Sunday, July 12, 2009

The high cost of unprotected data
Mishandling your customers’ payment card info can put you out of business

The Sacramento Business Journal ran a piece on protecting cardholder data, pointing out that most breaches occur at Tier 3 and Tier 4 merchants (small businesses). The stakes can be high, as fines "start" at $5,000 per month, even for a mom-and-pop restaurant. One solution is to make sure that your customers' credit and debit card data is never stored and is always encrypted. Accomplishing that is not a difficult task.

One way to do it is to upgrade your existing POS terminal to one that is encryption-enabled. Ideally, you'll want a terminal that encrypts the Track 2 data and has a built-in PCI PED 2.x-certified PIN Entry Device (PED).

Although upgrading can be expensive (encryption-enabled POS terminals "start" at $500 without a PED), the alternative, violating PCI, can cost ten times as much.

That is why HomeATM is pleased to be able to offer Tier 3 and 4 merchants our PCI 2.x certified SafeTPIN for hundreds of dollars less than what others charge for their "encryption-enabled" terminals. More information on our SafeTPIN can be found at the conclusion of this article. Here's the story from the Sacramento Business Journal:

Stakes are high for small businesses hit by credit card fraud because there’s little margin to swallow losses — or fines — as the credit card industry cracks down on a multibillion-dollar problem.

Consumers might pay a fee but aren’t held responsible for fraudulent purchases made on their credit cards. Yet merchants get stuck with the bill and more. They can lose their ability to process credit card payments, be audited and/or face significant fines from their banks.

“It can literally cause a business to go out of business,” said Bob Russo, general manager at Wakefield, Mass.-based Payment Card Industry Security Standards Council LLC, which maintains standards developed by the credit card industry to protect private consumer information.

Payment card fraud cost U.S. merchants an estimated $4 billion in online revenue in 2008, according to CyberSource Corp. in Mountain View. That’s up from $3 billion in 2006 and $1.9 billion in 2003.

The five major credit card companies — Visa, MasterCard, American Express, Discover and Japan Credit Bureau (JCB) — developed the security standard in 2004. Merchants are supposed to follow the rules to prevent account information from falling into the wrong hands.

The standard applies to any organization that holds, processes or passes on credit or debit cardholder information.

This can mean anything from a dry cleaner to a home-based business, doctor or lawyer’s office, a mall kiosk or mom-and-pop restaurant, said Jay Cline, president of Minnesota Privacy Consultants and author of a how-to book on small-business compliance with the standards sponsored by CalBizCentral, a division of CalChamber.

Mistakes can be costly

Enforcement, which is handled by the banks that manage merchant accounts, started with big business at the top of the food chain, but it’s now down to smaller merchants. More than 80 percent of payment card breaches occur at small businesses, according to Jennifer Fischer, director of payment system risk at Visa Inc.

Fines vary by merchant size and the scale of the problem, but typically start at $5,000 per month for small businesses and go as high as $25,000 per month for large merchants, she said. Fines run until the system is in compliance.

Yet many small businesses don’t even know the rules exist, or assume the companies they work with protect the data.

A small microbrewery and restaurant in Lodi was fined $27,000 after an investigation into a possible data breach in 2007 showed the company’s computer system had stored private consumer data for three years, including card numbers for more than 11,000 customers.

Industry standards require merchants to keep cardholder data storage to a minimum to avoid the risk that someone will hack into the system and misuse the information. Lodi Beer owner Roger Rehmke blames the problem on the third-party credit card processor that transmits information from merchants to banks. Visa and MasterCard fined the intermediary $27,000 for noncompliance, but it passed the fine on to Rehmke. “You’d be amazed what I went through,” he said. “We had no idea we were holding the data.”

This kind of disconnect has credit-card companies, the council that maintains the industry standard and business groups working to step up education efforts.

Knowledge is key

CalBizCentral, which helps members understand and comply with laws and standards, supports the notion that the industry stepped up to regulate itself with one standard instead of a medley of rules from different card companies, said CalChamber executive vice president Jan Bell.

“There’s been a lot of exposure about security breaches at big companies, but the reality is breaches at small companies are where a lot of this occurs,” she said.

The data standards are “pretty technical” and written from a big-company, information technology perspective, Bell said, so the chamber asked Cline to write a how-to book, called “Take Charge,” that simplifies the issues for small merchants.

Other resources are available. The council offers facts and other information at

“It is not that difficult for small businesses to comply, but they need to know they need to comply,” Russo said. “It’s an education issue.” Merchants are encouraged to contact the council for help, Russo said. “The nice thing about sending things to the council is that it is vetted by all five credit card companies,” Russo said.

Protecting payment card data

Problem: More than 80 percent of payment card data breaches occur at small businesses 

What to do:

• As soon as the transaction is paid, delete the data
• Use a professional to develop your Web site and make sure it is secure
• If you are using a third party to transfer the data, make sure it complies with industry standards too.
• If you must store customer information on a laptop computer, invest in encryption software

Source: Jay Cline, Minnesota Privacy Consultants
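The first item in that list assumes you know where card data is sitting, and the Lodi Beer case above shows that merchants often do not. The Python script below is an added example, not part of the Business Journal article or of any HomeATM product: it scans text such as a POS log export or a database dump for card numbers and raw Track 2 records, confirms candidates with the Luhn check so that invoice and reference numbers are not reported, and either reports the hits masked or redacts them. The log lines are constructed for the example; the format of a real POS log will differ.

```python
"""Scan text (POS log exports, database dumps, spreadsheets) for stored cardholder data.

Candidate 13-19 digit runs are confirmed with the Luhn check so that invoice and
reference numbers are not reported; Track 2 records are parsed so the expiry and
service code can be reported too; every hit is masked to the first six and last
four digits, which is the display form PCI DSS permits.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample data for this example (hypothetical, not from the article).
# Lines 1-4 are what a POS log looks like when the system keeps card data after
# settlement; line 5 carries only invoice/reference numbers.
SAMPLE_LINES = [
    "2009-07-12 18:42:01 sale tbl=4 amt=23.50 pan=4111111111111111 exp=1012 auth=OK",
    "2009-07-12 18:45:17 sale tbl=7 amt=41.00 pan=4111111111111112 exp=0911 auth=OK",  # fails Luhn
    "2009-07-12 18:51:33 sale tbl=2 amt=12.75 track2=;5555555555554444=11121011234567890?",
    "2009-07-12 19:02:08 sale tbl=9 amt=88.10 pan=378282246310005 exp=0312 auth=OK",
    "2009-07-12 19:10:45 invoice=1234567890123 ref=9876543210 auth=OK",  # not a card
]

# Track 2: ';' start sentinel, PAN, '=' separator, YYMM expiry, 3-digit service
# code, issuer discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# Any run of 13 to 19 digits that is not part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right, subtract 9 if > 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    line_no: int
    kind: str          # "track2" or "pan"
    masked_pan: str
    expiry: str = ""   # YYMM, Track 2 hits only
    service_code: str = ""


def scan_line(line_no: int, line: str) -> List[Finding]:
    """Return every Luhn-valid card number found on one line, Track 2 records first."""
    findings: List[Finding] = []
    covered = []  # spans already reported as Track 2, so the PAN pass skips them
    for m in TRACK2_RE.finditer(line):
        pan, exp, svc, _discretionary = m.groups()
        if luhn_ok(pan):
            findings.append(Finding(line_no, "track2", mask_pan(pan), exp, svc))
            covered.append((m.start(), m.end()))
    for m in PAN_RE.finditer(line):
        if any(start <= m.start() < end for start, end in covered):
            continue
        if luhn_ok(m.group()):
            findings.append(Finding(line_no, "pan", mask_pan(m.group())))
    return findings


def scan(lines) -> List[Finding]:
    out: List[Finding] = []
    for n, line in enumerate(lines, 1):
        out.extend(scan_line(n, line))
    return out


def redact(line: str) -> str:
    """Replace each Luhn-valid PAN with its masked form; a Track 2 record collapses to the masked PAN."""
    def _track2(m):
        pan = m.group(1)
        return mask_pan(pan) if luhn_ok(pan) else m.group(0)

    def _pan(m):
        return mask_pan(m.group()) if luhn_ok(m.group()) else m.group()

    return PAN_RE.sub(_pan, TRACK2_RE.sub(_track2, line))


if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        extra = f" exp={f.expiry} svc={f.service_code}" if f.kind == "track2" else ""
        print(f"line {f.line_no}: {f.kind} {f.masked_pan}{extra}")
    print("redacted:", redact(SAMPLE_LINES[2]))
```

A clean run over an export of every system that touches a sale (POS database, receipt printer spool, nightly batch files, e-mailed reports) is the cheapest way to find out whether you are in the Lodi Beer position before an auditor or an attacker does. The Luhn check removes most false positives, but it does not prove a hit is a live card, so review each one.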

Editor's Note: If you are an ISO, processor or gateway looking for an encryption-enabled hardware solution in order to comply with PCI, one option to consider is HomeATM's PCI 2.0 Certified Terminal. It encrypts the Track 2 data and the PIN so that the data is never in the clear. According to Mercator Advisory Group, encryption-enabled terminals "start at $500," whereas the SafeTPIN can be offered to Tier 3 and 4 merchants for hundreds of dollars less. Contact HomeATM for more information on how to offer the SafeTPIN to your merchant base or to acquire one for your business.
