some merchants with data compromises have successfully spun themselves as victims, credit unions will be held to a higher standard.

Criminal hackers are not going away. Now is the time to focus on taking steps to secure your data environment. As criminals begin to exploit new types of data and explore new targets, make sure your credit union doesn’t present an attractive opportunity.
You do not want to be that credit union.