PCI Compliance

[CarBuff's]

Hello Fellow Carwasher's

Been lurking on this site for quite some time and thank you for the solid business insight many of you have shared.

I wanted to reach out and ask what steps you are taking to maintain PCI Compliance and secure your customers credit card information. In 2014 we did experience a data breach and I have to say... it ranked right up there with one of the worst business experiences I have endured.

Are any of you utilizing a third party computer security company to provide quarterly scans and assist in the PCI Compliance process? Have you taken out insurance policies to cover any data breaches?

Any input is much appreciated!

 

[Overachiever]

What was taken in the data breach? Full credit card numbers? How did they get the data?

My payment processor had some sort of noncompliance insurance for like $8.00 a month but I'd maybe change the way you handle credit cards so you don't need to store those credit card numbers at all or store them on a computer not accessible to the internet.

 

[Washmee]

This is who I use. Trustwave PCI Compliance

https://www.trustwave.com/Services/Compliance-and-Risk/PCI-Services/

 

[CarBuff's]

What was taken in the data breach? Full credit card numbers? How did they get the data?

My payment processor had some sort of noncompliance insurance for like $8.00 a month but I'd maybe change the way you handle credit cards so you don't need to store those credit card numbers at all or store them on a computer not accessible to the internet.

Unfortunately, the full card numbers were taken and fraud was committed outside the U.S. Access was gained through an authorized third party support company.

We were not storing credit card information on sight and the card numbers were tokenized but, the malware was able to grab the card information the second the card was swiped. Our processor offers 100k of insurance for about $100 per year, the best $100 I ever spent. Unfortunately, at today's breach costs of $180 per exposure $100,000 is a drop in the bucket.

 

[CarBuff's]

Thank you Jon!! Do they come onsite or is everything managed over the Internet?

 

[Randy]

I’d be concerned with whose equipment I’m using. Whose equipment are you using? Who is the authorized third party support company?

 

[CarBuff's]

I’d be concerned with whose equipment I’m using. Whose equipment are you using? Who is the authorized third party support company?

Randy, my intention is not to point fingers.

 

[soapy]

CarBuff are you using the credit cards for monthly unlimited washes at a tunnel that get billed monthly? I know of another car wash company that recently was hacked that does this. The system was hacked a couple of processors above it so they ended up without having to pay penalties but I am sure the damage to the business still exists in the minds of its customers.

 

[Washmee]

Thank you John!! Do they come onsite or is everything managed over the Internet?

I use DRB Sitewatch and they work in partnership with Trustwave.

 

[CarBuff's]

CarBuff are you using the credit cards for monthly unlimited washes at a tunnel that get billed monthly? I know of another car wash company that recently was hacked that does this. The system was hacked a couple of processors above it so they ended up without having to pay penalties but I am sure the damage to the business still exists in the minds of its customers.

We are not using any unlimited plans with automatic recharges, just a typical full service wash, lube and detail shop. We were very lucky that we had no penalties, and did not take any hit on sales but... I am very concerned that this never happens again.

 

[CarBuff's]

I use DRB Sitewatch and they work in partnership with Trustwave.

The Trustwave site looks like they know what there doing.

 

[robert roman]

Although my business is different than carwash, I learned quite a lot on how to protect my business by visiting the PCI Security Standards Council's website.

 

[soapy]

Tsys uses trustwave for Pci compliance and have been very easy to work with.

 

[CarBuff's]

Tsys uses trustwave for Pci compliance and have been very easy to work with.

Thanks Soapy, we will be checking Trustwave out as a secondary compliance safety net.

 

[CarBuff's]

Although my business is different than carwash, I learned quite a lot on how to protect my business by visiting the PCI Security Standards Council's website.

Thank you Robert, it's a whole new ballgame out there today.

 

[Washmee]

*Update*
I took a few weeks, but my wash is now 100% PCI compliant. Working with Trustwave I found that I needed to buy a new router and readjust my firewall settings. I also had to flash a newer version of software onto my wireless access points. They now scan my system every month and I get a status report. I still don't have any readers that read the new embedded chips in cards but neither do about 80% off all retailers.