Merchants struggle to secure user data, deter identity theft
Standards and guidelines are in place, but compliance can be spotty
By Amy Buttell Crane
When it comes to credit card data security, some experts say slipshod handling of data at the merchant level is much more likely to land consumers in identity theft hell than any mistakes you might make. Need proof? See the headlines about data thefts by hackers.
Don't think, however, that the credit card industry is ignoring the problem or passively accepting defeat in the battle to protect the valuable data handed to merchants by their customers. There's too much money at stake. With that in mind, the industry imposes mandatory security standards -- known as the Payment Card Industry (PCI) Data Security Standards -- on merchants, processors, manufacturers of PIN entry devices and application developers. These constantly evolving rules cover all aspects of security from maintaining a secure network to securing cardholder data to regularly auditing your network.
"Our standards are constantly evolving because we are trying to stay ahead of the hackers. This is their only job, and they are constantly rattling doorknobs, trying to access data," says Bob Russo, general manager at the PCI Security Standards Council, the group formed in 2006 by the major credit card brands to develop, maintain and evangelize these rules. "For merchants, it is easy to pull a paper out of your desk that says you are compliant, but they have to be constantly vigilant, as you can be out of compliance one day later. Ignorance is no excuse for lack of compliance."
The cost of noncompliance with any of these standards can be staggering: Merchants could be deemed liable for money lost in data breaches, and the credit card processing company -- be it Visa, MasterCard or any other major firm -- could yank their affiliation, and with it, the right to accept credit cards.
Despite the consequences, compliance can be spotty, especially for small businesses with limited resources. Many merchants mistakenly believe they can find compliance nirvana through software and other outsourced solutions. Unfortunately, experts say no one product meets all 12 of the council's security-standard requirements, meaning merchants must employ multiple applications to ensure compliance.
For example, both the PCI standards and the federal Fair and Accurate Credit Transactions Act (FACTA) require merchants to truncate credit and debit card numbers on receipts. All these standards are subject to audit, with the frequency and level of the audit depending on how many transactions a merchant processes in a given year -- the more transactions, the more intense and frequent the audits.
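The receipt-truncation requirement mentioned above is simple to implement but easy to get wrong at the edges (numbers keyed with spaces or dashes, a full number slipping through a logging or formatting path). The following Python is an added illustration written for this article, not code from the PCI Security Standards Council or any vendor named here. It assumes that keeping only the last four digits is the chosen masking depth, validates the input with the Luhn check so garbage is rejected rather than half-masked, and includes a small check that can be run over printed receipt text to confirm no full card number survived. The card numbers used are constructed test values, not real accounts.

```python
import re

# Assumption for this example: show only the last four digits on the receipt.
VISIBLE_TRAILING_DIGITS = 4


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test, used to reject input that is not a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(raw_pan: str, visible: int = VISIBLE_TRAILING_DIGITS) -> str:
    """Return the card number with all but the last `visible` digits replaced by '*'.

    Accepts numbers entered with spaces or dashes, rejects anything that is not
    a plausible card number, and never echoes the original back in an error.
    """
    digits = re.sub(r"[ -]", "", raw_pan)
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        raise ValueError("input is not a card number of plausible length")
    if not luhn_valid(digits):
        raise ValueError("input fails the Luhn check")
    return "*" * (len(digits) - visible) + digits[-visible:]


def receipt_line(raw_pan: str, amount_cents: int) -> str:
    """Build the card line of a receipt; the full number never reaches the output."""
    dollars, cents = divmod(amount_cents, 100)
    return f"CARD {mask_pan(raw_pan)}  TOTAL ${dollars}.{cents:02d}"


def receipt_is_truncated(line: str) -> bool:
    """Audit check: flag any run of 12+ digits, which would be an unmasked number.

    Spaces and dashes are stripped first so a number printed in groups of four
    is still caught.
    """
    flattened = line.replace(" ", "").replace("-", "")
    return re.search(r"\d{12,}", flattened) is None


if __name__ == "__main__":
    # Constructed test card numbers, not real accounts.
    print(receipt_line("4111 1111 1111 1111", 1234))
    print(receipt_is_truncated("CARD 4111 1111 1111 1111  TOTAL $12.34"))
```

The audit function is the piece worth keeping around: run it over a sample of printed receipts, log exports, or e-mailed confirmations, since a masked point-of-sale display is no guarantee that every other path that formats the card number was also fixed.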
"There are about 2,000 merchants in the first two categories, and they are generally between 90 to 95 percent compliant with all aspects of the PCI standards," says Suzanne Miller, senior partner of the Compliance and Audit Group at Turbo PCI, a consulting company. "The vast majority of merchants are level three and four, and compliance at that level is generally less than 50 percent. Every company that accepts payment cards is supposed to be compliant today."
The vast majority of security breaches originate at merchants that aren't compliant with the standards, says Russo. Many small merchants rely on vendors supplying cut-rate products and have no idea about the extent of the standards or whether the products and software they are subscribing to are compliant with industry standards, he adds. Potential security breaches fall into a number of categories, including data storage issues, employee access issues, vendor compliance and network security.
Data storage issues
"Merchants should not be holding consumer data, as it vastly increases the risk of a data breach," says Tom Harkins, chief strategy officer of Secure Identity Systems and a former vice president of risk and security at MasterCard. "The problem usually occurs when one department, such as marketing, holds data for analysis, and IT isn't aware of it. There are also problems at companies that have merged or been acquired, due to multiple systems operating at the same time."
The risk of breach rises exponentially the more data a merchant acquires from the consumer, Harkins adds. That's because storing Social Security numbers, driver's license numbers and other items not only increases the risk of a breach but increases the likelihood that consumers will be subject to full-scale identity theft rather than just credit card data theft. Any data that is stored and transmitted should be encrypted because data sent in the clear is extremely vulnerable to hackers.
Employee access issues
Updated: April 15, 2009