Special Report Payment and Collections
What other regulations and liabilities come into play with cardholder data?
If a hacker successfully gains access to cardholder data, there are a number of federal and state regulations that may come into play. California's SB 1386 likely will be triggered by such a compromise, requiring disclosure of the compromise to any affected California resident. At least 17 other states recently have passed similar disclosure laws.
Federal and state "unfair and deceptive trade practice" laws also may come into play. The Federal Trade Commission (FTC) has been especially aggressive at prosecuting cases where a hack demonstrates that companies have failed to live up to their stated privacy and security policies. More recently, the FTC has taken the position that failure to maintain reasonable security of a consumer's identity and financial data constitutes an "unfair trade practice." Since PCI is a pervasive, well-defined payments security standard, it is likely to be used as a litmus test for "reasonability" in such cases.
How can I keep up with PCI changes?
PCI constantly is evolving based on congressional pressure for action, fraud losses and increasingly sophisticated hacking techniques. Monitor Visa and MasterCard's Web sites (www.visa.com/cisp or https://sdp.mastercardintl.com/index.shtml) for changes, or seek assistance from an approved security company that specializes in payments security and PCI compliance.
Chris Noell is vice president of business development at Solutionary, a managed security services firm based in Omaha, Neb. He can be reached at (402) 361-3000 or via e-mail at firstname.lastname@example.org.
Minimize Your Risk
How to combat payment fraud in card-not-present transactions
By Paul Garcia and Karen Markey
E-commerce and mail/phone order transactions represent the greatest exposure to disputes, chargebacks and fraud because neither the card nor the customer is physically present.
To reduce the potential for fraud, merchants need to know the risks and responsibilities of accepting card-not-present transactions, implement fraud-fighting tools such as address verification service (AVS) and card verification value (CVV), and, most importantly, adopt industry best practices.