Data Security? I Thought I Was in the Parking Business
By Grant Dawson and Carol Pferrer
Security in your parking operation is now much more than a camera or gate. Keeping your garages and lots secure has moved beyond the lock-and-key approach that once reduced theft and increased security; it is now an ever-changing, very technical challenge of “data security.”
Knowing what data security means and taking a proactive approach can save your parking organization from mistakes that could ultimately be very costly or result in preventable litigation, among other negative consequences.
What does data security in parking really mean?
Top 5 Answers
1. Thinking “outside the gate” and “outside the garage.”
In years past, a chief concern in parking was restricting physical access into gated facilities and revenue control equipment containing cash. While physical security is always an important consideration in protecting your customers, parking operations have now been tasked with taking security precautions not only with who is “getting into” your parking facility, but also with who is “getting into” your data.
2. Embracing technology.
Traditional parking access and revenue control systems (PARCS) are very hardware-driven. As you look at new technologies available today, also be sure to evaluate how quickly and efficiently you can find data, analyze them and turn them into information to make quick operational decisions. Ultimately, your goal is to streamline your operation, not add additional sub-systems, integrations or multiple sources of data.
3. Staying on top of compliance.
Many robberies today, throughout financial institutions and many other types of businesses including parking, are no longer a physical “hold up” by a robber with a gun. Messy data security practices can lead to unwanted access to customer data.
The Payment Card Industry Data Security Standard (PCI DSS) (at www.pcisecuritystandards.org) has been established to protect your customers’ sensitive payment card information from security breaches and data theft. Though compliance is an ongoing effort (not a one-time event), it may not be the headache you anticipate, and compliance provides multiple data security benefits to the parking operation.
4. Using all your options.
Take a close look at how your operation currently utilizes technology – and whether you are taking all the precautionary steps to ensure data security. Furthermore, do your research. Avoid investing in technologies that offer a lot of “bells and whistles” without providing real value.
Servers and PCs, for example, are areas that more and more parking operations are outsourcing to alleviate the headaches of credit card data security. Achieving PCI DSS compliance is extremely time-consuming and costly.
By allowing an organization that has reached PCI DSS Level 1 compliance to host your parking applications, you reduce your workload and the resources needed to achieve total protection of customer data.
5. Providing peace of mind – for you and your customers.
Efficient parking organizations are not easy to build. The success of your operation has not come easy. You can help ensure continued success by securing your customers’ payment card information. With every transaction, your customers are depending on your business to keep their payment data safe – repay their trust by complying with the PCI data security standards.
How to achieve data security?
Top 5 Answers
Once you decide to embrace technology, there’s often a misconception that technology opens your environment to more variables that can lead to security breaches – which in turn leads to loss of revenue and customer confidence.
The argument becomes something along the lines of: “If I allow my business to use credit cards electronically or if I implement an electronic system for my data, then I’m opening myself up to the challenges of preventing credit card theft or data breaches … and that’s not something I’m equipped to handle.”
While the theoretical risk might increase, the reality remains that most data breaches and electronic credit card theft result not from the advanced attacks and threats of the cyber underground elite, but more from the lack of policy and procedures around protecting your largest asset – your customers’ data.
Consider five simple items to protect your data and maintain customer confidence:
1. Develop policies concerning credit card and customer data that match your business with common sense.
For example, while it may be “quicker and more convenient” to record a copy of a customer’s credit card information in a file or a spreadsheet so you can bill or charge it in the future, ultimately your staff is creating a liability for you and your customer by storing this information. Technology can solve this problem with secure recurring credit card systems and hosted payment gateways, which afford you the same functionality with a fraction of the risk.
2. Utilize compliance-related tools to ensure that data are secure.
It’s easy for us to look at compliance as a hindrance to our business practices. The reality is that most compliance requirements were written to give you a litmus test for the security of your data. Items such as “internal penetration testing” and regular network scans can help you audit and gain visibility into the legitimacy of your technology provider and services. Often, on the first pass, even the strongest IT departments learn where their weakest points lie with compliance-enforced tests of their technology.
3. Don’t go at it alone.
Once you’ve established a baseline for compliance and have developed policies to address the mistakes that lead to breaches, you need to ramp up your environmental awareness and stay on top of technology. That’s not always easy when your main line of business is providing parking services.
Engage with vendors who don’t view security and compliance as afterthoughts, and you’ll reap the rewards of their experience and expertise so you can focus on what you do best.
Look for PCI DSS-compliant vendors. Ask questions about your vendor’s security policy, its plans for possible breaches and what it does to help protect your customers’ assets.
4. Document your business activity.
There’s a theory that security analysts hold that even the best security in the world could still result in a breach. To protect your business and your name, the best line of defense is to audit your processes and transactions regularly.
While your focus may not be technology, you know your business and when something seems “different.” By auditing and logging your process and changes to your business, you hold your business accountable and provide an audit trail should you ever need to trace a transaction.
Many technology vendors in the parking industry provide ways to customize reports that give you analytical data into the day-to-day workings of your business. Look for occurrences such as strange log-in times, multiple transactions that don’t match the books, and anything that just seems out of the ordinary. Your business intuition will often serve you well.
5. Establish lines of responsibility with your partners and service providers.
It’s important to clearly understand when data security is in your hands, and when it’s in the hands of your technology provider. Open up with clear dialogue and ask important questions such as, “Where is my customer’s data held? How do I create and assign users? How is the information transmitted? Is this piece of equipment something I manage or do you manage it?” Understanding the answers to those questions upfront can save you from a surprise later.
When adopting data security practices, think about what it really means to your parking organization. Taking a proactive, rather than reactive, approach will pay off tremendously long-term.
In addition, rely on your vendors and business partnerships to help share the burden of customer and data security. Today’s providers offer solutions and services that will make you sleep better at night knowing that you’ve implemented a solution that keeps you and your customers safe.
Grant Dawson, IT Network and Systems Analyst at T2 Systems, and Carol Pferrer, its Product Manager, can be reached through www.t2systems.com.
Article Abstract from March, 2012