Credit Card - Security

Card Associations

Over the last few years each of the card networks brought forth its own security initiative: Visa’s Cardholder Information Security Program (CISP), MasterCard’s Site Data Protection (SDP), American Express’ Data Security Operating Policies (DSOP) and Discover’s Information Security and Compliance (DISC) regulations. In December of 2004, the Card Associations came together to create a single security program and a single standard for Merchants to comply with: the Payment Card Industry Data Security Standard (PCI DSS).

PCI DSS focuses on six areas of operation:

  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

For most Merchants, certifying to the PCI DSS standards means completing a detailed self-assessment form and receiving quarterly network scans from an independent auditor. For bigger Merchants (6 million transactions annually or above), the regulations require a detailed onsite assessment. Even Merchants who process fewer than 20,000 transactions annually are required to comply with the regulations, even though they are not currently required to be validated by the Card Associations. Certification and compliance guidelines for smaller Merchants are dictated by their Merchant Bank.

Regardless of your size, failure to comply can lead to steep financial and operational penalties. The first time any of your data is compromised the Visa fine will be $50,000. For any subsequent breaches, the fine goes up exponentially. More importantly, Visa, MasterCard, Discover and the other networks can, and in fact have, taken away a Merchant's ability to accept credit cards.

To aid our customers' efforts to comply with PCI DSS, Shift4 has created a preferred relationship with SecurityMetrics. SecurityMetrics is a certified assessor for Visa, MasterCard, American Express and Discover Card and your best source for accurate, in-depth and up-to-the-minute information on security. We chose them for their outstanding customer support and for the preferred, industry-leading discount pricing they are offering our customers. You may contact SecurityMetrics directly at (801) 705-5665 or visit them online at www.securitymetrics.com. Be sure to reference your Shift4 account to receive the discounted pricing.

These regulations have been around long enough that any organization you choose to do business with should be able to provide you proof of its PCI DSS certification. A less stringent set of certification requirements, called PABP, has also been created and is detailed below. For more information regarding PCI DSS you can read Visa's PCI information.

Payment Application Best Practices (PABP)

Visa has developed "Payment Application Best Practices" to address security and the risks associated with the many different payment applications (point-of-sale or property management systems). The goal of the PABP is to help software vendors create secure payment applications. To be considered secure, these applications cannot retain full magnetic stripe data or CVV2 data and must support a Merchant's ability to comply with PCI DSS requirements.

The Card Associations do not currently require payment applications to certify compliance with the PABP standards. However, many processors, including First Data, are requiring that payment applications validate their compliance with these standards through an independent third-party auditor in order to continue to be able to send transactions directly to the processor. First Data required that the audit be completed by October 1, 2005 and is requiring third-party POS software vendors to certify all versions. In addition, any POS software vendor that connects remotely to Merchants to perform maintenance, enhancements or updates must also complete an onsite PCI DSS certification audit with a third-party security assessor approved by Visa.

Merchants are also pressuring their POS/PMS providers to comply with these regulations, as it can be essential to the Merchant's own ability to become PCI DSS certified. For more information regarding PABP visit Visa's website.

Take Control

You need to be your own criminal lurking around your business. Look for ways that a thief would be able to get access to sensitive information about your customers. When you are in other Merchants’ businesses look around their operation and see what they are doing wrong with cardholder information. If you can see it happening there, does it happen in your business?

Set an employee policy outlining access to sensitive customer information. Make your employees read and acknowledge it on a regular basis. Limit access to cardholder information and maintain a log of each employee’s access to the information. This is very hard to do and enforce without an automated system and database that gives each of your employees their own login and security rights, so that their access to sensitive credit card data can be limited.

Digital video cameras and network storage have made video surveillance simple and affordable. You should be recording your employees’ actions at the cash register and in areas where information is stored. You should have a written policy outlining this and have your employees read and acknowledge the policy.

Test your employees. Call your business from a phone number they won’t recognize and ask some simple questions to try to learn a bit about your business from the employee on the phone. Will they tell you what kind of equipment is being used? What bank is used? The phone number you call for support? These are all simple and common questions that a thief will use to start learning about your business in order to commit fraud.

Make sure that you are destroying all credit card information on a regular basis. Storing bags of receipts in your office is only inviting a thief to walk in and take the bag. Some businesses keep years’ worth of printed credit card receipts sitting in boxes in their backrooms where any employee could get to them, and it could be a very long time, if ever, before someone noticed they were missing.

If you are running a website, consider purchasing Web Liability Insurance and Web Outage Loss of Income Insurance. Just as you insure your physical business, insuring your website is just as important. Do not store cardholder information on your Web Server. Also do not e-mail cardholder information. Both of these are the easiest places for hackers to gain access, and therefore access to your customers’ information. Use an SSL certificate to provide Secure Sockets Layer encryption of customer information between your Web Server and your customer’s Web Browser.
Any of your computers that have access to the Internet should be hidden behind a Firewall to prevent unauthorized access by thieves looking for an easy target.

Have a policy/plan drawn up that identifies all the steps and measures necessary should you become aware that your security has been breached. Check with the state your business is in and find out what its requirements are for such a breach. Each state has different laws identifying the Merchant’s responsibility.

Summary of Laws & Regulations

There are a variety of different law enforcement agencies involved with the enforcement of laws focusing on credit cards and transactions. You need to check your local, state, and federal laws to find out which pertain to credit cards and Merchants. There isn’t a state in the U.S. that accepts ignorance of the law as a defense. A good collection of these laws can be found at the FTC's Credit Website. And while you’re looking, visit the Fair Credit Billing Act.

There are also a variety of laws that pertain to the safeguarding of customers’ sensitive (private) information: the California Database Protection Act, the Gramm-Leach-Bliley Act, the FTC Security Regulations applying to GLB, FTC Financial Institutions and Customer Data, and the U.S. Department of Treasury’s Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice. The U.S. Secret Service has been the primary law enforcement agency for credit card crimes. They handle all levels of criminal activity involving credit card crimes.

Reporting to Law Enforcement

One of the reasons thieves do what they do is because they believe they will get away with the act. This holds true for credit card fraud and theft as well. If you experience criminal behavior in your business you need to report it. If you think the next person will report it and you don’t need to, the thief could go on forever and never face the consequences of his/her actions.

Immediately after an incident, gather all of the information you have regarding it. Sit down and outline a summary of the actions and facts regarding the incident. This will help make sure that you don’t forget anything later on when you talk to Law Enforcement.

Contact an appropriate Law Enforcement Agency and let them know what happened and that you wish to file a report.
