January 18, 2008

Making the Case for PABP

Companies that have already had to contend with the security regulations of Visa’s
CISP, MasterCard’s SDP, American Express’ DSOP and Discover’s DISC, before they were
bundled together as PCI DSS, may have witnessed widespread rolling of the eyes among
managers at the unveiling of Payment Application Best Practices (PABP). Just what
they need – another spoonful of alphabet soup to further complicate their lives.

Ready or not, however, implementation of PABP began as of January 1 of this year,
which means IT executives and senior managers are faced with the task of selling the
need to take action to their management teams.

While “It’s the law” may be compelling enough by itself to induce the necessary measures,
those making the case for PABP should also focus on the sound business reasons behind
the mandates. Strong security measures, especially those that may have an impact on
customers, are vital to the preservation of a company’s good reputation and to maintaining
client loyalty. As with PCI DSS, adherence to PABP would be the right move even if
the legislation did not exist.

PABP validation assures merchants and their customers that their point-of-sale systems
are not storing prohibited credit card information, which includes full magnetic stripe,
card validation code or value (CAV2, CID, CVC2, CVV2), or PIN block data. Encryption
alone is not enough – data storage beyond what is absolutely necessary (the cardholder's
name, primary account number, expiration date and service code) has been a primary
cause of costly breaches.

PABP should not signify a company’s introduction to sound security policy. The measures
recommended by PABP are actions that should already be considered a priority, especially
as they impact the handling of credit card information, personal orders, client histories
and any other information that can potentially be compromised.

Hackers target merchants with vulnerable payment applications. As their methods grow
more sophisticated every year, it simply doesn't make sense for any company to store
sensitive customer information, to go without secure password features, or to leave
wireless transmissions unprotected. PABP can play a vital role in maintaining consumer
trust and the integrity of payment transactions.

But if your management team still isn't convinced to take a closer look at their point-of-sale
system via a PABP audit, add three more letters to their alphabet soup – TJX, as in
TJX Companies, Inc. According to the U.S. Securities and Exchange Commission, more than
45 million credit and debit card numbers were stolen from a TJX system over a period of
18 months. In addition, personal data provided in connection with the return of merchandise
by more than 450,000 individuals was also stolen.

Since then, the company has been in the process of contacting those individuals affected
by the breach. Those who believe the efforts necessary to comply with PABP will be
a distraction from doing business should stop and consider the level of inconvenience
necessary to call thousands of customers (many of whom probably won’t be customers
for long) and tell them what happened to their stored credit card data.

Compliance with PABP is about more than obeying the law; it's about smart business
practices and protecting the value of your brand, as well as the customer's confidence
in that brand. PABP implementation is an investment in your company that will pay
dividends throughout the business cycle.