By Michael Zinni
Every week we hear about another company that has had sensitive, customer information stolen from them. For every company that you hear about, how many more thefts go unreported or even worse, unnoticed? I see old applications, and even new applications, that do not properly safeguard the sensitive information that they are collecting.
The most obvious information that needs to be protected is your customer’s credit card numbers. Most payment processors now require signed paperwork stating that you will not store credit card numbers on your own computer in any fashion, for any reason. Credit card information must be transmitted for processing immediately through your credit card machine or through your processor’s secure web site portal.
Most payment processors now provide flexible recurring billing capabilities directly on their portal web site thereby removing the need for you to store and then submit credit card information monthly. It makes me more than a little nervous when a vendor already has my credit card number “on file”. If you are not familiar with your processor’s secure web site portal, ask your representative for a demonstration. There is no reason to store your customer’s credit card information anywhere on your computer network; allow your payment processor to assume that risk!
Online credit card payments must be submitted directly to the processor’s web site through a secure gateway. The processor’s web site provides the security certificate for this transmission. I recommend that you also have a security certificate for your web site to provide your customers with the assurance that all information is transmitted securely. The logo of the security certificate and payment processing gateway should be prominently displayed during the checkout process along with a link that will allow your shoppers to check their validity. These validity-checking tools are readily available from reputable security certificate vendors and payment processing gateways.
Identity theft is the one of the fastest growing crimes because “non-sensitive” personal information is readily available to supplement the sensitive information that can be obtained fraudulently. If you are storing social security numbers, driver’s license numbers, date of birth and e-mail address information you must evaluate the security of this information. This information must be encrypted, and access to this information must be limited.
Access to large quantities of e-mail addresses is a favorite target of would-be spammers, but e-mail addresses have become much more valuable, even in small quantities, to identity theft criminals. Many web sites use an e-mail address as half of their login credentials. With the e-mail address in-hand, the criminal only has to find the password to break into the web site account. There are plenty of automatic programs available that will throw an infinite number of possible passwords at a web site attempting to gain access. This makes the storage of e-mail addresses critical too.
If you have an extranet that allows your customers or vendors to login for access to information, their user names and passwords must be encrypted and stored securely. You may not be storing any other sensitive information but identity thieves know that people (foolishly) use the same user name and password combination for multiple web sites.
Medical records add another layer of complexity. HIPAA regulations are complicated, and compliance rules are most often described as “use of industry best practices”. Using a reputable, third-party application that meets the HIPAA requirements to manage your information is highly recommended. Be sure to apply their bug-fix releases in a timely manner and to purchase their upgrades as they become available to remain compliant. Failure to do so may leave your information exposed.
As a business owner, you are responsible for the information that you collect and store. Many businesses allow remote access to their “internal” computer networks. Some companies even host their web sites on an internal server (not a good idea). If the remote access or web server is not configured and maintained properly, a security breach can allow access to all the computers on the network.
Are you legally responsible? Heartland, Honda, Sony and the Defense Department (among many others) have all been for sued for exposing personal or financial information. The question posed in these lawsuits is “did you take every reasonable step to protect the information?”
Answer these questions to understand and secure your sensitive information: What sensitive information are you storing? Is it necessary for you to store each of these pieces of information?
Where is the information being stored? Is it in a secure database or a proprietary third-party format? Or is it in a Microsoft Excel spreadsheet?
Is the information stored on a limited-access, internal computer or is the information stored on a computer with access from the outside world (i.e. a web server or a networked computer with remote access from outside the network)? Is that computer configured properly and up-to-date?
Who has access to this information? Do they need access? Is access removed when the person no longer requires access?
Is the information encrypted? Contact the vendor that created the application or the web site, and ask them to show you how the information is stored and encrypted.
Is the sensitive information contained in your computer backup? Who has access to the backup files? Is the backup secured?
What is the process of obtaining the sensitive information and storing it? Are there vulnerabilities along the way? Can your process be streamlined and weaknesses eliminated?
Is an independent audit necessary? Security audits are available to determine the vulnerability of your network, your information and your processes. Depending on the sensitivity of the information that you are storing and the manner in which it is stored, an independent assessment may be a great investment.
Your IT professional along with the creators of the applications that you use will be able to answer these questions so that you can make the necessary changes to protect the information. If you have any doubt, I highly recommend an independent audit.
There is risk in storing personal information and your customers are becoming more cautious in providing that information. To remain competitive, in fact to remain in business, you must be able to prove that you respect your customers’ information and that you take this risk seriously.
Michael Zinni is president of ZinCastle Software Systems of Saratoga Springs and Roanoke, VA. He can be reached by calling 290-7009 or by visiting the website: www.zincastle.com.