Wednesday, January 25th, 2012

The Zappos Data Breach 10 Days On: The Lessons Continue

Tags: data security

We received an incredible amount of feedback to our post last week on the Zappos data breach. The interesting thing about it was that while most of the readers came from our Facebook page, where all of our new articles are posted immediately, and a decent number of them hit the “Like” button, the vast majority of the responses came from Twitter. As a side note, that is becoming a trend, and we’d be interested in hearing what experience you’ve had with reader engagement for blog posts published on your business’ Facebook page and Twitter account.


But let’s move on to the issue at hand. It’s been ten days now since Tony Hsieh, CEO of Zappos.com, the Amazon-owned online shoe and apparel retailer, announced in an email that his company had suffered a data breach. We were so impressed by Zappos’ response that we analyzed in detail Hsieh’s email in our initial post and suggested that everyone who may ever have to deal with a similar crisis should use it as a template. But how has the company done since then and more importantly, how have Zappos’ customers been affected in the event’s aftermath?


Well, the retailer has again done an outstanding job and deserves the highest marks for its efforts and, as best we can tell, its customers have suffered no lasting damage at all.

What Has Zappos Done since It Announced the Data Breach?


Following the initial email announcing the breach, Zappos has published two updates on the web page that was specially created for the purpose of keeping customers, and the outside world at large, informed on the progress the retailer was making in getting things back to normal. These updates were terse and to the point.


The first one explained the meaning of a technical term, “cryptographically scrambled,” and informed readers that the company was cooperating with the FBI in its investigation, which is the standard procedure for dealing with the aftermath of a data breach. In practice, “cryptographically scrambled” means the passwords were stored as one-way hashes rather than in clear text. How much protection that offers depends on details Zappos has not disclosed: a hash computed with a slow, salted algorithm is impractical to reverse for millions of accounts, whereas an unsalted hash of a common password can be recovered in seconds from a wordlist or a precomputed table.


The second update announced that Zappos’ phone system was again functioning as normal, after being intentionally turned off following the event, because it would not have been able to handle the expected volume of incoming calls (which was explained in Hsieh’s email).


So, while the investigation is still ongoing, things are now back to normal at Zappos. But what were the consequences for its customers?

What Is the Damage to Zappos’ Customers?


I read somewhere that the attorneys for a Zappos customer are seeking a class-action suit against the retailer, which was more or less to be expected. But how justified are consumers’ worries in this case? Well, to answer that question we’ll need to understand exactly what information has been compromised.


Zappos told its customers that:

[T]here may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).


We were also told that:

THE DATABASE THAT STORES OUR CUSTOMERS’ CRITICAL CREDIT CARD AND OTHER PAYMENT DATA WAS NOT AFFECTED OR ACCESSED.


So the hackers seem to have gained access to some of the information stored in Zappos’ customer profiles. Whether they could actually log in to those accounts depends on whether they could recover passwords from the stored hashes, which in turn depends on the hashing scheme Zappos used, and that has not been disclosed. But even if they could have done that, it would not have been much of a gain inside Zappos itself. They could have attempted to place an order, which, even in the unlikely event that it went through, would have been disputed immediately and the cardholder reimbursed for any financial losses. Moreover, any bank card information stored in a compromised profile would have been unusable on its own, because the profile holds only the last four digits of the account number.
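To make the point about hashed passwords concrete, here is an added example (not Zappos’ code; its hashing scheme has not been disclosed) contrasting an unsalted SHA-1 digest, which a short wordlist recovers instantly, with a salted PBKDF2-HMAC-SHA256 hash. The wordlist, the sample password and the 200,000-iteration work factor are constructed for the illustration.

```python
"""Why "cryptographically scrambled" is not, by itself, a guarantee.

Two ways of storing a password: a bare, unsalted SHA-1 digest (fast to
compute and trivially reversible for common passwords), and a salted,
iterated PBKDF2-HMAC-SHA256 hash (slow by design and unique per user).
Illustrative code only; the scheme Zappos used is not public.
"""
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample wordlist standing in for the dictionary an attacker
# would run against a leaked table of password hashes.
WORDLIST = ["123456", "password", "zappos", "letmein", "shoes2012"]

# ---- Weak: unsalted fast hash ---------------------------------------------

def weak_hash(password: str) -> str:
    """Unsalted SHA-1, the way many sites still stored passwords in 2012."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_weak(stored: str, wordlist=WORDLIST) -> Optional[str]:
    """Recover a password from an unsalted digest by dictionary lookup.

    With no salt, the attacker hashes each candidate once and reuses the
    table against every account in the dump.
    """
    table = {weak_hash(w): w for w in wordlist}
    return table.get(stored)


# ---- Strong: salted, iterated key derivation ------------------------------

ITERATIONS = 200_000   # assumed work factor; tune so one hash takes ~100 ms


def strong_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex' with a fresh salt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iters, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    leaked = weak_hash("shoes2012")
    print("unsalted SHA-1 recovered as:", crack_weak(leaked))
    h1, h2 = strong_hash("shoes2012"), strong_hash("shoes2012")
    print("same password, different salts, different hashes:", h1 != h2)
    print("verify right password:", verify_strong("shoes2012", h1),
          "| wrong password:", verify_strong("shoes2013", h1))
```

Run it to see the unsalted digest recovered and two salted hashes of the same password differ. Against the strong scheme an attacker pays the full iteration cost per candidate per account, because the salt prevents reusing work across accounts; it is still no defence for a customer who chose “123456,” which is why a forced reset after a breach is the right call whatever the hash.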


In the end, given that the breach was discovered promptly and the passwords reset, the criminals were left with information that, item by item, is for the most part freely available in the Yellow Pages. Two residual risks are worth naming, and neither is one the retailer can fix on its own: a recovered password also opens any other site where the customer reused it, and a name, e-mail address and the last four digits of a card are enough to make a phishing message look like a genuine Zappos notice.

The Takeaway


The significance of the Zappos data breach should not be minimized and I’m not attempting to do so. Such events are potentially hugely damaging both for the affected business and its customers, so every effort should be made to prevent them from occurring. If a business is found to have not complied with existing data security standards or to have otherwise been lax in safeguarding sensitive customer information, it should be held accountable for its carelessness. We don’t yet know whether Zappos is guilty on any of these counts, so, though I reserve the right to comment on that issue when information becomes available, I can’t do so at present.


However, the fact remains that Zappos’ response to the crisis has been exceptional and the company deserves to be commended for it. But the real good news is that Zappos’ customers have suffered no lasting damage.


Image credit: REUTERS/Zappos.com/Handout.

Learn how to lower your card acceptance cost


Learn how to accept credit and debit cards at the lowest processing costs. The Payment Card Acceptance kit contains a video and an e-book:


  • Video – Card Acceptance Best Practices for Lowest Processing Costs (18 min).
  • E-Book – Payment Card Acceptance Guide (19 pages).


Payment Card Acceptance Kit

Tuesday, January 17th, 2012

Zappos Is Giving Us a Lesson on Managing a Data Breach

Tags: data security

We’ve written about the mechanics of dealing with data breaches on this blog several times before, but Zappos, the Amazon-owned online shoe and apparel retailer, is giving us a great real-time lesson on the subject, one that everyone who may ever have to deal with the issue should look to for guidance. There is a lot to be learned.


Zappos has built its reputation around, and owes its huge success to, providing an exceptionally high level of customer service, including a 365-day no-questions-asked return policy. Zappos customers, this blogger very much included, really feel that their satisfaction is the retailer’s top priority, and nothing tests the validity of that belief like a confirmed breach of sensitive customer account data. But as I said, Zappos is meeting the challenge with flying colors.

Crisis Management Lessons from the Zappos Data Breach


Zappos announced the data breach in an email from founder and CEO Tony Hsieh to all of the company’s employees, which was also published on the retailer’s blog for the whole world to see. This email deserves close examination, as it should serve as a crisis management template for anyone whose company finds itself in a similar predicament. Let’s do it.


Lesson 1: get everyone involved. By addressing all of his employees, Hsieh makes it clear both to his own organization’s staff and to the outside world that this is an issue everyone within his company is responsible for helping to deal with.


Hsieh begins his email thus:

Please set aside 20 minutes to carefully read this entire email.


Lesson 2: make the gravity of the situation immediately clear. It is a short email that takes a few minutes of careful reading to get through, but Hsieh is asking that employees spend much more time on it. Why? Because the issue is critical and he wants everyone to understand that and give it some thought.


Then the CEO tells us what took place:

We were recently the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky. We are cooperating with law enforcement to undergo an exhaustive investigation.


Lesson 3: get straight to the point and tell it like it is. Once you’ve got everyone’s attention and made it clear how important the issue at hand is, the only sensible way to proceed is to describe the matter clearly and concisely. Hsieh does just that.


Now Hsieh tells us that he is not allowed to provide specific details, but adds this:

…THE DATABASE THAT STORES OUR CUSTOMERS’ CRITICAL CREDIT CARD AND OTHER PAYMENT DATA WAS NOT AFFECTED OR ACCESSED.


Lesson 4: don’t overblow the positive aspects (if any). The problem is huge and you’ve already made that point clear. Now, if there is anything that is positive about the story, tell the facts, but don’t make it sound as if it is equally, never mind more, important than the bad news. Doing so would weaken the message of urgency you are sending. That’s also why in his letter to Zappos’ customers that follows the one to his employees, Hsieh refers to this aspect of the story as “the better news,” not a good or positive one.


Hsieh finishes his email in this way:

The most important focus for us right now is the safety and security of our customers’ information. Within the next hour, we will begin the process of notifying the 24+ million customer accounts in our database about the incident and help step them through the process of choosing a new password for their accounts. (We’ve already reset and expired their existing passwords.)


Lesson 5: reiterate your commitment to solving your customers’ problem and say what you are doing about it. You need to look at the issue through the eyes of your customers. They don’t care what your company is going through or how much the clean-up will cost you. The only things your customers care about are how big the damage is and what you are doing to protect their interests. That is what you should be telling them, and that is precisely what Hsieh has done.


Then Hsieh attaches the email that his company will be sending to its customers, which informs them of the data breach and tells them what the company has already done to remedy the issue. The letter also asks that customers do the following:

PLEASE CREATE A NEW PASSWORD:


We have expired and reset your password so you can create a new password.


Lesson 6: tell your customers what they need to do. As your customers’ credentials must now be presumed compromised, new ones need to be issued: expire every stored password and invalidate existing sessions so the old credential can no longer be used, then walk each customer through choosing a new one. Make this process as simple and straightforward as you can and clearly tell your customers what they need to do. Again, Zappos has done just that.
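The mechanics behind “we have expired and reset your password,” as an added example (not Zappos’ code; its systems are not described in the email): expire every stored credential and live session in one step, then hand each customer a single-use, time-limited reset token that is stored only as a hash. The in-memory dictionaries, the 24-hour token lifetime, the PBKDF2 parameters and all names are assumptions for the illustration.

```python
"""Mass password expiry with single-use reset tokens (illustrative only)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

TOKEN_TTL_SECONDS = 24 * 3600   # assumed validity window for a reset link


@dataclass
class Account:
    email: str
    password_hash: Optional[str]          # None means "expired, must be reset"
    sessions: set = field(default_factory=set)


@dataclass
class ResetToken:
    token_hash: str                       # only SHA-256(token) is kept server-side
    email: str
    expires_at: float
    used: bool = False


class CredentialStore:
    """In-memory stand-in for the accounts and reset-token tables."""

    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now                    # injectable clock, so expiry can be tested
        self.accounts: Dict[str, Account] = {}
        self.tokens: Dict[str, ResetToken] = {}

    def add_account(self, email: str, password: str) -> None:
        self.accounts[email] = Account(email, self._hash(password))

    # --- breach response: expire everything at once ------------------------
    def expire_all(self) -> None:
        for acct in self.accounts.values():
            acct.password_hash = None     # old password can no longer authenticate
            acct.sessions.clear()         # and neither can a stolen session cookie

    # --- issue a token to embed in the e-mailed reset link -----------------
    def issue_reset_token(self, email: str) -> str:
        token = secrets.token_urlsafe(32)               # 256 bits, unguessable
        th = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[th] = ResetToken(th, email, self.now() + TOKEN_TTL_SECONDS)
        return token   # raw token goes to the customer, never into the database

    # --- consume the token and set the new password --------------------------
    def redeem(self, token: str, new_password: str) -> bool:
        th = hashlib.sha256(token.encode()).hexdigest()
        rec = self.tokens.get(th)
        if rec is None or rec.used or self.now() > rec.expires_at:
            return False
        acct = self.accounts.get(rec.email)
        if acct is None:
            return False
        rec.used = True                                 # single use
        acct.password_hash = self._hash(new_password)
        acct.sessions.clear()                           # log out any other holder
        return True

    def login(self, email: str, password: str) -> bool:
        acct = self.accounts.get(email)
        if acct is None or acct.password_hash is None:
            return False                                # expired accounts cannot log in
        return self._verify(password, acct.password_hash)

    # --- salted, iterated hash: 'salt_hex$digest_hex' ------------------------
    @staticmethod
    def _hash(password: str, salt: Optional[bytes] = None) -> str:
        salt = salt or secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
        return salt.hex() + "$" + digest.hex()

    def _verify(self, password: str, stored: str) -> bool:
        salt_hex, _ = stored.split("$")
        return hmac.compare_digest(self._hash(password, bytes.fromhex(salt_hex)), stored)


if __name__ == "__main__":
    store = CredentialStore()
    store.add_account("customer@example.com", "old-password")
    store.expire_all()
    link_token = store.issue_reset_token("customer@example.com")
    print("old password still works:", store.login("customer@example.com", "old-password"))
    print("reset accepted:", store.redeem(link_token, "new-password"))
    print("token reusable:", store.redeem(link_token, "another"))
    print("new password works:", store.login("customer@example.com", "new-password"))
```

Storing only the hash of the token means a second copy of the database dump does not let the attacker redeem everyone’s reset links; the expiry and the single-use flag limit the window if a link is intercepted in transit.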


The letter provides a link to a page where Zappos customers can go to for updates and also informs them that:

We have made the hard decision to temporarily turn off our phones and direct customers to contact us by email because our phone systems simply aren’t capable of handling so much volume. (If 5% of our customers call, that would be over 1 million phone calls, most of which would not even make it into our phone system in the first place.)


Lesson 7: if your customers will be inconvenienced in some way, inform them beforehand and explain why. The worst thing you could do, if things started working differently from the way they used to, would be to keep customers in the dark as to the reason. That would be a sure way to provoke a torrent of negative publicity in the form of angry tweets and comments on the news stories covering the event. So if your customers will be seeing changes in the way you communicate with them, tell them what they should be expecting and why (and make sure there is a good reason for it!).

The Takeaway


Bad things do happen and data breaches are certainly no exception. Your customers understand that and will give you the benefit of the doubt, if you do suffer a breach, unless you’ve been egregiously negligent in protecting their information. Your response to the crisis will be the only thing that determines whether the issue is resolved with minimal damage and inconvenience to your customers or it deteriorates into a PR disaster.


Zappos is giving us a lesson on how to do this properly and we should all be taking notes.


Image credit: Resimbul.com.


Wednesday, October 5th, 2011

12 Basic Requirements for Keeping Credit Card Data Safe

Tags: data security, PCI DSS

All U.S. merchants that accept payment cards must comply with the requirements of the Payment Card Industry Data Security Standard (PCI DSS), which is designed to keep sensitive bank card information safe. In fact, every entity that stores, processes or transmits cardholder information must be PCI compliant; what varies by merchant level is how compliance is validated, with an on-site assessment required only for the largest merchants and a self-assessment questionnaire for the rest.


The PCI DSS consists of twelve basic requirements, which I will review in this article.

12 Basic Requirements for Keeping Credit Card Data Safe


All financial organizations, merchants and service providers that handle payment card information must adhere to the PCI DSS twelve basic requirements, which are listed below, grouped under the standard’s six goals.

PCI Data Security Standard

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software.
  6. Develop and maintain secure systems and applications.

Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.

Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.

Maintain an Information Security Policy
  12. Maintain a policy that addresses information security.



Additional Merchant Data Security Requirements


All merchants that store, process or transmit bank card information are required to:

  • Keep all media containing card account numbers, whether paper or electronic, in a secure area accessible only to designated personnel. Paper sales drafts need the same care during storage and transfer; merchants should at all times:
    • Provide the drafts to their processor.
    • Destroy all copies of the drafts that are not delivered to the processor.
  • Render card data unreadable wherever it is stored (by truncation, strong encryption or one-way hashing), and again before any media is discarded.
  • Never store sensitive authentication data after the authorization response has been received, even in encrypted form: that means the full contents of the magnetic stripe or chip, the card verification codes (CVV2, CVC2, CID) and PINs or PIN blocks. The cardholder name, account number and expiration date may be retained, with the account number protected as PCI DSS requires.
  • Use payment applications that are compliant with the PCI Payment Application Data Security Standard (PA-DSS). A list of validated payment applications can be found at www.pcissc.org.
  • Know your liability. Your merchant agreement may contain provisions that hold your business liable for losses resulting from compromised card data if your organization (or your third-party processor, if applicable) lacks adequate data security. Make sure that you read the agreement carefully and understand your liabilities.



The Takeaway


The PCI DSS is a work in progress and your processor will periodically be sending you updates on the latest changes to the standard. Do not ignore these communications, but adjust your data security procedures accordingly to ensure compliance, even if it seems to you that what you are asked to do is unnecessary or unreasonable. There is usually a good reason behind these changes and anyway, compliance is mandatory.




Saturday, June 25th, 2011

How to Manage a Credit Card Data Breach

Tags: data security, risk exposure, risk management

We all hope it will never happen to us. A breach of the data security system of any company that stores payment card account data can be an enormously damaging event. Most of the damage is to the company’s reputation (and, depending on its merchant agreement, its balance sheet), as consumers are protected against fraud and at most suffer the inconvenience of having their account information updated and their cards re-issued. Still, no one enjoys having their privacy violated.

Data Breaches Do Happen


Yet, as the recent Sony PlayStation data breach reminds us, our efforts to keep sensitive card account information from falling into the wrong hands are unfortunately not always successful. Of course there are those who now point to a laundry list of lapses in Sony’s data security, but hindsight is always 20/20.


The point is that there are plenty of things that can go wrong and plenty of hackers out there working hard to identify these weak spots and exploit them. Sometimes the bad guys are successful.


I am not saying that we should simply accept data breaches as part of life. On the contrary, there are a number of security measures that can and should be taken and we have written about many of them in previous posts. Moreover, compliance with PCI DSS requirements is mandatory and can go a long way towards securing your customers’ data.


What I am saying is that we should be prepared to handle the aftermath of a data breach, in case it happens, because history teaches us that no security system is impenetrable and the hackers sometimes gain the upper hand.

What to Do if Your Data Security Is Breached


You need to develop and implement a system that will enable you to detect suspected data breaches and respond quickly to limit the damage in case data are indeed compromised. If you suspect or have confirmed that your data security system was breached, you need to take the following actions:

  • Contain and limit exposure. To prevent any further loss of data, begin investigating immediately, and in any case within 24 hours of the suspected or confirmed compromise. In particular:
    • Do not log in to or otherwise use the compromised systems, and do not change any log-in details on them: doing so overwrites evidence (file timestamps, memory contents, login records) and may tip off the intruder.
    • Do not power off the compromised system, because whatever is in memory (running processes, open network connections, decryption keys) is lost the moment it shuts down. Instead, isolate it by unplugging the cables that connect it to the rest of your company’s network; for a virtual machine, which has no cable to pull, cut it off at the virtual switch or firewall and leave it running.
    • Preserve the logs and all other information that can be used in the course of your investigation: copy them to a separate, trusted system and record a hash of each copy so its integrity can be demonstrated later.
    • Document every action you take, with the time and the person who took it.
    • If you use a wireless network, change its passphrase and network name on the access point, and update all systems accordingly except the compromised one(s).
  • Contact all affected parties. Everyone who could be affected by the data breach should be alerted immediately. In particular, contact:
    • Your internal security group, if you have one.
    • Your company’s legal department.
    • Your payment processing provider.
    • The local authorities and the FBI.
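The “preserve the logs” and “document all actions” steps above are the ones that get skipped under pressure, so here is an added example (not from the original post, and not any vendor’s tool) of doing both in one pass: copy each log off the suspect host, hash source and copy, and append every action to a chain-of-custody ledger in which each entry carries the hash of the previous one. The host name pos-server-07, the operator name, the log contents, the IP address 203.0.113.45 (a documentation range) and the temp-directory layout are all constructed for the demonstration.

```python
"""Evidence preservation with a tamper-evident chain-of-custody ledger."""
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path
from typing import Callable, Dict, List


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class EvidenceLedger:
    """Append-only JSON-lines ledger; each entry stores the SHA-256 of the
    previous line, so editing or deleting an earlier line breaks the chain."""

    def __init__(self, path: Path, operator: str, now: Callable[[], float] = time.time):
        self.path, self.operator, self.now = path, operator, now
        self.prev = "0" * 64                      # genesis value for the first entry

    def record(self, action: str, **details) -> Dict:
        entry = {"ts": self.now(), "operator": self.operator, "action": action,
                 "prev": self.prev, **details}
        line = json.dumps(entry, sort_keys=True)
        self.prev = hashlib.sha256(line.encode()).hexdigest()
        with self.path.open("a") as f:
            f.write(line + "\n")
        return entry

    def verify(self) -> bool:
        prev = "0" * 64
        for line in self.path.read_text().splitlines():
            if json.loads(line)["prev"] != prev:
                return False
            prev = hashlib.sha256(line.encode()).hexdigest()
        return True


def preserve_logs(sources: List[Path], evidence_dir: Path,
                  ledger: EvidenceLedger) -> Dict[str, str]:
    """Copy each log into evidence_dir, confirm the copy matches the source
    byte for byte, make it read-only and log the hash. Returns {name: sha256}."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    hashes: Dict[str, str] = {}
    for src in sources:
        before = sha256_file(src)
        dst = evidence_dir / src.name
        shutil.copy2(src, dst)                    # copy2 keeps the timestamps
        after = sha256_file(dst)
        if before != after:
            raise RuntimeError(f"copy of {src} does not match its source")
        os.chmod(dst, 0o440)                      # investigators read, nobody writes
        ledger.record("preserve_log", source=str(src), copy=str(dst), sha256=after)
        hashes[src.name] = after
    return hashes


def run_demo() -> Dict:
    """Create constructed sample logs, preserve them, then show that the
    ledger notices when an earlier entry is edited after the fact."""
    work = Path(tempfile.mkdtemp(prefix="ir-demo-"))
    host_logs = work / "pos-server-07"            # stand-in for the suspect host
    host_logs.mkdir()
    (host_logs / "auth.log").write_text(          # constructed sample lines
        "Jun 24 02:13:07 pos-server-07 sshd[4121]: Accepted password for admin "
        "from 203.0.113.45 port 51022 ssh2\n"
        "Jun 24 02:13:09 pos-server-07 sudo: admin : TTY=pts/0 ; "
        "COMMAND=/bin/tar czf /tmp/.x.tgz /var/db/txn\n")
    (host_logs / "access.log").write_text(
        '203.0.113.45 - - [24/Jun/2011:02:11:58 -0400] '
        '"GET /admin/export?all=1 HTTP/1.1" 200 9811\n')
    ledger = EvidenceLedger(work / "chain_of_custody.jsonl", operator="ir-oncall")
    ledger.record("isolate_host", host="pos-server-07",
                  method="network cable unplugged, power left on")
    hashes = preserve_logs(sorted(host_logs.glob("*.log")), work / "evidence", ledger)
    intact = ledger.verify()
    # Someone quietly rewrites the first entry afterwards; the next entry's
    # stored 'prev' no longer matches, so verify() fails.
    lines = ledger.path.read_text().splitlines()
    lines[0] = lines[0].replace("unplugged", "unplugged (later)")
    ledger.path.write_text("\n".join(lines) + "\n")
    return {"hashes": hashes, "ledger_intact": intact,
            "ledger_after_tamper": ledger.verify(), "final_hash": ledger.prev}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The chain protects every entry except the last, so at the end of each shift send the current `ledger.prev` value somewhere the host cannot reach (a ticket, an e-mail to legal); a later appendix to the ledger then has to match that recorded hash. Run the collection from a trusted workstation over a read-only mount where possible, not from a shell on the compromised host.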


Your processor will alert Visa, MasterCard and the credit card companies and they will contact you to assist in your investigation. Each affected credit card company or association may send a team on-site to try to identify the security deficiencies that led to the breach and determine what needs to be done to prevent such events from occurring in the future.


You will need to identify all compromised card account numbers and distribute them to the respective credit card companies and associations and there is a procedure that you will need to follow to do that. These numbers will then be sent to the cards’ issuers for replacement.




Saturday, December 11th, 2010

Credit Card Data Protection Requirements

Tags: credit card rules, data security, PCI DSS

The Payment Card Industry has established a series of technical and operational requirements for protecting cardholder data. These security standards are mandatory for all entities that store, process or transmit cardholder data. More specifically, merchants, payment processors and third-party service providers are required to comply with the most current Payment Card Industry PIN Transaction Security (PCI PTS) requirements and the Payment Card Industry Data Security Standard (PCI DSS).


Additionally, processors, service providers and merchants are required to comply with all of the following requirements:

  • A terminal or any other device at the point of sale (POS) must not display, replicate or store any card-read data except the card account number, expiration date, service code and cardholder name. Remember that merchants must never store the card security codes (CVV2, CVC2 and CID), and that a displayed account number must be truncated to its last four digits, with all preceding digits replaced by fill characters such as “x,” “*” or “#.” The table below lists the information that can and cannot be stored:

    Data type                        Data element                   Storage permitted   Protection required
    Cardholder data                  Primary account number (PAN)   Yes                 Yes
                                     Cardholder name*               Yes                 Yes
                                     Service code*                  Yes                 Yes
                                     Expiration date*               Yes                 Yes
    Sensitive authentication data**  Full magnetic stripe           No                  n/a
                                     Card verification code         No                  n/a
                                     PIN / PIN block                No                  n/a


    * These data elements must be protected if stored in conjunction with the PAN. This protection must be consistent with PCI DSS requirements for general protection of the cardholder environment. Additionally, other legislation (for example, related to consumer personal data protection, privacy, identity theft or data security) may require specific protection of these data, or proper disclosure of a company’s practices, if consumer-related personal data is collected in the course of business. PCI DSS, however, does not apply if PANs are not stored, processed or transmitted.
    **Sensitive authentication data must not be stored subsequent to authorization (even if encrypted).

  • Any media containing cardholder and account information, including account numbers, personal identification numbers (PINs), credit limits, and account balances needs to be rendered unreadable, before discarding.
  • Access to account data stored in computers and terminals is limited and controlled by data protection procedures, such as a password system for Computer Remote Terminal (CRT) access and control over dial-up lines.
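The storage rules above, and the list of permitted and prohibited data elements in the earlier “12 Basic Requirements for Keeping Credit Card Data Safe” post, come down to a few operations a POS or back-office system has to get right. The following added example (not from either post and not any vendor’s code) parses a magnetic-stripe Track 2 string and returns only what may be retained, strips sensitive authentication data from an authorization record before it is stored, truncates the PAN to its last four digits, and scans text such as a log line for unmasked PANs. The Track 2 layout (PAN, “=”, YYMM expiry, three-digit service code, discretionary data) is the ISO/IEC 7813 format; the card number 4111111111111111 is the customary test number, and field names such as cvv2 and pin_block are assumptions.

```python
"""Keep what PCI DSS allows from card-read data; discard the rest."""
import re
from typing import Dict, List


def luhn_ok(pan: str) -> bool:
    """Luhn check, used to tell a card number from an arbitrary digit run."""
    total, double = 0, False
    for ch in reversed(pan):
        d = int(ch)
        if double:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
        double = not double
    return total % 10 == 0


def mask_pan(pan: str, fill: str = "*") -> str:
    """Truncate to the last four digits, as the posts require."""
    return fill * (len(pan) - 4) + pan[-4:]


# Track 2: [;]PAN=YYMM SSS discretionary[?]   (ISO/IEC 7813, start/end sentinels optional)
TRACK2 = re.compile(
    r"^;?(?P<pan>\d{13,19})=(?P<yy>\d{2})(?P<mm>\d{2})(?P<svc>\d{3})(?P<disc>\d*)\??$")


def parse_track2(raw: str) -> Dict[str, str]:
    """Return only the fields a merchant may retain after authorization.

    The discretionary data (which can carry PIN verification values) and the
    raw track string are deliberately not returned, so they cannot be stored
    by accident further down the pipeline.
    """
    m = TRACK2.match(raw.strip())
    if not m or not luhn_ok(m["pan"]):
        raise ValueError("not a valid Track 2 string")
    return {"pan_masked": mask_pan(m["pan"]),
            "expiry": f"{m['mm']}/{m['yy']}",
            "service_code": m["svc"]}


# Sensitive authentication data: never stored after authorization, even encrypted.
FORBIDDEN_FIELDS = {"cvv2", "cvc2", "cid", "pin", "pin_block", "track1", "track2"}


def sanitize_record(rec: Dict[str, str]) -> Dict[str, str]:
    """Prepare an authorization record for storage: drop sensitive
    authentication data outright and truncate the PAN."""
    out = {k: v for k, v in rec.items() if k.lower() not in FORBIDDEN_FIELDS}
    if "pan" in out:
        out["pan"] = mask_pan(out["pan"])
    return out


PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_unmasked_pans(text: str) -> List[str]:
    """Scan a log line or stored field for digit runs that pass the Luhn
    check: the leaks an assessor would look for in logs and databases."""
    return [m.group(0) for m in PAN_CANDIDATE.finditer(text) if luhn_ok(m.group(0))]


if __name__ == "__main__":
    print(parse_track2(";4111111111111111=25121011234567890?"))
    print(sanitize_record({"pan": "4111111111111111", "cvv2": "123",
                           "name": "J DOE", "exp": "12/25"}))
    print(find_unmasked_pans("2012-01-17 auth ok pan=4111111111111111 amt=12.50"))
```

The Luhn filter in `find_unmasked_pans` keeps the scanner from flagging every long number (order IDs, timestamps), but it still produces occasional false positives, so treat a hit as something to inspect rather than proof of a leak. Running it over application and web-server logs is a cheap check against the most common way full card numbers end up stored where they should not be.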


Processing banks, merchants and third-party service providers that use wireless LAN technology to connect networks or servers that process or store bank card transaction or account data are required to comply with all of the following requirements:

  • Implement Wi-Fi Protected Access (WPA) for data encryption and authentication when the wireless LAN equipment is WPA-capable; where the equipment supports it, use WPA2 with AES (CCMP), since the original WPA’s TKIP cipher has known weaknesses. Use of a Virtual Private Network (VPN) is also recommended.
  • When the wireless LAN is not WPA-capable, a VPN must be implemented.
  • Wired Equivalent Privacy (WEP) must not be the sole method used to protect the confidentiality of, and access to, a wireless LAN. Moreover:
    • Since March 2009, WEP has been prohibited for new wireless LAN implementations.
    • Since June 2010, WEP has been prohibited for existing wireless LAN implementations as well.


For more information on the PCI DSS requirements, you can refer to our PCI Data Security Standard Compliance post from a few months back.


