Garden Center Solutions

Is Your System Secure?
What to watch in safeguarding your customers’ personal information

As identity theft continues to plague consumers, making some wary of using their credit cards, independent garden centers are taking a closer look at the POS security and guidelines established by the Cardholder Information Security Program (CISP).

Mandated in June 2001, CISP was designed to protect consumers’ bankcard data when presented at a POS, over the Internet or on the phone. The program outlines the highest information security standards for members, merchants and service providers.

In 2004, CISP requirements were integrated into a standard known as the Payment Card Industry (PCI) Data Security Standard as a cooperative effort between Visa and MasterCard. On Sept. 7, 2006, it was announced that the PCI Security Standards Council (PCI SSC) would effectively own, maintain and distribute the PCI Data Security Standards.

For retailers, the PCI Data Security Standard consists of 12 basic requirements:

  • Build and Maintain a Secure Network: 1. Install and maintain a firewall configuration to protect data; 2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  • Protect Cardholder Data: 3. Protect stored data; 4. Encrypt transmission of cardholder data and sensitive information across public networks.
  • Maintain a Vulnerability Management Program: 5. Use and regularly update antivirus software; 6. Develop and maintain secure systems and applications.
  • Implement Strong Access Control Measures: 7. Restrict access to data by business need-to-know; 8. Assign a unique ID to each person with computer access.
  • Regularly Monitor and Test Networks: 9. Restrict physical access to cardholder data; 10. Track and monitor all access to network resources and cardholder data.
  • Maintain an Information Security Policy: 11. Regularly test security systems and processes; 12. Maintain a policy that addresses information security.

Compliance with these 12 items is serious. If negligent, your garden center could be held accountable for any data stolen from your business. Losses or fines due to fraudulent use can be collected by the credit card company and the bank issuer.

Valley View’s Extra Steps
So what are IGCs doing to meet the CISP guidelines? Matt Thierer, Garden Shop Manager of Valley View Farms Garden Center & Nursery in Cockeysville, MD, says Radiant Systems’ CounterPoint POS system makes the process easier. The leading independent, ranked No. 40 in Nursery Retailer’s IGC 100 report with $12 million in sales, has been in compliance for more than two years.

CounterPoint’s CISP-compliant security provides for the following:

  • Password security settings support CISP-compliant password policies.
  • All passwords and credit card numbers are encrypted.
  • Full credit card numbers are not displayed or printed, and all card numbers are masked to display only the first six and the last four digits.
  • Magnetic stripe track data is not retained in the database.
  • CVV2/CVC2/CID data (i.e., verification numbers printed on each card) is not retained.
  • Retention of full credit card numbers in history is optional. Full card numbers retained in the history are encrypted.

Valley View takes security measures an extra step, enclosing all of its register components (computer, receipt printer, touch screen, two cash drawers, keyboard, scanner and mouse) in wooden cabinets for added protection. The only access is through a small hole where the computer’s power button is located.

Only two of the garden center’s 130 staff members have security clearance to look up bankcard numbers when needed. Thierer maintains the ability to access the full credit card number because it allows him to offer better service without inconveniencing the customer. By pulling up a transaction number, he can view the live data and issue a credit without having to trouble a customer for her card. As an added security measure, the system keeps track of every time this feature is used.

McDonald’s Secure Connection
McDonald Garden Center, ranked No. 33 in the IGC 100 with $14.9 million in sales from locations in Chesapeake, Hampton and Virginia Beach, VA, utilizes its Activant Solutions Eagle POS system to meet data security measures. Integrated into the Eagle system, high-speed credit card authorization is provided by a third party, ProtoBase.

A secure virtual private network connection between the Activant system and the ProtoBase server ensures that the customer’s credit card information is safe as it travels over the Internet. Each bankcard purchase prompts the salesperson to authorize the credit card transaction immediately, further reducing the chance for credit card theft or fraud.

ProtoBase masks all of the credit card numbers except the last four digits, both on the receipt and in the POS system. Two individuals at the garden center have advanced security within the Activant Eagle system to view the full credit card number, with proper identification and authorization when needed.

One of the IGC’s stores also utilizes “signature capture” at four of its eight registers. This eliminates the need to store paperwork while allowing the retailer to meet legal responsibilities and keep signed invoices electronically.

In addition, McDonald has changed all of the preset passwords provided by Activant for its POS system as recommended by PCI SSC.

Garden Corner’s Safeguards
John Karsseboom, Owner of The Garden Corner, is another IGC retailer who takes credit card security seriously. The Tualatin, OR-based operation uses an SBI Nursery Software POS system, which encrypts bankcard numbers via a third party, GO PCCharge.

Transactions are started in the POS system immediately when any type of purchase takes place. Because the computer system stores no credit card information, customer returns can be more challenging. However, Karsseboom finds this to be a minor inconvenience in comparison with the security that comes from it. The Garden Corner can pull up a transaction from the POS for a return and reveal the last four digits of the bankcard, at which time the customer must present the card for reimbursement.

While IGCs continue to face challenges in securing information for special situations, such as COD orders and landscape jobs, the focus on maintaining the security of customers’ personal data needs to be top priority. Although many POS systems provide security safeguards, IGCs must also make sure their business practices are in line with the 12 basic requirements set forth by the PCI SSC. CISP Compliance is the standard we can’t afford to put off.
