
PCI-DSS Compliance & you

By Michael Boldiston

Security within the ProMaster application is something that we take very seriously at Inlogik.  We have made many alterations to the software and to our hosting infrastructure, but there is one area of the product's usage over which we have little control - end-user compliance!

Inlogik promote secure behaviour amongst our user base, but that does not always translate to secure actions being taken.  For example:

An e-mail received from an Enterprise Controller read as follows: "I have a new user who I've added to ProMaster, and there are no transactions coming through.  He assures me he's been using his card, his card number is 4343 5454 6565 7676.  Please let me know what I'm doing wrong?"

As it turned out, the card number had simply been entered incorrectly, but the real problem with the e-mail above is that it contains a full card number.  It is absolutely imperative that we never receive an un-masked card number via e-mail: e-mail is relayed and stored in the clear on every server it passes through, and any mailbox that holds a full card number becomes part of the cardholder data environment that the PCI-DSS standard requires to be protected.

By masking, we mean blanking out enough digits that the number is useless to anyone who might intercept it, and there are recorded instances in the business world of exactly that happening.  All you need to do is 'asterisk out' the middle 6 digits, so that 4343 5454 6565 7676 becomes 4343 54** **** 7676.  The first six digits (the issuer identifier) and the last four remain visible, which matches the PCI-DSS rule on displaying card numbers (first six and last four digits at most).  That is still enough for us to identify which card on the account is involved, but the masked number cannot be used to purchase anything, and it is the only form in which a card number should ever appear in an e-mail or support request.

Another important thing that you, our Enterprise Controllers, can do is to educate your end-users in how they use the program.  One critical area is attaching files to ProMaster.  If you require scanned receipts to be attached in ProMaster, your users must not attach files containing an un-masked card number.  Most merchant receipts already have the number masked, but if not, a quick bit of black pen before scanning is all that is required.  Note that it has to be the pen on the paper copy: drawing a black box over the digits in a PDF or image editor after scanning often only adds a layer on top, and the digits remain recoverable underneath.  Similarly, if your users upload plain-text files as receipts (and they really shouldn't anyway, because a file they could have edited themselves is not good evidence), they should mask out the card number in the file before attaching it.

It is important to understand how critical these behavioural changes are, both to our PCI-DSS accreditation and, in turn, to the security of your data.  We understand that even the best education can still fall short, so in some cases we will take the matter into our own hands.  How?  Well, nothing too drastic, because no files should ever fall into this category, but as of the v8.0 rollout the following rule will be applied to ALL hosted clients:

RULE #1: ANY FILE UPLOADED TO PROMASTER CONTAINING UN-MASKED CARD NUMBERS WILL BE DELETED BY OUR SECURITY SCANNING SOFTWARE, WITHOUT FURTHER NOTICE, WITHIN 24 HOURS OF ITS ARRIVAL ON THE SERVERS.

Some clients do generate reports (including some exports) that contain full card numbers.  These are slightly different, because there will almost always be a legitimate reason to produce them, but we still need to protect you and your cardholders by minimising the time such files sit on the servers waiting for you or your users to retrieve them.  So a second rule will apply:

RULE #2: ANY FILE GENERATED FROM PROMASTER (INCLUDING REPORTS AND EXPORTS) CONTAINING UN-MASKED CARD NUMBERS WILL BE DELETED BY OUR SECURITY SCANNING SOFTWARE, WITHOUT FURTHER NOTICE, WITHIN 24 HOURS OF ITS CREATION ON THE SERVERS.
This may all sound a bit harsh, but under the PCI-DSS standard (read more here: https://www.pcisecuritystandards.org), Inlogik simply cannot allow anything to compromise the secure storage of card data on our servers, not even our clients themselves.
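The two techniques this article relies on, masking a card number down to its first six and last four digits and scanning uploaded text for numbers that have not been masked, are short enough to show in full. The block below is an added example written for this page; it is not Inlogik's scanning software and says nothing about how that software works. It finds 13 to 19 digit runs (optionally separated by single spaces or hyphens), keeps only those that pass the Luhn mod-10 check that every payment card number satisfies, and masks the survivors in place while preserving the original spacing, so the article's example becomes exactly "4343 54** **** 7676". The sample receipt, the function names and the 13 to 19 digit range are all assumptions of the example; the card numbers in it are constructed (the first is the one quoted in the article, which happens to be Luhn-valid).

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, not glued to other digits.  Asterisks break the match, so an
# already-masked number such as "4343 54** **** 7676" is never a candidate.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Digits left visible after masking: first six (issuer identifier), last four.
KEEP_LEAD, KEEP_TAIL = 6, 4


def only_digits(s: str) -> str:
    return "".join(c for c in s if c.isdigit())


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check-digit test that every payment card number passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_pan(candidate: str) -> bool:
    """A candidate counts as a card number only if the digit count is plausible
    and the Luhn check passes; this rejects most phone numbers and order ids."""
    digits = only_digits(candidate)
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def mask_pan(pan: str) -> str:
    """Replace every digit except the first six and last four with '*',
    keeping the original spacing so the masked value still reads naturally."""
    n = len(only_digits(pan))
    out, idx = [], 0
    for ch in pan:
        if ch.isdigit():
            out.append(ch if idx < KEEP_LEAD or idx >= n - KEEP_TAIL else "*")
            idx += 1
        else:
            out.append(ch)
    return "".join(out)


def find_unmasked_pans(text: str) -> list:
    """Every Luhn-valid candidate in the text, in order of appearance."""
    return [m.group(0) for m in CANDIDATE.finditer(text) if is_pan(m.group(0))]


def redact_text(text: str) -> str:
    """Mask every Luhn-valid candidate; leave everything else untouched."""
    return CANDIDATE.sub(
        lambda m: mask_pan(m.group(0)) if is_pan(m.group(0)) else m.group(0),
        text,
    )


def scan_receipt(text: str):
    """Scanner decision for one uploaded text file:
    (list of un-masked card numbers found, redacted copy of the text)."""
    hits = find_unmasked_pans(text)
    return hits, redact_text(text)


# Constructed sample receipt (hypothetical merchant, not a real document).
SAMPLE_RECEIPT = """\
ACME STATIONERY - TAX INVOICE 0001234
Card: 4343 5454 6565 7676   (constructed sample, Luhn-valid)
Card: 4343 5454 6565 7677   (constructed sample, last digit wrong, fails Luhn)
Card: 4343 54** **** 7676   (already masked)
Phone: 02 9999 8888   Order ref 1234567890123   Total: $123.45
"""

if __name__ == "__main__":
    hits, redacted = scan_receipt(SAMPLE_RECEIPT)
    print("un-masked card numbers found:", hits)
    print(redacted)
```

Two caveats worth keeping in mind if you build something like this for real. The Luhn check removes most false positives but not all: roughly one in ten arbitrary digit strings of the right length will pass it, so a scanner that deletes files on a match should log what it matched. And it only works on text; a scanned receipt is an image, and the digits have to be extracted (for example by OCR) before any of this can see them, which is why the black pen before scanning matters.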