PCI Compliance for Firms Which Accept Credit Card Payments

July 6th, 2010

Does your firm allow or require clients to pay by credit card?  If so, you want to make sure you’re meeting the requirements created by recent federal legislation regarding credit card companies.  The new standards apply to anyone who accepts credit cards, including lawyers and law firms.  Montgomery County attorney Deborah Zitomer has generously allowed me to share her explanation regarding this topic, which is as follows:

 The person who manages my credit card payments told me that the compliance is a new requirement under the recently passed federal legislation regarding credit card companies.  If you take credit cards, you need to be in compliance with the credit card company’s standards and regulations or they can refuse to process payments for you, or can fine you. The standards apply to anyone who accepts credit cards for payments, so lawyers and firms need to be compliant!

Below is an excerpt about compliance and standards for those who accept credit cards as part of their practice.  You can also take a look at the website for PCI.

The major credit card issuers created PCI (Payment Card Industry) compliance standards to protect personal information and ensure security when transactions are processed using a payment card.   All members of the payment card industry (financial institutions, credit card companies and merchants) must comply with these standards if they want to accept credit cards.  Failure to meet compliance standards can result in fines from credit card companies and banks, and even the loss of the ability to process credit cards.

There are six categories of PCI standards that must be met in order for a retailer to be deemed compliant.

1. Maintain a Secure Network

This standard refers to the actual network that cardholder data resides upon. In the case of an online business, the most obvious vulnerability for this standard is the web server. Luckily, most hosting companies take responsibility for ensuring the security of their networks. However, there is more to this standard than meets the eye.  Do you keep cardholder data (even just names) on a laptop that you use on public networks?  Does your office network have a firewall installed and reasonable security measures in place?

In short, whenever any personal information about a cardholder is stored on a computer (which is also connected to a network), that computer should be behind a firewall and all reasonable measures should be taken to protect that particular network.

2. Protect Cardholder Data

This category focuses on how cardholder data is stored and transmitted. Business owners that choose to store cardholder information have an obligation to protect that data. Protecting information means that not everyone can have access to it. Businesses that store actual credit card numbers will often store them as encrypted data, so that even if someone got access to the database they still could not decipher the information in it.

E-commerce businesses need to be especially attentive to the way that cardholder data is transmitted. When a customer makes a purchase on a website, his/her cardholder information is sent across the Internet. During that transmission, cardholder data must be encrypted with at least a 128-bit SSL certificate in order to meet this standard.

3. Maintain a Vulnerability Management Program

This one is relatively simple, and translates to keeping up-to-date with your protection systems. Vulnerability exposure can be minimized by regularly updating computer hardware, operating systems and software. Keeping up-to-date anti-virus software, as well as running regular virus scans, is another requirement to meet this standard if your systems are susceptible to such vulnerabilities.

4. Implement Strong Access Control Measures

The most exploited breach in security is the human element, which is harder to protect. Part of meeting PCI compliance means limiting access to cardholder data to only those persons that need to use it. In addition to restricting physical access to cardholder information, business owners are also responsible for assigning a unique identification to each person that does have access.

5. Regularly Monitor and Test Networks

Networks that store cardholder data must be monitored and tested regularly. Regular scans of security measures and processes, and monitoring and tracking of network access to cardholder data are required to satisfy this standard. Consider signing up for a security testing and auditing service, such as ScanAlert’s Hacker Safe program, which can help you to identify and fix potential security problems as they arise.

6. Maintain an Information Security Policy

Considering that humans are generally the easiest part of a system to hack, and also that ignorance does not relieve liability, it’s important to draft and implement a company-wide information security policy. Make sure that your employees know and understand their responsibilities with regard to cardholder data before it becomes an issue.

The first step in PCI compliance is to meet the above standards.  Credit card companies and financial institutions validate that vendors are abiding by the regulations, giving them ratings based on their volume of transactions. The rating that a company receives determines the process that they must go through in order to be validated.

Deborah promises to take a closer look at the four validation ratings in the future, and when she does, she will hopefully allow me to share them as well.
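The storage, access-control and monitoring points in categories 2, 4 and 5 above can be made concrete in a few lines of code. The Python sketch below is an added example; it is not from the post, from Deborah Zitomer, or from any PCI document. It assumes the hashing key is kept outside the database (a hypothetical CARD_TOKEN_KEY environment variable), that every staff member has a unique user ID, and that the card number used is a constructed test value. Rather than storing the full account number at all, it keeps a keyed one-way hash for matching plus a masked copy for display, which are two of the rendering methods PCI DSS accepts for stored account numbers (my addition, not the post’s); every access attempt, including refused ones, is written to an audit log that a monitoring job can review.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Assumed (not from the post): the HMAC key is held outside the database,
# e.g. in the CARD_TOKEN_KEY environment variable, so a copy of the database
# alone cannot be turned back into card numbers. The fallback is for the demo only.
_TOKEN_KEY = os.environ.get("CARD_TOKEN_KEY", "demo-key-not-for-production").encode()


def _digits(pan: str) -> str:
    """Strip the spaces and dashes people type between card number groups."""
    return "".join(c for c in pan if c.isdigit())


def luhn_ok(pan: str) -> bool:
    """Luhn checksum carried by payment card numbers; rejects typos early."""
    digits = [int(c) for c in _digits(pan)]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncation: keep only the last four digits for receipts and screens."""
    digits = _digits(pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def tokenize_pan(pan: str) -> str:
    """Keyed one-way hash: records can be matched without storing the PAN."""
    return hmac.new(_TOKEN_KEY, _digits(pan).encode(), hashlib.sha256).hexdigest()


class CardVault:
    """Stores only a token and a masked PAN (category 2), restricts access to
    named users (category 4) and logs every access attempt (category 5)."""

    def __init__(self, authorized_users):
        self._records = {}                  # token -> masked PAN, nothing else
        self._authorized = set(authorized_users)
        self.audit_log = []                 # one entry per access attempt

    def _audit(self, user_id: str, action: str, token: str = "") -> None:
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user_id,                # unique ID, never a shared login
            "action": action,
            "token_prefix": token[:8],
        })

    def _check(self, user_id: str, action: str) -> None:
        if user_id not in self._authorized:
            self._audit(user_id, "DENIED " + action)
            raise PermissionError(f"{user_id} is not cleared for cardholder data")

    def store(self, user_id: str, pan: str) -> str:
        self._check(user_id, "store")
        if not luhn_ok(pan):
            raise ValueError("not a valid card number")
        token = tokenize_pan(pan)
        self._records[token] = mask_pan(pan)   # the full PAN is never written
        self._audit(user_id, "store", token)
        return token

    def lookup(self, user_id: str, pan: str):
        """Return the masked record for a card, or None if it was never stored."""
        self._check(user_id, "lookup")
        token = tokenize_pan(pan)
        self._audit(user_id, "lookup", token)
        return self._records.get(token)

    def denied_attempts(self):
        """What a daily monitoring job (category 5) would review."""
        return [e for e in self.audit_log if e["action"].startswith("DENIED")]


if __name__ == "__main__":
    vault = CardVault(authorized_users=["billing-clerk-01"])
    # "4111 1111 1111 1111" is a constructed test number, not a real account.
    vault.store("billing-clerk-01", "4111 1111 1111 1111")
    print(vault.lookup("billing-clerk-01", "4111111111111111"))   # ************1111
    try:
        vault.lookup("summer-intern", "4111111111111111")
    except PermissionError as e:
        print(e)
    print(vault.denied_attempts())
```

The point of the design is that a stolen copy of `_records` contains no card numbers, and that the audit log names an individual for every access, which is what categories 4 and 5 ask for; in a real deployment the key would come from a secrets store rather than an environment variable, and the log would be shipped off the machine that writes it.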

==========

To return to the main page of the blog, click here.  To return to the blog  Index, click here.

More on the Apple iPhone 4

June 30th, 2010

Boy I’m sure glad I bought Apple stock before release of the iPad and iPhone 4!  The stainless-steel-and-glass body in the iPhone 4 is just the start . . . there’s the super-high-resolution screen, a 5-megapixel camera, HD video capture, and much more.

For those of you who have interest in the iPhone 4 and haven’t made a move, PCMag.com has provided some additional resources for your researching pleasure.  First is Apple’s iPhone 4: What Buyers Need to Know.  It covers pricing and upgrade options.  Next is a well-produced Video: Hands On with Apple iPhone 4.  It takes just a few minutes to get the feeling of what it would be like to hold the slick product in your own hand.  Next, technical writer / reviewer Lance Ulanoff provides a more balanced viewpoint at Ulanoff: Apple iPhone 4 Razzles and Dazzles.  Finally, we have the article Apple’s iPhone 4 Attracting Big-Name Apps which was somewhat disappointing.  If you’re a gamer you’ll feel differently.  I was hoping by big-name apps they’d be talking about things useful from a business perspective.  Somehow, Guitar Hero doesn’t meet that standard from my perspective . . . oh well!

What holds most people back from thinking about switching to the iPhone is the switch from (for most of you) Verizon to AT&T.  I have to say that I switched from Sprint after many reliable years of service, to AT&T because they had the Blackberry smartphone I wanted (the Bold 9000).  AT&T isn’t horrible.  It’s not going to win any awards from my perspective, but it’s not horrible.  Reception has been reliable, although the portable WiFi card doesn’t work as reliably as my old Sprint one did, but aside from that, no better or worse.  My husband is on Verizon, and there have been a few occasions when his phone found a connection, and mine did not.  He will be gratified to hear me admit it publicly.  Still, the less-than-a-handful of times when he had a connection and I didn’t is just not enough of a difference to keep me from getting the model smartphone I want.

What one still needs to consider seriously are the security issues.  The iPhone still doesn’t have all the security most IT managers want for devices which link up to networks housing confidential client and firm information.  However, as the customer base continues to include a greater number of business users, I have no doubt that software applications will follow.  The question is how long that will take.

==========


Ready to Buy the iPhone 4?

June 17th, 2010

Here’s a great article from CNet News providing all the FAQ about your upgrade options and pricing.  The new iPhone goes on sale June 24th.

I don’t know about you, but the offer of a bigger battery that offers up to seven hours of talk time, six hours of 3G browsing, and 300 hours of standby time is pretty darn compelling. It also comes with a new 5 megapixel camera that can record video in high definition.

Hey, stop jostling and get in line! :-)

==========


Who Uses iPad? Has AT&T’s Security Breach Left Them Vulnerable?

June 11th, 2010

The iPad is selling like hotcakes.  Despite tepid advance reviews, the techno-users keep gobbling them up.  Sales are strong at home and abroad.  But the recent security breach of AT&T’s web site devoted to iPad users has most users feeling very uneasy.

A recent article in C-Net News regarding the AT&T security breach which exposed data of more than 100,000 iPad users, listed the following noteworthy users:   White House Chief of Staff Rahm Emanuel, journalist Diane Sawyer, New York Mayor Michael Bloomberg, movie producer Harvey Weinstein, New York Times CEO Janet Robinson, officials at the FBI, departments of Defense and Justice, federal courts, and NASA, as well as executives from Google, Microsoft, Amazon, Goldman Sachs, and JP Morgan, among many others. 

As the FBI continues its investigation, and AT&T continues to apologize for the inadvertent security hole, iPad users wonder what their risks are.

According to the article, they face exposure to external threats in the form of phishing emails and tempting links to phoney sites laden with spyware.  That’s nothing new in today’s world, but you can be sure, with the high-profile potential targets identified above, that the best of the worst characters will be employed in the pursuit of creating more serious exploits.  Many iPad users will receive emails which appear legitimate, in an attempt to compel them to willingly open attachments or click on links.

If you’re an iPad user (or even if not, but have an active email inbox) be extra careful about emails which appear to come from legitimate sources, and include attachments or links.  I’ve provided information previously, in a post entitled “How to Avoid Dangerous Web Sites,” about a web site which enables you to check another web site for malicious code before actually landing on it.   If you want to find out whether or not it is safe to click on a link, you can try testing it at LinkScanner Online. This free service allows you to visit the URL in a controlled environment on their servers.  LinkScanner Online will inspect the site in real-time to determine whether it is hiding any nasty exploit code and, if so, what exploit.

Let’s be careful out there!

==========


Another Attorney Trust Account Hit By Online Fraud

June 10th, 2010

Wow, I can’t believe it’s been more than two months since I’ve had a chance to post to the blog.  I want to thank those subscribers who wrote to me to inquire whether I was still alive and well, given my online absence.  Yes, I’m fine.  I’ve just been on the road a lot more than usual.

Is it coincidence that the last post concerned a fraud attempt upon an Oregon attorney, and I’m following up with another?  I don’t think so. 

The Florida attorney had her trust account hit for a significant sum.  She was willing to engage in online banking thinking that the several layers of security provided by the bank itself would be sufficient to protect her accounts.  What she did not take into consideration was the very real possibility and threat of scumware (a/k/a spyware) being installed on her computer, arriving hidden in an email, and capturing her logon ID and passwords, which the criminals then used to access her trust account and make wire transfers out of it.  The transactions themselves were carried out surreptitiously through her computer, so that the computer’s identification (e.g. IP address) would match that which the bank’s system recognized as legitimate.

You should read this story which appeared in the June 15, 2010 edition of The Florida Bar News.  If you’re presently doing online banking, it will certainly give you pause.  It will also give you some food for thought about how to tighten security.  I noticed that the victimized attorney stated she had anti-virus software, but did not acknowledge having anti-spyware software.  And that’s the culprit that breached her security.

Anti-virus software alone isn’t sufficient protection.  It’s like brushing your teeth but never using dental floss or mouthwash.  Your dentist will tell you that the combination is what provides maximum protection.  Similarly, your firm should utilize a firewall, anti-virus and anti-spyware software, and should keep all up to date.

==========


More on Lawyers as Fraud Victims . . . With a Twist

March 20th, 2010

It’s getting harder to keep track of the many frauds which are impacting lawyer practices.   You certainly have to remain vigilant.  I’ve just been informed of a new scheme.

 This fraud alert is just in from Oregon. It seems a fraudster has appropriated an attorney’s name, firm name, phone number, and address and then has debited 3 different bank accounts of individuals in different states with $10 debits purportedly from her.

 The FTC advised the attorney that the $10 charges are test charges to see if the bank account holder is alert. The fraudster then would clean out the bank account of anyone not paying attention. The attorney found out about the charges when she was called by the individuals wanting to know what her debit was for. 

 Since the attorney is not herself a victim of theft, she was told nothing can be done on an official basis to protect herself.  Likewise, the local police cannot assist because the financial victims are out of state.   Of course, the attorney is concerned about damage to her reputation, and the time and expense of dealing with all the issues which may crop up until her identity can be secured once again.

 It seems that taking all the necessary steps to further protect herself from this identity theft is about the only avenue to pursue for this lawyer.  At least thus far.  For some excellent information on how to deal with identity theft, check out the information on the web site of the FTC.

==========


Only 16 Days Until the HITECH Act Goes into Effect

February 1st, 2010

As promised, attorney Jennifer A. Stiller has posted her detailed blog post regarding the new “Health Information Technology for Economic and Clinical Health Act” – or “HITECH Act.”  You can read all the details here.


The new legal requirements apply to impacted firms effective February 17, 2010.  Chances are, if you represent doctors, hospitals, health insurance companies, and any other person or entity that is considered a “covered entity” under the HIPAA patient privacy rules, this applies to you.

==========

The Scary World of Penalties and Enforcement Under the New HIPAA-HITECH Law

January 25th, 2010

This is the second guest post by health care attorney Jennifer A. Stiller.  My gratitude to Jenny for providing this additional information.  She will be posting a detailed follow-up article on this topic on her own web site.  I encourage you to read it.


On January 22, I wrote about the new HITECH Act, which as of February 17th will make HIPAA business associates – such as law firms that represent healthcare clients – directly subject to federal penalties if they fail to meet certain obligations with regard to implementing safeguards to keep their clients’ patient information secure when stored or transmitted electronically.


And we should care because…?


In addition to expanding HIPAA obligations, the HITECH Act (known to the cognoscenti as “HIPAA on Steroids”) substantially increases enforcement penalties and activities.  Previously, there was no affirmative government enforcement of the HIPAA patient-privacy requirements – only the ability of the Department of Health & Human Services’ Office of Civil Rights (OCR) to investigate complaints. If a complaint revealed a violation, fines were limited to $100 per incident, with a maximum annual total of $25,000 for violations of the same requirement. Under HITECH –


· Civil money penalties increased to as much as $50,000 per violation, up to $1.5 million per year.

· Starting February 17, 2011, OCR is required to impose civil penalties if a violation is due to “willful neglect.”

· OCR will keep the penalties, to be plowed back into enforcement activities.

· OCR is directed to conduct periodic audits of covered entities and business associates to evaluate HIPAA compliance.

· State attorneys general are granted authority to bring civil actions to enforce HIPAA.

· The Government Accountability Office is directed to prepare a report by August 17, 2012 recommending a methodology by which affected individuals can share in penalties collected for HIPAA violations. Once implemented, this will increase individuals’ incentives to file privacy and security complaints, similar to the effect of the False Claims Act’s “whistle-blower” provisions.


Next week, I’ll publish a full article on my website explaining the duties the HITECH law imposes on business associates, effective February 17, 2010.  My appreciation to Ellen Freedman for providing me with an ability to use this forum to get the word out.

==========

New Duties to Protect Health Care Privacy Take Effect February 17, 2010

January 22nd, 2010

This is a guest post which was prepared by health care attorney Jennifer A. Stiller.  Thank you, Jenny, for taking the time to provide this information.  We are fortunate in that Jenny has agreed to provide another post, which will appear in another day or two.


Attorneys who represent doctors, hospitals, health insurance companies, and the like face new statutory obligations to take affirmative steps to ensure the privacy of their clients’ patient information when it is transmitted or stored electronically.  The new requirements, enacted as the “HITECH Act” portion of last year’s economic stimulus legislation, go into effect February 17, 2010.


Technically, many attorneys have already had such obligations under a “business associate” agreement with their healthcare industry clients, most of whom are “covered entities” under the HIPAA patient privacy regulations and as such, are required to enter into such an agreement with any non-employee who “provides … legal … services to or for such covered entity where the provision of the services involves disclosure of individually identifiable health information…” 45 C.F.R. § 160.103. 


But come February 17, there’s a new twist.  Previously, if the law firm did not live up to its contractual obligations concerning how patient information was to be handled, the worst thing it would face was being fired by its client and possibly a suit for breach of contract.  As of February 17, however, the law firm is directly liable to the federal government for having inadequate safeguards in place (regardless of whether private information is in fact compromised) – and the penalties for non-compliance can be stiff.

==========

Windows 7

January 17th, 2010

I continue to read good things about Windows 7 in the various sources I trust.  Incompatibility issues with hardware and legacy software are minimal.  If you want some really detailed information I suggest you read this software review from PCMag.com.  All-in-all, I think it’s now safe to upgrade to Windows 7 at your office.

==========
