The Importance of Data Security
In late summer of this year, news broke that Equifax had been the victim of a massive data breach, likely one of the largest thefts of consumer data ever (see article here). As one of three primary agencies charged with tracking consumer credit in the US, Equifax fully understood the consequences of what it means for a consumer to have sensitive financial data stolen. While it appears that a sophisticated hack was involved, the case highlights the importance of data security and the risk that a company takes on in handling sensitive data.
The theft of one’s Social Security number, credit card data, or other personal data can cause many problems in today’s world. It also costs businesses billions of dollars (maybe it’s trillions of dollars by now) a year in handling the related fraud, not to mention the effect on the invaluable reputation of a business. Data security encompasses the need to protect a wide range of data, whether it’s financial, demographic, or general personal information like names and email addresses. At AdvantageCS, we’re constantly focused on the full range, but we’ve especially been working with our clients on PCI compliance in the past couple of months.
Industry Standards Combat Fraud
When the major players in the payment card industry teamed up over a decade ago to form the Payment Card Industry Security Standards Council (PCI SSC), it was their intention to put in place standards that all companies handling payment card data would follow in order to combat fraud. The requirement to follow those standards, the Payment Card Industry Data Security Standards (PCI DSS), in order to handle payment card data, has resulted in businesses often being pushed to implement more secure practices.
Advantage Is PA-DSS Compliant
As an application that accepts payment card data, Advantage is required to be PA-DSS (Payment Application Data Security Standards) compliant in order to assist our clients in meeting their PCI obligations. As an added measure to help our clients meet the strict requirements of PCI DSS, AdvantageCS first had the Advantage application independently certified as PA-DSS compliant with our 2011r1 release. Since then, we’ve continued to invest in PA-DSS certification on an ongoing basis. As we’ve made the transition to continuous updates, however, with a new version of the software available every month, we’ve realized that ensuring PA-DSS certification of each monthly version is extremely challenging. To achieve PA-DSS certification, AdvantageCS is required to have many of our internal processes audited, our source code reviewed, and the application penetration tested by a qualified auditor. The results of that audit then need to be approved by the PCI SSC before Advantage is officially certified. This arduous, though important, process is required for certifying any given release.
New Card Vault Simplifies Certification
As we work to ensure that a certified version of the application is available to our clients each time they move to a new release, we have now begun a project called Card Vault. This high-priority project is isolating the payment card functionality in Advantage and moving it to a separate application. By isolating this functionality, AdvantageCS will no longer need to re-certify the entire Advantage application for each monthly release. Only when changes are made directly to the credit card application will re-certification be required. This makes it easier for AdvantageCS to maintain certified software and also makes it easier for our clients to ensure they’re on a version of the software that has been certified.
Card Vault will be rolling out in the coming months and will introduce some changes in how payment card data is stored and maintained by Advantage. For most of our clients, the change will be nearly invisible. It will be part of our standard upgrade/update process to migrate our clients to this Card Vault, which will be a mandatory move. But rest assured that we’ll make it as seamless as possible. And we expect no degradation whatsoever in performance. We’ll provide more details over the coming months as we prepare to release these changes.