NPA - National Pawnbrokers Association RECAP
2015
OFFICIAL VISIT FROM THE PRESIDENT OF NPA, LARRY, AND SECRETARY OF NPA, TIM, HIGHLIGHTS PAWNBROKERS' AND THEIR CUSTOMERS' DATA SECURITY.
What a joy to see the leadership of NPA stop by Bravo Pawn Systems to discuss with me customer data and ATF cloud data requirements. Customer privacy is a number one priority today for all businesses. I have been blogging for the last 4 years about data security and the fiduciary responsibility pawnbrokers assume when conducting a loan transaction. Negligence in not using best business practices to protect customers' data today could cost you your pawn business.
After the United States Government Human Resource center lost 22 million U.S. Government employee records last month, the head of the department, Ms. Archuleta, stepped down this week. By the way, the data was not in the cloud; it was on premise. Nearly all data breaches today are on premise. Nearly all data catastrophes and breaches are onsite and are employee-related physical breaches. These onsite servers and internal networks, designed from the 70s through the 90s, were designed before the Internet.
Bottom line: the business owner is becoming more financially liable each day as data simply becomes more valuable and worth stealing. Pawnbrokers, who acquire personal information from customers, are responsible for protecting that customer information. You have a legal responsibility. You have a fiduciary responsibility. Read more: the Gramm-Leach-Bliley Act.
All businesses today are responsible for their customers' data. Those of you who don't use computer systems to transact, the all-paper pawnbrokers, have the most risk. The common method to protect your customers' identities is to shred every piece of paper after the various required holding periods. Best practice also suggests shredding all trash.
You are required to keep any customer information in a protected environment. All ATF records must be stored in a safe, protected environment for the life of your business. The ATF licensee has a fiduciary and legal responsibility to protect the government records. Make sure you keep up with the latest ATF requirements on how and where to store these records.
Those of you who use in-store servers running the most commonly used pawn software available today: those systems are not encrypted and not protected. Pawnbrokers who use server-based systems have a fiduciary and legal responsibility to protect their customers' data. This old legacy infrastructure was not designed for the Internet and today's cyber criminals. You are responsible and financially liable. Any pawnbroker who uses the Internet on any of their terminals is exposing customer data through the in-store network. Most of you who back up your data are not encrypting those backups. It is imperative to know the physical location where your data is stored, how it is encrypted, and whether it is located in the United States.
This also includes the protection of your physical computer server. Again, like paper with customer data, your server is required to be in a locked, secured, and environmentally protected environment. You are required to keep up with data center best practices to protect your customer data.
On a technical note: you are required to protect your servers from outside intrusion, meaning firewalls, data encryption, and software intrusion protection. These should be reviewed and maintained at least quarterly. A qualified systems analyst (SA) can put together a plan for you.
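One check that belongs in such a quarterly review is whether the backups you take are actually encrypted rather than plain exports of customer records. The script below is an added example, not code from this post or from Bravo Pawn Systems; it assumes backups are ordinary files on disk, uses only the Python standard library, and the customer records and the random "ciphertext" blob it inspects are constructed test data. It applies two heuristics: a byte-entropy measurement (real ciphertext scores close to 8 bits per byte, text far lower) and a scan for identifiers such as SSN-like, card-like and e-mail patterns that should never be readable in an encrypted backup.

```python
"""Heuristic audit: is a backup file really encrypted?

Added example, not code from the original post or from Bravo Pawn Systems.
Assumes backups are plain files on disk. All sample data is constructed.
"""
import math
import os
import re
from collections import Counter

# Patterns that must never be readable in an encrypted backup.
# Constructed for illustration: SSN-like, 16-digit card-like, e-mail-like.
PLAINTEXT_PATTERNS = {
    "ssn": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(rb"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "email": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Ciphertext or random data sits near 8.0;
    English text, CSV exports and XML typically sit between 4 and 5."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def audit_backup(data: bytes, entropy_threshold: float = 7.5) -> dict:
    """Return a verdict for one backup blob.

    'encrypted_like' is True only when entropy is high AND no plaintext
    identifiers were found; either signal alone is enough to flag the file
    for a human to look at."""
    findings = {name: len(pat.findall(data)) for name, pat in PLAINTEXT_PATTERNS.items()}
    entropy = shannon_entropy(data)
    return {
        "entropy": round(entropy, 2),
        "plaintext_hits": findings,
        "encrypted_like": entropy >= entropy_threshold and sum(findings.values()) == 0,
    }


def audit_directory(path: str) -> dict:
    """Audit every regular file in a backup folder; returns {filename: verdict}."""
    results = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                results[name] = audit_backup(fh.read())
    return results


# Constructed sample: what an unencrypted CSV export of pawn tickets could look
# like. The names and numbers are made up test values, not real people.
PLAINTEXT_BACKUP = (b"\n".join([
    b"ticket,name,ssn,card,email",
    b"1001,Jane Doe,123-45-6789,4111 1111 1111 1111,jane@example.com",
    b"1002,John Roe,987-65-4321,5500 0000 0000 0004,john@example.com",
]) + b"\n") * 20

# Constructed stand-in for ciphertext: random bytes have the statistical
# profile a properly encrypted backup shows (no structure, high entropy).
ENCRYPTED_BACKUP = os.urandom(4096)


if __name__ == "__main__":
    for label, blob in (("plaintext", PLAINTEXT_BACKUP), ("encrypted", ENCRYPTED_BACKUP)):
        verdict = audit_backup(blob)
        print(f"{label}: entropy={verdict['entropy']} "
              f"hits={verdict['plaintext_hits']} encrypted_like={verdict['encrypted_like']}")
```

Run `audit_directory("/path/to/backups")` against the folder your backup job writes to; any file that is not `encrypted_like` is either stored in the clear or compressed-but-unencrypted, and either way should be fixed before the next review. Entropy alone is not proof of encryption (compressed archives also score high), which is why the pattern scan is kept as a second, independent signal.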
In the old days, 5 years ago, most businesses were solely focused on their systems meeting business requirements and running their business reliably. Today's focus must be the protection of your customer data.
Data Centers – What are they? Why should you consider one?
Data centers have been around for 40 years. Today's data facilities offer the space and expertise needed to accommodate today's businesses, which run on computers, and to keep them compliant. Data centers became useful and popular because businesses needed a place to put their computers in an environmentally controlled space: a warehouse with power, air-conditioning, and a dry fire-retardant system. Building these environments on premise became very specialized and required specialized personnel. Computer systems, networks, and Internet service continue to change so fast that the housing requirements for all of them became more and more important and hard to keep up with. A whole new industry evolved, and now most companies host and locate their servers in a NAP.
A NAP is security rated using an industry classification called Tier 1, Tier 2, Tier 3, and Tier 4. Tier 4 facilities are the most secure data centers in the world, and only 4 exist today. One of these four is located in Las Vegas: the SUPERNAP.
Sticking your server under a counter, on a back-room shelf, or in a closet is considered negligent today. Today's businesses are expected to protect their hardware using this best practice. I have also seen that, if you look at the fine print of your business insurance policies, this provision is being expanded.
Then the Internet came around and created a new paradigm: the Cloud.
Cloud – Computing and Data Storage.
What is it? Is cloud computing different from cloud storage? Where is the data? What is the public cloud? What is the private cloud? What is Napster? What is the server in your store? Could the computer server in your store be a cloud? What is data encryption? Do all computer systems encrypt data?
The Cloud.
Do you remember Napster? It was a music sharing service. If you signed up and put your music on your computer, others could get to it, and you could get to theirs. Millions of people signed up, and the perfect cloud storage network was formed. You requested a music download, and from somewhere on someone's computer, anywhere, a song would download to your computer. Along with the Internet, this spawned a revolution in interconnected computing and data storage. From this the public cloud was formed.
Public Cloud.
Most people believe this is "The Cloud". This is a collection of computers and storage devices that may be interconnected across many locations or may sit in just one. Essentially anyone can borrow computing power or storage from a data center or someone's computer, anywhere in the world. When using a public cloud you could be the only tenant of a facility, or you could be one of millions of tenants using the facility. Any type of business can use these shared services. One company's public cloud service often utilizes other public cloud services. These are commonly called shared services. The underlying connectivity of these services plays an important role as well.
Most U.S. public corporations do not use the public cloud.
Private Cloud.
Most public corporations use the private cloud. Private clouds are generally a specific physical data center location and may be connected to other specific data center locations. These data centers are generally located in a NAP, but many can be located at any type of location, even your home. Only specific users can utilize the computing resources and storage of a private cloud.
The private cloud is a highly controlled environment not open for public consumption. Thus, a private cloud sits behind a firewall. The private cloud is highly automated, with a focus on governance, security, and compliance.
At this year's NPA convention I heard that some pawnbrokers are using one single server in one of their stores for a number of their other store locations. This is technically a private cloud. By the way, the new ATF cloud regulations apply to those that are using this method.
Hybrid Cloud.
Combining public services with private clouds and the data center as a hybrid is the new definition of corporate computing. Not all companies that use some public and some private cloud services have a hybrid cloud. Rather, a hybrid cloud is an environment where the private and public services are used together to create value.
A cloud is hybrid:
· If a company uses a public development platform that sends data to a private cloud or a data-center-based application.
· When a company leverages a number of SaaS (Software as a Service) applications and moves data between private or data center resources.
· When a business process is designed as a service so that it can connect with environments as though they were a single environment.
In my 30 years of system development, including an expert understanding of what The Cloud is, I have found that an overwhelming number of "Cloud" definitions exist. My meeting with the NPA executives was only 15 minutes, but scratching the surface with these representatives was a good start, and we welcome this conversation because this topic is a number 1 priority.