Credit Card Security: Six Digits Could Cost You Big Time

A reported 20 federal lawsuits filed in the Pittsburgh region over the past month are indicative of a growing trend that could cost small retailers big time. Consumers are filing class-action suits against retailers and businesses for violating a new credit card security law. Retailers who electronically print receipts that include more than the last five digits of the cardholder's card number are in violation of the Fair and Accurate Credit Transactions Act (FACTA), which was signed into law in December 2003 (with a three-year grace period for merchants to comply).

According to the Pittsburgh Tribune-Review, the Pennsylvania lawsuits have been filed against companies that allegedly violated FACTA by failing to abbreviate credit card numbers. In addition to inviting lawsuits from angry consumers, these same businesses could be fined up to $1,000 per customer affected by a violation of the law.

While FACTA was enacted to help fight identity theft and credit card fraud, now, with the three-year grace period over, any business that fails to comply with the law could end up paying a big price.

For those who are unfamiliar with FACTA or whose knowledge of it is a little hazy, it is crucial to become compliant with the law before being handed a fine or, even worse, being named in a class-action lawsuit. Pittsburgh is not the only area where lawsuits are being filed. A search of media sources on the Web indicates that similar lawsuits are in other states, including California and New Jersey.

While most booksellers may feel confident that their POS systems take care of in-store credit card security, "Merchant Requirements for Securing Cardholder Information," an informational document issued by the major credit card companies, warns that any retailer that uses vendors, processors, software providers, payment gateways, or other service providers should "make sure these agents adhere to all rules and regulations governing cardholder information security. Any violation by your agent may result in unnecessary financial exposure and inconvenience to your business."

Additionally, booksellers should be mindful of credit card security requirements when processing transactions off-site -- at book fairs, corporate events, and other venues. Importantly, equipment used for off-site transactions may not be in compliance.

Without question, card companies have placed the responsibility for card security squarely on the shoulders of all merchants and, over the past few years, have demanded that merchants increase card security drastically. The onus is on the retailer and any mistake in handling card data, both in-store and off-site, can result in penalties.

Prompted by these recent developments, BTW has compiled information on some of the key aspects of credit card security under FACTA, the card companies' security requirements governing cardholder information, and the Payment Card Industry (PCI) Data Security Standard.

The key component of FACTA -- and the most widely known -- is that it gives every consumer the right to their credit report free of charge every year. But the law also requires merchants to leave all but the last five digits of a credit card number off store receipts, so that these slips of paper, which most people just throw away, don't make them vulnerable to identity theft.

Furthermore, in June of last year, a new provision was added to FACTA imposing tighter security on information in an employee's personal files. Businesses need to destroy private consumer data obtained from information providers (e.g., consumer reports, background checks). Electronic files should be erased or destroyed and other personal information be burned, pulverized or shredded, as reported by IT Business Edge.com.

FACTA also requires lenders and credit agencies to take action before a victim even knows a crime has occurred. With oversight by bank regulators, the credit agencies will draw up a set of guidelines to identify patterns common to identity theft, and develop methods to stop identity theft before it can cause major damage. (More information about FACTA is available from the Privacy Rights Clearinghouse.)

American Express, Diners Club, Discover Card, JCB, MasterCard International, and VISA International have sent retailers the informational document, "Merchant Requirements for Securing Cardholder Information," which provides a brief overview of the "most critical aspects" of their security requirements.

Storage of Cardholder Information

• Do not store the following under any circumstance: full contents of any track from the magnetic stripe on the back of the card or the card validation code -- the three-digit value printed on the signature panel of a MasterCard, Visa, DiscoverCard, JCB, or Diners Club card or the four-digit code printed on the front of an American Express card.

• Store only that portion of the customer's account information that is essential to your business, e.g. name, account number, or expiration date.

• Store all material containing this information (e.g. authorization logs, transaction reports, transaction receipts, car rental agreements, and carbons) in a secure area limited to authorized personnel.

Destruction of Cardholder Information

• Destroy or purge all media containing obsolete transaction data with cardholder information.

Use of Agents or Third Parties (Vendor, Processors, Software Providers, Payment Gateways, or Other Service Providers)

• Advise each merchant bank or processing contact (representing each of your card brands) of any agents that engage in, or propose to engage in, the processing or storage of transaction data on your behalf -- regardless of the manner or duration of such activities.

