When you see our name, you might think CarriersEdge is strictly a company that provides driver-training tools and insights on HR best practices. In reality, we’re a technology company. We have to be in order to be secure for our fleet customers. We can’t have data breaches or be a weak link when it comes to IT security.
Several weeks ago, there was another large and public breach of private information involving Capital One. Nearly 100 million people in the United States and 6 million in Canada were affected. Earlier it was Target, LinkedIn and Equifax, to name just a few. CBC suggested that at this point we’ve all been hacked and our data is out there whether we like it or not.
Every time a data breach happens, people are shocked, wondering why it continues to happen. Yet those same people are often the ones perpetrating the behavior that makes this kind of breach not only possible, but easy.
All industries struggle with this, and transportation is no different.
Over the course of a week, more than five different organizations asked me to send credit card details through email. This is a massively insecure practice that's also a direct violation of the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS spells out everything an organization that accepts credit cards has to do to keep card data safe. If an organization is set up to receive payments by credit card, it's required to follow the standard, which is revised regularly as business and technology evolve. One part of the standard that's been consistent since the beginning is the basic rule that cardholder data is never sent in the clear over open, public networks, and that full card numbers are never sent by end-user messaging such as email, instant messaging or SMS at all.
In other words, every one of these organizations asking me to send credit card data by email is violating the terms of its card processing agreement. When this happens, I get on the phone and point out that they're not supposed to be asking for this information. I always seem to get the same answers from the front-line staff I'm dealing with: “This is how we’ve always done it”, “No one else has complained” or “What other options are there?”
That’s the crux of the problem. Those responses demonstrate a huge gap between what the organizations are supposed to be doing (and what they're probably attesting to their card processors that they do) and what's actually happening in their daily operations. That gap, and the giant lack of knowledge it represents, helps explain why it keeps happening.
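To show what the missing control looks like in practice, here is an added example of an outbound-mail check. It is example code written for this article, not CarriersEdge's own tooling. It scans a message body for runs of 13 to 19 digits (with or without the usual spaces and dashes), keeps only the ones that pass the Luhn checksum every major card brand uses, and reports them masked so the log itself doesn't become another copy of the card number. The sample message and the mail-gateway hook are constructed for the example.

```python
import re
from typing import List

# Candidate card numbers: 13 to 19 digits, optionally separated by single
# spaces or dashes, not glued to other digits on either side.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, shared by Visa, Mastercard, Amex, Discover and others.
    It filters out most order numbers and phone numbers that merely look long."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, a masked form PCI DSS permits."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return the masked form of every Luhn-valid card number found in text."""
    found = []
    for match in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits):
            found.append(mask_pan(digits))
    return found


def should_block(message_body: str) -> bool:
    """Gateway decision: hold the message if it carries any card number.
    A hypothetical mail gateway would call this before relaying externally."""
    return bool(find_pans(message_body))


# Constructed sample: one well-known test card number, plus a purchase-order
# number that has 16 digits but fails Luhn and so must not be flagged.
SAMPLE_MESSAGE = (
    "Hi, here is the card for the renewal: 4111 1111 1111 1111, exp 09/27.\n"
    "Our PO number is 2019-08-0000123456 and the invoice total is $1,250.00."
)

if __name__ == "__main__":
    for pan in find_pans(SAMPLE_MESSAGE):
        print("card number found:", pan)
    print("block message:", should_block(SAMPLE_MESSAGE))
```

The Luhn filter is what keeps this usable: roughly one in ten random digit strings of the right length passes it, so long reference numbers still cause the occasional false positive, but without it every invoice, PO and tracking number would trip the check and staff would learn to ignore it.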
A "Hack" That Isn't A Hack
I think that even calling them hacks gives the attackers too much credit. So far, data thieves haven’t had to work very hard to get into these networks and collect the data that's lying around. If you look at what actually happened in all of the public debacles, you'll see that it wasn't properly encrypted data that was compromised. It was bad data management, private info stored in plain text and terrible internal processes, with the attackers at most exploiting known, unpatched bugs in existing software to get in.
Sending sensitive info through unencrypted email is just as careless. A message travels through a variety of mail servers and relays en route from sender to receiver, and a copy then sits in the sender's Sent folder, the recipient's inbox and whatever backups each side keeps, usually in plain text. Since you can’t control those intermediary systems, you have to assume they’re not safe.
There are some organizations where the staff is so poorly trained that they don't know they shouldn't be asking for card info by email. The data handling processes are so bad that they don't have a better option readily available, and their internal controls are so weak that the presence of card data collected through email hasn't raised any red flags. That really makes me wonder what they're going to do with my card info once they get it.
I can call in and give the details directly to a company rep, but there's a good chance they’re writing it down on paper somewhere and leaving it lying around. Even if they enter it directly into their system, it may not be much better. If the data is stored unencrypted, it's no safer in their database. Having everything stored in a badly designed database might actually increase the risk. If it's all in one place - an unencrypted, easy to copy file - it's ripe for someone to steal and sell on the dark web.
As someone who runs an organization that stores credit card data and has to ensure it’s handled securely at all times, this drives me crazy. We've invested significant effort in designing our encryption processes, we go through regular third-party reviews, run monthly vulnerability scans, and train front-line staff on the rules and best practices of secure data management. So when I see other companies being so lax with their processes, it's infuriating.
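As an added example of the storage side of this (example code written for this article, not a description of CarriersEdge's actual systems), here is the difference between the record the paragraphs above complain about and a minimised one. Once the card number has been handed to a payment processor, the business usually only needs the last four digits, the expiry, the processor's reference for the card, and a way to recognise the same card again; the full number never needs to touch the database. The keyed token, the demo key, the processor reference and the test card number are all assumptions constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

# Demo key only (an assumption for this example). In a real deployment the key
# lives in a secrets manager or HSM, separate from the database, so that a
# copied table is worthless on its own.
DEMO_TOKEN_KEY = b"demo-only-key-replace-and-keep-out-of-the-database"


def _digits_only(pan: str) -> str:
    """Strip spaces/dashes and sanity-check the length of a card number."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a card number")
    return digits


def pan_token(pan: str, key: bytes = DEMO_TOKEN_KEY) -> str:
    """Keyed HMAC-SHA256 over the full PAN. An unkeyed hash would not do:
    the space of valid card numbers is small enough to brute-force offline."""
    return hmac.new(key, _digits_only(pan).encode("ascii"), hashlib.sha256).hexdigest()


def store_plaintext(pan: str, exp: str) -> Dict[str, str]:
    """What the article is complaining about: the full PAN lands in the table."""
    return {"pan": pan, "exp": exp}


def intake_card(pan: str, exp: str, processor_ref: str,
                key: bytes = DEMO_TOKEN_KEY) -> Dict[str, str]:
    """Record that may be written to the database after the PAN has been
    handed to the payment processor. processor_ref stands for whatever
    reference the processor returned (hypothetical); the PAN itself is dropped."""
    digits = _digits_only(pan)
    return {
        "display": "*" * (len(digits) - 4) + digits[-4:],  # for receipts and UI
        "last4": digits[-4:],
        "exp": exp,
        "token": pan_token(digits, key),   # lets us recognise the same card again
        "processor_ref": processor_ref,    # lets us charge it again
    }


def find_by_pan(records: List[Dict[str, str]], pan: str,
                key: bytes = DEMO_TOKEN_KEY) -> Optional[Dict[str, str]]:
    """Look a card up by its number even though no record contains the number."""
    wanted = pan_token(pan, key)
    for rec in records:
        if hmac.compare_digest(rec["token"], wanted):
            return rec
    return None


def leaks_pan(record: Dict[str, str], pan: str) -> bool:
    """Pre-write check: the full PAN must not appear anywhere in the record,
    with or without separators."""
    digits = _digits_only(pan)
    for value in record.values():
        if digits in "".join(ch for ch in str(value) if ch.isdigit()):
            return True
    return False


if __name__ == "__main__":
    card = "4111 1111 1111 1111"   # well-known test number, constructed input
    bad = store_plaintext(card, "09/27")
    good = intake_card(card, "09/27", "proc_ref_demo_001")
    print("plaintext record leaks PAN:", leaks_pan(bad, card))   # True
    print("minimised record leaks PAN:", leaks_pan(good, card))  # False
    print("lookup by PAN still works:", find_by_pan([good], "4111-1111-1111-1111") is good)
```

The point of the keyed token is that someone who copies the table, or the "easy to copy file" from the paragraph above, gets nothing they can sell: without the key the tokens can't be reversed, and without the processor's own systems the references can't be charged. That is also why the current PCI DSS requires any hash used to render a PAN unreadable to be a keyed hash of the whole number.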
Staying Positive – How to Protect Yourself
Now that I have you justifiably rattled, are there things you can do to protect yourself and your company?
Here are three simple things to remember, and it would be wise to share them with anyone in your organization who makes purchases on your company’s behalf:
- Never send any sensitive info through external email. Sending from one user to another within your company is less exposed, but the card number still ends up sitting in two mailboxes, so avoid that too, and never send it to an outside user, or vice versa. (Sensitive info includes credit card details and any other data that could be used for identity theft, like driver’s licence and SSN/SIN numbers.) If someone asks you to send card info through email, DON’T DO IT. Pay through a proper payment processing system, by direct deposit (ACH or EFT for corporate, email money transfer for personal), or call them and provide the card info over the phone (which, as noted above, may only be marginally better). Some card issuers let you create a virtual card number that's limited to a single merchant or purchase, and that’s a good option as well.
- Don’t save your credit card details on a site that isn’t trustworthy. Entering card info to make a purchase over a secure connection is normal, but saving the card to your account for later use is rarely a good idea, even though nearly every site offers it. If the vendor is in a space not known for internet security (e.g. hotels, brick-and-mortar retailers) it's particularly risky. Vendors in the cloud hosting business, like Amazon, Microsoft and similar companies whose core business depends on encrypting and securing data, are less likely to be sloppy with it, so they're generally safer. That's a small group, though, so be very careful with everyone else.
- Don’t enter any private info into a web form that isn't served over HTTPS. That’s a simple one: watch for the lock icon in the browser address bar and don't enter anything sensitive if you don't see it. Keep in mind what the lock does and doesn't tell you, though. It means the connection is encrypted and the certificate matches the site's name; it says nothing about how the vendor stores your data once it arrives, and anyone, including a phishing site, can get a valid certificate for a domain they control. (The separate green indicator that browsers used to show for extended-validation certificates has since been dropped by the major browsers, so don't rely on it.) And of course, if your browser warns you about the site, or says there's a problem with the certificate, definitely don't enter private info.
And of course, if you’re part of a company or organization with people who routinely request card data by email, here are three words to tell your staff: STOP DOING THAT! We’ll all be better off when security is top of mind and the PCI Data Security Standard is actually followed.