In the meantime, there is no need to wait until it is required. You can start doing it now.
I am reminded of this whole topic by the post in Brian Krebs' blog describing fake/compromised POS devices used by criminals to steal card data. At least one criminal is selling compromised POS devices -- including top-of-the-line cellular-based wireless devices -- that capture the mag stripe, and print a receipt, but never actually complete the transaction.
This scam is not new. I remember stories during my time at Visa about merchants who "sold" goods for the sole purpose of collecting payment card data. Customers were surprised they never saw the charge for the t-shirt or other tchotchke on their account statements. The reason was that the "merchant" never had any intention of charging their card -- they were just skimming the stripe. Giving away the merchandise was a minor cost of doing business.
The difference today is that the scam is getting more sophisticated.
So some advice for everyone is:
- Check your own POS devices for evidence of tampering regularly (monthly? weekly?). What is a good practice today may be required by PCI tomorrow.
- Contact your issuer if you buy merchandise and no charge appears on your statement (no, you didn't get a special deal...you possibly were scammed). And if you used a debit card (eek!), get very, very worried.
- Never, NEVER get POS devices from anybody but your acquirer.
- Continue to monitor security websites and other sources of information (like the list of blogs on the right) to stay current.