Avoiding The Hack: Credit Card Data Security Measures Of Merchants
There was news of yet another credit card being hacked. This time, instead of a large-scale breach, it was the President of PayPal who fell victim to a hacker’s shopping spree. Given all of the recent security breaches involving credit cards, I thought it might be helpful for our readers to have a primer on merchant responsibilities with regard to credit card data.
If you intend to maintain or transmit credit card information of your customers, consider limiting your liability by complying with the Payment Card Industry (PCI) Data Security Standard. These standards are created by the PCI Security Standards Council, which is comprised of representatives from American Express, Discover Financial Services, JCB Int’l, MasterCard Worldwide and Visa, Inc. PCI is the general standard that merchants rely upon with regard to the safekeeping of credit card information. The security standards are extensive and complex, which is often the reason why small businesses use a third party to process their credit card transactions. Even then, the merchant remains responsible for confirming that the third party is complying with the necessary security measures.
The PCI Standards set six goals which are then broken down into detailed security obligations: (1) Build and maintain a secure network and system; (2) Protect cardholder data; (3) Maintain a vulnerability management program; (4) Implement strong access control measures; (5) Regularly monitor and test systems; and (6) Maintain an information security policy. Examples of the compliance obligations include installing and maintaining a firewall and anti-virus software; creating a personnel policy addressing maintenance of and access to data; implementing software for encryption and tracking of data; regularly updating passwords and other security measures; and continually testing the system to locate weaknesses. As is evident in recent news stories, creating a secure system is not easily accomplished.
It is important that merchants understand what level of protection each piece of credit card information should be given. The sixteen-digit number on a credit card is called the Primary Account Number (PAN). The PAN, the expiration date and any data from the magnetic stripe or computer chip may only be stored if there is a good business reason to do so, and they must be subject to strict security measures, as detailed by PCI. The three- or four-digit security code, located on the front of American Express cards and on the back of all other credit cards, is called the CID, CAV2, CVC2 or CVV2, depending on the card company. This number should never be stored by a merchant.
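To make the storage rules above concrete, the following is an added example (not from the original post or from the PCI Security Standards Council) of how a merchant’s own code might sanitize a captured transaction before it is written to a database or log. The field names, the sample transaction and the sample log line are constructed for the example; the Luhn checksum test is an added plausibility check that the post does not mention, and masking the PAN to its first six and last four digits is a common practice assumed here rather than something the post states. Fields holding the security code or stripe/chip track data are dropped outright, since the post says they must never be stored, while fields the post says may be kept only with strong protection (such as the expiration date) are passed through and flagged so that the caller knows they still need encryption.

```python
"""Sanitize a card transaction before persistence or logging.

All field names, sample values and the log line below are constructed
for this example; the Luhn check and first-six/last-four masking are
assumptions, not rules stated in the accompanying post.
"""
import re
from typing import Dict, List, Tuple

# Security code and track data: the post says these must never be stored.
NEVER_STORE = {"cvv2", "cvc2", "cav2", "cid", "track1", "track2", "pin_block"}
# May be stored only with a business need and strong protection (e.g. encryption).
NEEDS_PROTECTION = {"expiry"}


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) checksum used by card numbers; reduces false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits; reject values that are not a plausible PAN."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def prepare_for_storage(txn: Dict[str, str]) -> Tuple[Dict[str, str], List[str], List[str]]:
    """Return (record safe to persist, fields dropped, fields that still need encryption)."""
    stored: Dict[str, str] = {}
    dropped: List[str] = []
    protect: List[str] = []
    for key, value in txn.items():
        k = key.lower()
        if k in NEVER_STORE:
            dropped.append(key)        # never written anywhere
            continue
        if k == "pan":
            stored["pan_masked"] = mask_pan(value)   # full PAN is not kept in this record
            continue
        if k in NEEDS_PROTECTION:
            protect.append(key)        # caller must encrypt these before persisting
        stored[key] = value
    return stored, dropped, protect


# 13-19 digits, optionally separated by spaces or dashes, not adjacent to other digits.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# "cvv=123", "CVC2: 4567" and similar key/value pairs in free text.
CODE_PATTERN = re.compile(r"\b(cvv2?|cvc2|cav2|cid)\s*[=:]\s*\d{3,4}", re.IGNORECASE)


def scrub_log_line(line: str) -> str:
    """Mask Luhn-valid card numbers and redact security codes in a log line."""
    def _mask(match: "re.Match[str]") -> str:
        digits = re.sub(r"\D", "", match.group(0))
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)
    line = PAN_PATTERN.sub(_mask, line)
    return CODE_PATTERN.sub(r"\1=[REDACTED]", line)


if __name__ == "__main__":
    # Constructed sample transaction; 4111 1111 1111 1111 is a widely used test number.
    sample = {"pan": "4111 1111 1111 1111", "expiry": "12/27",
              "cvv2": "123", "track2": "4111111111111111=27121011000012345678",
              "amount": "19.99"}
    print(prepare_for_storage(sample))
    print(scrub_log_line("order 1234 paid with card 4111 1111 1111 1111 cvv=123"))
```

The scrubber is deliberately conservative: a run of digits is masked only if it passes the Luhn test, so order numbers and timestamps are left intact, while anything that looks like a security code is redacted unconditionally because there is never a reason for it to appear in a log.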
PCI has made available a Quick Reference Guide to provide a primer on how to achieve PCI compliance. It can be found at: https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf

A full copy of the regulations, for greater detail on achieving compliance with PCI standards, can be viewed at: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
Merchants should also consider whether they are “Financial Institutions” under the Gramm-Leach-Bliley Act (“GLB Act”). The GLB Act requires that Financial Institutions establish certain safeguards and privacy policies for consumer information that is held by the Financial Institution. The term Financial Institution has a broad reach and includes any business that is significantly engaged in providing financial services or products. This could include professional tax preparers, ATM operators, appraisers, mortgage brokers and lenders, including banks, pay-day lenders and non-bank lenders. The goal of the GLB Act is to assist consumers in the protection of their personal information. It limits the disclosure by Financial Institutions of a consumer’s non-public personal information to unrelated third parties. Financial Institutions must advise their consumers about any such transfer of personal information and allow the customer the right to “opt out” of any such data-sharing arrangements. The GLB Act also limits the further dissemination of personal information by the recipient third party.
The FTC’s overview of how to comply with the Safeguards Rule of the GLB Act can be viewed at: http://www.business.ftc.gov/documents/bus54-financial-institutions-and-customer-information-complying-safeguards-rule