Special Report Payment and Collections
In a June Washington Post article titled "Ubiquitous Technology, Bad Practices Drive Up Data Theft," Jonathan Kim dubbed 2005 the year of the data breach. Indeed, a recent string of high-profile cases of compromised or stolen credit card data has given companies that process, store or collect credit card data a collective black eye.
The proliferation of credit cards since the 1970s has propelled the direct marketing industry forward. As the beneficiaries of card-not-present transactions, direct marketers need to be proactive when it comes to safeguarding this highly sensitive customer data.
This special report examines two major concerns direct marketers have when it comes to payment processing: the security of customer credit card data and managing payment fraud. In "The Digital Dozen," Solutionary's Chris Noell answers commonly asked questions about the Payment Card Industry Data Security Standard implemented this past June, and why direct marketers need to comply.
U.S. cardholders have a great deal of protection in card-not-present transactions, so merchants carry the majority of the risk. As online sales, in particular, continue to grow, it's projected that both the dollars lost to fraud and the cost of managing fraud will keep pace. Paul Garcia and Karen Markey of First National Merchant Solutions provide best practices to protect businesses from fraud in "Minimize Your Risk."
Direct marketers need to walk the extra mile to not only protect their own businesses from fraud, but to rebuild consumer trust.
—Lisa Yorgey Lester, Managing Editor
The Digital Dozen
What direct marketers need to know about PCI
By Chris Noell
The Merchant Risk Council estimates that 60 million credit cards were compromised in 2004 and that this number will double to 120 million by the end of 2005. To better protect credit card data, Visa and MasterCard have collaborated to create a common payments security standard, which has resulted in the Payment Card Industry Data Security Standard (PCI). Other U.S. card companies have since endorsed PCI within their security programs as well.
Here are answers to some of direct marketers' commonly asked questions about PCI, and why you should care about these new regulations.
How do I know if PCI applies to me?
PCI compliance is required of all organizations that store, process or transmit cardholder data, including merchants such as brick-and-mortar retailers, mail/telephone order direct marketers, and e-commerce retailers. PCI also applies to service providers—such as payment processors, data aggregators, collection agencies and hosters—that in the course of delivering a service to a merchant have access to cardholder data.
What is required for PCI compliance?
PCI compliance is based on 12 security requirements, often referred to as the "Digital Dozen." They are:
1. Install and maintain a firewall configuration to protect data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored data.
4. Encrypt transmission of cardholder data and sensitive information across public networks.
5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.
7. Restrict access to data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security.
On the surface, these requirements sound innocuous. However, these 12 requirements include more than 200 subrequirements.
Am I already PCI compliant? How difficult is it to comply with PCI?
Many organizations assume they're compliant because they've gone through a security assessment for Sarbanes-Oxley, HIPAA or to fulfill a contractual requirement. This is an erroneous assumption. Compared to other security standards and regulations, PCI is specific as to what is required for compliance and has some requirements unique to payments. For example, a general security assessment is unlikely to cover whether card validation codes (CVV2) are stored. However, CVV2 data storage is one of the most fundamental violations of PCI requirements and will generate significant liability.
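The CVV2 point above is concrete enough to show in code. The following is an added example, not code from the article or from Solutionary: a post-authorization sanitizer that drops the validation code before an order record is persisted, and a scanner that walks already-stored records looking for a retained validation code or a card number still held in the clear. The field names checked, the sample records, and the masking policy (keep only the last four digits) are assumptions of this example; the article states only that CVV2 must not be stored.

```python
import re
from copy import deepcopy

# Field names under which the card validation code tends to travel in an
# order record; constructed list for this example, not from the article.
CVV2_FIELD_NAMES = {"cvv", "cvv2", "cvc", "cvc2", "cid", "security_code"}
# A bare 13-16 digit string in the card number field is treated as an unmasked PAN.
PAN_DIGITS_RE = re.compile(r"^\d{13,16}$")


def sanitize_for_storage(order):
    """Return a copy of the order that is safe to persist after authorization.

    The validation code is removed outright (the article notes that storing
    CVV2 is a fundamental PCI violation). A full card number is replaced by a
    masked form keeping only the last four digits; that masking policy is an
    assumption of this example, not something the article specifies.
    """
    clean = deepcopy(order)
    for name in list(clean):
        if name.lower() in CVV2_FIELD_NAMES:
            del clean[name]
    pan = clean.get("card_number")
    if pan:
        digits = re.sub(r"\D", "", pan)
        if PAN_DIGITS_RE.match(digits):
            clean["card_number"] = "*" * (len(digits) - 4) + digits[-4:]
    return clean


def find_violations(records):
    """Scan stored records; return (order_id, field, reason) triples for any
    retained validation code or any card number still stored in the clear."""
    findings = []
    for rec in records:
        for name, value in rec.items():
            if name.lower() in CVV2_FIELD_NAMES and value not in (None, ""):
                findings.append((rec.get("order_id"), name, "cvv2_retained"))
            elif name == "card_number" and PAN_DIGITS_RE.match(re.sub(r"\D", "", str(value))):
                findings.append((rec.get("order_id"), name, "unmasked_pan"))
    return findings


# Constructed records standing in for rows in an orders table (A2 is the bad one).
SAMPLE_STORED_RECORDS = [
    {"order_id": "A1", "card_number": "************1111", "expiry": "06/07", "cvv2": ""},
    {"order_id": "A2", "card_number": "4111 1111 1111 1111", "expiry": "06/07", "cvv2": "123"},
    {"order_id": "A3", "card_number": "***********0005", "expiry": "09/08"},
]

if __name__ == "__main__":
    for finding in find_violations(SAMPLE_STORED_RECORDS):
        print("violation:", finding)
    print("after sanitizing:", find_violations([sanitize_for_storage(r) for r in SAMPLE_STORED_RECORDS]))
```

The scanner is the part worth scheduling: a general security assessment, as the article notes, is unlikely to ask whether validation codes are being kept, so a periodic sweep of the order store is a cheap way to catch a field that an integration silently started persisting.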
What are the penalties for non-compliance, and when do they apply?
Fines can be as much as $500,000 per incident, and violators potentially may be prohibited from participating in card association programs. To date, fines have been assessed after an organization has been hacked and a forensics investigation reveals that the organization was not PCI compliant at the time of the incident.
How can I comply? Do I have any proactive audit or verification requirements?
Organizations that process large amounts of data are required to engage an approved third-party security assessor to proactively validate compliance.
If you're a merchant and you process more than 6 million card transactions per year, you're required to hire a third-party assessor to perform an annual on-site security audit and perform quarterly security scans of systems visible from the Internet. If you process less than 6 million total transactions, but more than 20,000 e-commerce transactions per year, a third-party assessor must perform the quarterly security scans and you must complete a self-assessment based on a standard questionnaire.
If you are a service provider and store, process or transmit more than 1 million transactions per year, a third-party assessor must perform an on-site security assessment and quarterly security scans. If you fall below the 1 million threshold, you are still required to perform the quarterly security scans and complete a self-assessment.
Most importantly, don't lose sight of the objective. Many organizations focus on a successful PCI audit. The real focus should be on developing a security program that can meet PCI requirements 24 hours a day, 365 days a year. Passing an audit does nothing to reduce PCI liability. In particular, any misrepresentations on the audit can create issues if a security incident later exposes them. For example, CardSystems, a payment processor compromised earlier this year, had successfully passed a PCI audit and was on Visa's approved service provider list. However, a subsequent forensics investigation showed CardSystems was out of compliance at the time of the security incident. In response, Visa effectively put CardSystems out of business by revoking its ability to process Visa transactions.
What other regulations and liabilities come into play with cardholder data?
If a hacker successfully gains access to cardholder data, there are a number of federal and state regulations that may come into play. California's SB 1386 likely will be triggered by such a compromise, requiring disclosure of the compromise to any affected California resident. At least 17 other states recently have passed similar disclosure laws.
Federal and state "unfair and deceptive trade practice" laws also may come into play. The Federal Trade Commission (FTC) has been especially aggressive at prosecuting cases where a hack demonstrates that companies have failed to live up to their stated privacy and security policies. More recently, the FTC has taken the position that failure to maintain reasonable security of a consumer's identity and financial data constitutes an "unfair trade practice." Since PCI is a pervasive, well-defined payments security standard, it is likely to be used as a litmus test for 'reasonability' in such cases.
How can I keep up with PCI changes?
PCI is constantly evolving based on congressional pressure for action, fraud losses and increasingly sophisticated hacking techniques. Monitor Visa and MasterCard's Web sites (www.visa.com/cisp or https://sdp.mastercardintl.com/index.shtml) for changes, or seek assistance from an approved security company that specializes in payments security and PCI compliance.
Chris Noell is vice president of business development at Solutionary, a managed security services firm based in Omaha, Neb. He can be reached at (402) 361-3000 or via e-mail at email@example.com.
Minimize Your Risk
How to combat payment fraud in card-not-present transactions
By Paul Garcia and Karen Markey
E-commerce and mail/phone order transactions represent the greatest exposure to disputes, chargebacks and fraud because neither the card nor the customer is physically present.
To reduce the potential for fraud, merchants need to know the risk and responsibilities of accepting card-not-present transactions, implement fraud-fighting tools such as address verification service and card verification value, and, most importantly, adopt industry best practices.
The following are some of the universal practices in place.
- Authorize every sale on the order date. Authorizations are valid for a specific number of days: Visa, up to 7 days and MasterCard, up to 30 days. Merchandise must be shipped, and sales must be deposited within these timeframes, or the authorization will expire. If shipping dates exceed these timeframes, obtain a new authorization code before shipping any merchandise.
- Ask for and record card type, card number and expiration date. Visa card numbers begin with a "4" and have 13 or 16 digits. MasterCard card numbers begin with a "5" and have 16 digits. American Express cards begin with a "3" and have 15 digits. Discover cards begin with a "6" and have 16 digits.
- Ask for both a billing and shipping address. If the addresses are different, determine whether the difference seems reasonable.
- Ask for a phone number. This information allows you to contact customers to inform them of backorders, to request another form of payment if the authorization is declined, or to verify address information.
- Ask for an e-mail address. Sending an e-mail order confirmation is another way to verify information. If the e-mail address is invalid, you can choose not to process the order until the information is verified.
- Request that a customer service number appear on customers' credit card statements. Both Visa and MasterCard regulations permit mail- and telephone-order merchants to place their customer service numbers where the merchant city would normally appear. This may help customers recognize the charge when it appears on the statement, and reduce ticket requests and disputes. E-commerce merchants can place their URL addresses in this space.
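Two of the practices above (authorize on the order date and re-authorize if shipping slips past the window; record card type and number) reduce to rules a merchant system can enforce at order entry. The following is an added example, not code from the article or from First National Merchant Solutions. It identifies the brand from the leading digit and length exactly as the article states them, checks whether an authorization is still inside the stated validity window (Visa 7 days, MasterCard 30 days) for a given ship date, and adds a Luhn checksum test that the article does not mention, included here as a standard sanity check on a keyed-in number. The validity windows for American Express and Discover are not on the page, so the example treats them as unknown and asks for a fresh authorization; the sample card numbers are well-known industry test numbers, not real accounts.

```python
import re
from datetime import date

# Brand rules exactly as stated in the article: leading digit and allowed lengths.
BRAND_RULES = {
    "Visa": ("4", {13, 16}),
    "MasterCard": ("5", {16}),
    "American Express": ("3", {15}),
    "Discover": ("6", {16}),
}

# Authorization validity windows stated in the article, in days from the order
# date. Brands absent here have no window on the page; treat them as unknown.
AUTH_VALIDITY_DAYS = {"Visa": 7, "MasterCard": 30}


def identify_brand(card_number):
    """Return the brand name per the article's prefix/length rules, or None."""
    digits = re.sub(r"\D", "", card_number)
    for brand, (prefix, lengths) in BRAND_RULES.items():
        if digits.startswith(prefix) and len(digits) in lengths:
            return brand
    return None


def luhn_valid(card_number):
    """Luhn mod-10 checksum (standard check, not from the article): doubles every
    second digit from the right, subtracts 9 when that exceeds 9, sums, tests % 10."""
    digits = [int(d) for d in re.sub(r"\D", "", card_number)]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return len(digits) > 0 and total % 10 == 0


def needs_new_authorization(brand, order_date, ship_date):
    """True when the authorization obtained on order_date will have expired by
    ship_date, so a new authorization code must be obtained before shipping.
    Unknown windows default to True (safe side)."""
    window = AUTH_VALIDITY_DAYS.get(brand)
    if window is None:
        return True
    return (ship_date - order_date).days > window


def check_order(card_number, order_date, ship_date):
    """Combine the three checks into one decision record for an order."""
    brand = identify_brand(card_number)
    return {
        "brand": brand,
        "number_plausible": brand is not None and luhn_valid(card_number),
        "reauthorize_before_ship": needs_new_authorization(brand, order_date, ship_date),
    }


if __name__ == "__main__":
    # Constructed scenario: Visa order placed June 1, shipping June 9 (8 days later).
    print(check_order("4111 1111 1111 1111", date(2005, 6, 1), date(2005, 6, 9)))
```

The brand check is deliberately strict about length: a 14-digit number starting with 4 is rejected rather than guessed, because a mistyped number at order entry is cheaper to correct on the phone than to chase as a declined deposit later.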
The best way to manage your exposure to payment disputes, chargebacks and fraud is to remain vigilant, and follow accepted industry practices.
Fraud Warning Signs
Here are a number of indicators that a transaction might be fraudulent.
- The ship-to address is either a P.O. box or a mail receiving service. These may indicate lack of a permanent address.
- Above-average transaction orders or amounts.
- Toll-free telephone numbers given as day or evening phone numbers. Attempt to get a direct line.
- Multiple orders from a single customer in a short period of time.
- "Big ticket" orders. These items have maximum resale value and therefore maximum profit potential for fraudsters.
- Orders containing several of the same item. Criminals usually select the items with the most resale value.
- Orders from free Internet e-mail addresses. There is no billing relationship for free e-mail addresses, and often no verification that a legitimate cardholder has opened the account.
- Orders shipped to an international address. A significant number of fraudulent transactions are shipped to fictitious cardholders outside the United States. Fraud tools can't validate foreign addresses.
- Orders shipped to a single address, but placed on multiple cards. This may indicate stolen cards.
- Multiple transactions on one card over a very short period of time. This could be an attempt to "run" a card until the account is closed.
- Multiple transactions on one card or similar cards with a single billing address, but multiple shipping addresses. This could represent organized activity.
- Multiple cards used from a single IP address. More than one or two cards could indicate a fraud scheme.
Paul Garcia is vice president of risk management and Karen Markey is vice president of merchant research at First National Merchant Solutions, a payment processor based in Omaha, Neb. They can be reached at (800) 354-3988.