Databases with credit card information are one of the most sensitive risk points of modern business. If cyber crooks can lift the data and steal from the customers it can wreak havoc with a company's reputation and possibly land it in the courts, but according to Richard Hollis too many are not doing enough to protect credit card details.
The CEO of The Risk Factory, a consultancy for information management services, describes the danger of database theft as "the biggest threat you can transmit on the web", and that black market prices for the data show it is growing.
"The going price 10 years ago for name, address, card number and expiration date was about £10 per record - so 10,000 would bring £100,000 - but now it's down to 50 pence and that's just supply and demand," he says.
The Payment Cards Industry Standards Council provides a framework of controls for protecting the data - 288 of them, extending into areas such as configuring firewalls, how to use antivirus software and security policies. While Level One merchants - those that handle more than one million transactions per year - need third party verification to show they comply, others can carry out a self-assessment that is signed off by a director.
But Hollis says it can be expensive to comply with the standards, even for a small company; one that uses a web facing architecture to process payments can easily pay in excess of £10,000. It can also be very time consuming, and if any of the process is outsourced the standards should be enforced at all stages.
He believes that full compliance is very rare, but sees the solution in simplifying the approach to managing credit card data, and advocates a five step approach that he claims can save money while reducing the risk.
"Number one is discover and document," he says. "You have to conduct an inventory of your card data. You can't shrink what you haven't measured.
"Draw a network diagram depicting your card data like a heat map, writing down all your devices to show where the data resides. For example, the data is on this server, that laptop, that desktop, etc.
"The next step is destroy and descope. If you don't need it get rid of it, whether it's hard or soft copy.
"Take your time and use your map. For example, if you have card data in Outlook because it's been sent to you by email, the web server is 'in scope' and all the 288 controls apply to it. So you have to ask 'Why do we need it on Outlook, why is it on memory cards, and then delete, delete, delete.
"Also, any third parties connected to your system are in scope. If you are connected and they don't need access to card data, take them out of scope.
"Third is outsource and oversight. If you can outsource that website and make it their responsibility you transfer the risk. You make sure you've got a contract that makes clear who is responsible.
"For instance, when somebody wants to buy your product, I can give them a payment gateway and they can go to a payment processor. You just contract for PCI compliance with the payment processor.
"Then if you can't do that, separate and segment. The 288 controls only apply to the architecture that facilitates the processing, storage and transmit of that data. Separate any device that is not involved in this, so it will move out of scope and you can save money."
Hollis describes the final step as "tokenisation", taking the credit card numbers out of the process as much as possible. A web server can send credit card data to a token server, which disguises the credit card number and pushes a token – a different 16 digits - through the rest of the system for authentication.
The cross-reference for the credit card to match that value is only maintained on one server. Meanwhile, anywhere the token is sent does not have to be subject to PCI requirements as it does not use the actual credit card data.
Hollis acknowledges that the second step – destroy and descope – is a source of tension as businesses want to retain customers' details for future sales. Online sellers usually issue cookies on the first transaction so they can recognise a computer, and as they have the data, make the following transactions easier.
"That's the problem," he says. "How long do you need to keep my credit card details if I buy something from you?"
This warrants some searching questions, and a recognition of the risks involved in hanging on to the data.
Hollis says that companies need to ask: "Why are you keeping that credit card data? The more credit cards you have on a database the more you become a target for hackers, and are those people really going to buy from you again, and is it that much of an inconvenience?
"Everybody wants to have it, and nobody understands the responsibility that goes with it."
He makes it clear that nothing is guaranteed by complying the framework: it's for risk management, not elimination, and it's possible that a business could take all of the 288 steps and still suffer a breach. But if a company winds up in court because of data being stolen, it can show that it applied due diligence by following the framework.
His message to small and midsized businesses to is recognise the sensitivity of credit card data, that it is a valuable commodity to cyber criminals, and that they have a responsibility to protect it.
"Look at the business, understand the responsibility, and be ready to accept the responsibility and the liability," he says.
Richard Hollis will be speaking on the PCI standards at the eCrime Wales Summit on 27 March.