Canadian Forum

Is Your Membership Financial Information SAFE?

Follow these steps to ensure that your confidential information remains confidential. By Bruce Tompkins

Fitness Business Canada, September/October 2011

As you likely know, computer hacking is very prevalent these days. Companies like Sony, Citibank, Sega, T.J. Maxx, 7-Eleven, iTunes and even the U.S. Federal Reserve are among those that have recently had their financial systems hacked, and the information at risk included personal information and credit card numbers. So with these large corporations' sophisticated computer operations being compromised, how can you be absolutely sure that you're protecting your members' confidential financial information at your own club? Do you even know what you should be doing to protect this information? And what financial risks are you facing in the event that your members' credit card and bank account information is stolen?

PCI Security Standards Council

To help reduce the risk of exposure to financial data fraud, the major credit card companies in the U.S. have created an organization that provides data security guidelines. The Payment Card Industry (PCI) Security Standards Council was created in 2006 to develop, manage and educate businesses in Data Security Standards (DSS). These security standards cover use of computer software (both locally installed Windows and web-based systems) and provide business rules to help protect access to sensitive financial information. Although you may not have heard of these security standards, compliance is required of your business and enforced by a group called the Card Associations, whose members include American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International.

The security requirements

The PCI data security standards are a detailed set of rules to help businesses maintain secure networks, websites and software programs that store financial data. Large and small businesses alike are required to use software that is PCI DSS-compliant. They must also restrict staff member access to financial data (e.g., credit card numbers), have unique staff-member logins for each financial system, restrict credit card access to only those staff members who require access, regularly update anti-virus software, have a firewall and router, and keep hard-copy credit card information in a secure location.

Assess your software

If you currently use a Windows program or a web-based system (hosted by a third-party service provider or a financial institution) for membership billing, ask if their software complies with the PCI data security standards. If it doesn't and it isn't planning on implementing these standards soon, you may want to consider switching to another company. According to the PCI standards, software programs should have the following features: the ability to log in with a username and password; passwords that are at least seven characters long and include both letters and numbers; passwords that are changed every 90 days; financial data that is encrypted; and the requirement that users log in again when the system is idle for 15 minutes or longer. If your software doesn't have all of these security features (plus others), your program is not PCI DSS-compliant.
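The following is an added example, not code from the article or from the author's Fitness Club Manager product: it turns the access and password controls listed above (unique staff logins, card access limited to staff who need it, seven-character passwords with letters and numbers, 90-day rotation, re-login after 15 idle minutes) into checks a club could run against its own billing-system account records. The account records, usernames and roles are constructed sample data.

```python
"""Audit a club's billing-system accounts against the controls the article
lists (PCI DSS as summarised there). Added example, not the author's code;
the account records in run_sample() are constructed sample data."""
from datetime import datetime, timedelta

MIN_PASSWORD_LEN = 7          # passwords at least seven characters long
MAX_PASSWORD_AGE_DAYS = 90    # passwords changed every 90 days
MAX_IDLE_MINUTES = 15         # log in again after 15 minutes idle

def password_meets_policy(password: str) -> bool:
    """At least seven characters, containing both letters and numbers."""
    return (len(password) >= MIN_PASSWORD_LEN
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))

def session_requires_relogin(last_activity: datetime, now: datetime) -> bool:
    """True once the session has been idle for 15 minutes or longer."""
    return now - last_activity >= timedelta(minutes=MAX_IDLE_MINUTES)

def audit_accounts(accounts, now):
    """Return (username, finding) pairs for each control an account violates:
    shared logins, passwords older than 90 days, and card-number access
    granted to staff whose role does not require it."""
    findings, seen = [], set()
    for acct in accounts:
        user = acct["username"]
        if user in seen:      # each staff member needs a unique login
            findings.append((user, "shared login"))
        seen.add(user)
        if now - acct["password_changed"] > timedelta(days=MAX_PASSWORD_AGE_DAYS):
            findings.append((user, "password older than 90 days"))
        if acct["sees_card_numbers"] and acct["role"] != "billing":
            findings.append((user, "card access not required by role"))
    return findings

def run_sample():
    """Audit a constructed set of staff accounts as of a fixed date."""
    now = datetime(2011, 10, 1, 9, 0)
    accounts = [
        {"username": "alice", "role": "billing", "sees_card_numbers": True,
         "password_changed": now - timedelta(days=30)},
        {"username": "frontdesk", "role": "reception", "sees_card_numbers": True,
         "password_changed": now - timedelta(days=120)},
        {"username": "frontdesk", "role": "reception", "sees_card_numbers": False,
         "password_changed": now - timedelta(days=10)},
    ]
    return audit_accounts(accounts, now)
```

A shared "frontdesk" login is flagged once per duplicate, so a login used by several staff members shows up however many times it was reused.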


Determine your level of security

The PCI Security Standards Council provides a self-assessment questionnaire to help businesses determine their level of security. Most companies will likely require the assistance of a computer professional to complete the questionnaire. You may also be required to provide the questionnaire to your bank in the case of credit card fraud.

What if your system is hacked?

If you suspect that your members' credit card data has been stolen or compromised, you should first limit the exposure of cardholder data (by disconnecting your PCs from the Internet, for example). Then you must contact the credit card companies and the police. Your credit card companies may require you to produce proof of compliance with the PCI standards and may also hire (at your expense) a forensic investigator to review your business processes and ascertain how the data was stolen. If you are not compliant, you could be liable for lawsuits, insurance claims, payment card issuer fines and government fines.

What now?

Start by downloading the PCI Data Security Standards quick reference guide (www.PCIsecuritystandards.org) and its self-assessment questionnaire, which applies to most fitness clubs. Review the standards with your software vendor to determine if its product is or will soon be compliant. You should also discuss these security standards with your financial institution or service provider; it may ask you to file the questionnaire and provide a plan to remediate any areas that are required for compliance. (The PCI Security Standards Council maintains a list of qualified security assessors on its website.) With a little effort on your part now you can protect your business from a potential financial crisis.

Bruce Tompkins is president of Calgary-based Spirit of Computing Ltd. and has been involved in software development since 1980. He is the creator of Fitness Club Manager, a Windows-based club management solution for fitness clubs that complies with the PCI Data Security Standards. Contact him at 403-399-3871 or bruce.tompkins@spiritofcomputing.com. For more information on Fitness Club Manager, visit www.spiritofcomputing.com.

