Last week, one of our theatres asked us some innocuous questions. A lot of their business was coming in through Webtix, and it was recommended that they get “Cyber Security Insurance.” They wanted to know what we were using for “cyber insurance.”
Cyber insurance? For our business? We had never heard of it. We knew what it would probably refer to. But when we thought about it a little more, it did not make any sense.
The first question was, what was there to insure against? Remember, if you are going to be a successful criminal, you need to make money. Theatres do not make enough money to be of interest to any self-respecting criminal.
Can a criminal steal credit card numbers? In order to steal card numbers, they have to be stored somewhere, and in an unencrypted form. We don’t store credit card numbers. Period.
Can the card numbers be stolen while they are being entered? Again, it is not likely, because in Webtix everything is encrypted. In Webtix 6, card numbers are entered directly in the gateway’s web site – and never touch our server at all.
Can the card numbers be stolen while they are being entered from a phone sale or card swipe? Maybe – but it’s pretty difficult. If an organization ignores PCI security standards, there could be a problem. Malicious code can install itself and read input from the keyboard, card swipe, or memory, and send it back to the criminals. This is probably the biggest threat.
There are two solutions: EMV terminals and encrypted card swipes.
- EMV terminals ($400 – $700): You have seen these in stores where you insert your credit card.
- Encrypted card swipes: These encrypt everything from the keyboard to the processor’s gateway.
The problem with both solutions is that they cannot communicate with Wintix. Yes, you can do credit card transactions. But you would not know which customer, performance or sales record each transaction is used for. Solutions that can do this ought to exist. It’s just that we have not seen them yet. If you know of any solutions that are suitable for our theatres, please let us know.
And any insurance policy is guaranteed to have a “we do not cover” clause. If you do not conform to the PCI standards, insurance will not cover your losses. Once you read the fine print in the PCI standards, you will realize that it is just about impossible to meet all the requirements. That pretty much ensures that the insurance company will never have to pay any claim.
In conclusion, this kind of insurance does not make sense. We told the theatre that.