• Make sure these agents adhere to all rules and regulations governing cardholder information security. Any violation by your agent may result in unnecessary financial exposure and inconvenience to your business.

Reporting a Security Incident

• In the event that transaction data is accessed or retrieved by any unauthorized entity, notify the merchant bank or processing contact for each card brand immediately.

• This report will minimize risk to the payment system and will protect your customers in the most responsible manner. Systems and procedures are in place to immediately stop the unauthorized use of compromised data, but these are effective only when you do your part to promptly report a security incident.

As previously reported in Bookselling This Week, card companies operating in the U.S. have endorsed the PCI Data Security Standard "within their respective programs." In other words, one security standard fits all: If a retailer meets Visa's security standards, for instance, the retailer meets the security standards of all cards.

The PCI Data Security Standard consists of the following 12 requirements:

1. Install and maintain a firewall configuration to protect data. While for many home users, this might mean installing security software such as the packages offered by McAfee or Norton, for businesses it means having hardware to protect your network by keeping hackers out. If you do not have a firewall, one can be purchased at any computer store. If you use a router, there's a good chance the router already has a firewall built in.
    
2. Do not use vendor-supplied defaults for system passwords and other security parameters. Whether it's the default passwords in your POS software or in your firewall, booksellers need to change the passwords of any software or hardware that helps store or transmit credit card data. The bottom line here is, a retailer can't just implement applications out of the box. Most applications do not come with secure features turned on by default. Change the defaults.
    
3. Protect stored data. Once again, a bookseller must make sure that credit card data cannot be accessed by unauthorized staff. Retailers should limit the amount of data that is retained to data that is absolutely necessary for their business. If data (particularly account numbers) is stored unnecessarily, eliminate this data. What is needed should be stored in an encrypted format.
    
4. Encrypt transmission of cardholder data and sensitive information across public networks. A bookseller should make sure their POS system vendor is compliant with encryption standards. Cardholder data should not be transmitted over the Internet unencrypted.
    
5. Use and regularly update anti-virus software. There are many good anti-virus solutions available, and, whether you are a home user or a business with access to the Internet, there's no excuse for not having virus software. McAfee and Norton offer reputable anti-virus software, for example, or a bookseller can simply seek advice from their local computer store -- just don't go online without it.
    
6. Develop and maintain secure systems and applications. The bookseller is responsible for ensuring that they keep their system security patches up to date and securely develop any web applications.
    
7. Restrict access to data by business need-to-know. There must be strong access-control measures. A bookstore can have many employees and not everyone needs to have access to the POS software. Anyone with the authority to take a credit card or with access to the store transaction database must have a unique password and identifier so that all access to data can by traced to a specific user and so that an unauthorized user can't access credit card data stored on the system.
    
8. Assign a unique ID to each person with computer access. If unclear on how to create a unique ID for each staff member, booksellers can check with their respective POS vendor. And make sure that staff log out when they are not at the computer.
    
9. Restrict physical access to cardholder data. Once again, a bookseller must restrict access to data by "need-to-know." Receipts with full printed account numbers should be stored securely.
    
10. Track and monitor all access to network resources and cardholder data. Simply put, the storeowner or manager must be able to track users of the system through access to audit logs. For example, some operating systems, such as Windows XP, have the ability to log the activity of system users. Since each user will have a unique ID (see number 8), systems should be able to log user access based on those unique IDs.
     
11. Regularly test security systems and processes. One very basic way to test your security system is to attempt to "hack" it. Provide a bad log-in name or incorrect password and see if the system lets you in. For more advanced tests, Visa recommends that booksellers ask their security vendors (these are companies, e.g. Verisign, ISS, Security Metrics, that offer security assessment services, such as scanning. Visa has a list of qualified assessors on its website that are experienced in working with merchants to ensure compliance) to provide additional testing, such as system scans of Internet-facing systems (any systems that someone on the Internet can access directly, such as a web server). This can also include testing a process to escalate a suspected security breach through the chain of command. Any hard copy data should be protected through physical security controls and company policies regarding access controls (see requirements 7 and 12).
     
12. Maintain a policy that addresses information security. In other words, bookseSACllers must create a security policy (using the previous requirements as the guideline), educate staff on this policy, and make sure it is maintained.

For more information (and it is recommended that all booksellers become well read on card security), MasterCard's website provides merchants with a list of "security must-do's and can-do's for merchants" while VISA has information on its Cardholder Information Security Program (CISP). -- Dave Grogan