Thereโs hidden danger, though, in being too cavalier about just how your staff handles card transactions. You can be hit with costly fines and penalties if you ignore increasingly tight regulations governing the protection of customer data โ especially if your violation leads to an actual release of customer information into criminal hands.
โMerchants who store, process or transmit credit card data need to understand they have a responsibility to protect that data,โ says Mark Burnette, a partner with LBMC Security & Risk Services, a Nashville-based consulting firm.
Costly Fines
So who makes the rules when it comes to protecting customer data? The big boss here is the Payment Card Industry (PCI) Security Standards Council, Wakefield, Mass. (pcisecuritystandards.org). This assemblage of credit card associations has been steadily tightening the reins on runaway data by releasing regulations in the form of official standards. The latest iteration, dubbed PCI Data Security Standard further strengthens the procedures that must be instituted by merchants by the end of 2014. (For details see the sidebar, โGet More Help.โ)
Fail to follow the PCI compliance rules and you may well be targeted for damages by your โacquirerโ โ the bank that provided you with your merchant account. Read your contract closely and youโll find that the bank has the power of the purse: โIf the acquirer finds that you have been consistently noncompliant, fines can be assessed,โ says Burnette. โAnd an actual breach of data can lead to even higher penalties.โ
The extent of monetary damages depends on the size of the merchant, the size of the breach and the number of cards involved. Penalties have ranged from $10,000 into the six figures and more.
Not to be underestimated, either, is the costly hit a publicized breach can have on a merchantโs reputation. Many consumers will be reluctant to shop at an establishment where a breach has occurred.
But perhaps the greatest motivation for toeing the line is the threat of losing the merchant account itself. โThe card association may take away your ability to accept credit cards at all,โ says Burnette. โThat can be extremely costly to any merchant.โ
Protect Yourself
While failure to follow mandated data protection guidelines is foolish, the good news in all this is that you can take positive steps to minimize risk.
Start by drawing up a statement of standard operating procedures (SOP) for everyone in your organization. โMake sure you have a clear, written policy about how to handle credit cards,โ says Burnette. โAnd make sure your employees have been educated on the policy. Bring up the topic regularly in your staff meetings.โ
Your SOP must address the critical need of keeping sensitive customer numbers under wraps. โWhere the merchant is most vulnerable is in the accidental mishandling of card information,โ says Burnette. โSuppose, for example, an employee takes an order over the phone, jots down the card number on a piece of paper, and then later drops the paper into the trash instead of a shredder. That violates the PCI and is bad business practice.โ
Another good rule is to keep the credit card in the hands of the customer as long as possible. โEmployees should quickly process the card and return it,โ says Burnette. โThis will keep the card from being accidentally grabbed (or from having its number written down) by someone else.โ
The right hardware can be as important as the right procedures. Have you been using the same POS equipment for many years? It may be time to replace it. โSome retailers still have legacy equipment that they donโt even realize is capturing cardholder information that can be compromised,โ says Paul Rianda, an attorney in Irvine, Calif. โIn contrast, if merchants use newer equipment, and use it correctly, there should be no way to lose cardholder information.โ
Computer systems face special challenges: โYou need to establish rules about passwords and about access to the computer system,โ says Burnette. โEach employee should have a unique security code which they are forbidden to share with other employees or even with managers. The passwords should allow access only to those sections of the database required to do an individualโs job.โ
You should use only hardware and software that has been approved by the PCI Security Standards Council (approved vendor lists are available at pcisecuritystandards.org). Make sure you are using a firewall, and that your wireless router is password protected and uses encryption. And change the default hardware passwords to complex ones.
Third Party
As the world of electronic commerce has become more complicated, regulations become more demanding. โThere are over 255 individual requirements for PCI compliance,โ says Burnette. โAll of them have to be met. There is no wiggle room.โ Little wonder that merchants are sidestepping the requisite procedures by farming everything out to a third party organization such as an ISO. โOffloading responsibility to a third party is a good solution,โ says Don Hartley, a consultant with Savannah, Georgia-based Tata Consultancy Services.
Donโt get trapped, though, by a false sense of security. You can outsource the operational duties for carrying out PCI compliance, but you cannot outsource your responsibility for protecting customer information. If something goes wrong, you will be assumed guilty.
To protect yourself from fines and penalties make sure your contract specifies the third partyโs responsibilities for setting up and maintaining computer systems that comply with PCI standards. You should also ask the third party to provide an annual โPCI report on Complianceโ signed off by a qualified security assessor (QSA). This should be done once a year. Both these steps will help protect you if the third party violates regulations.
Need to Know
Many of the protective steps suggested in this article derive from a broader maxim near and dear to the hearts of security people everywhere: Retain only the information you need. โFollow the rule that says โif you do not need customer information you should not keep it,โโ says Burnette.
Education is the first step to safety. Many smaller merchants are not aware of the duty to protect customer data, nor of the continually morphing rules. Ignorance of the law, as always, is no excuse. Taking the basic steps in this article will reduce your risk considerably. Says Burnette: โMake sure you have a written policy in place, train your employees properly, and make sure your computer system is PCI compliant.โ
Comments or thoughts on this article? Please e-mail [email protected].
Get More Help
Retailers who fail to protect their customersโ credit card data are playing with fire. โIf you make a mistake you may incur penalties of hundreds of thousands of dollarsโor even millions depending on how many cards were compromised,โ says Paul Rianda, an attorney in Irvine, Calif. He points to the experiences of two recent clients: A card association pulled $600,000 out of the account of one merchant who was hacked. A second merchant, a sports apparel retailer, was fined $13 million.
The adjacent article presents some common operational guidelines to protect yourself from loss. Additionally, seek the guidance of your attorney, your bank and your security advisor.
You can find more information about PCI (Payment Card Industry) compliance from the website of the PCI Security Standards Council, at pcisecuritystandards.org. Click on the โFor Merchantsโ button and read the helpful articles. Click on the โInformation Supplementsโ button to access the latest iteration of the PCI Data Security Standards, PCI DSS v3.0.