July 28th, 2005 by Jamie Estep
Credit Card Security Practices
In light of recent news about major credit card and personal information breaches, credit card security seems to be a suitable topic for today’s post.
Credit card and personal information security have become major topics with recent large security breaches. It is unfortunate that a large company like CardSystems was the victim of one of the largest security breaches in history. It seems like almost every other day I read about a new breach of security. These are almost never small businesses, but rather large, well-trusted Fortune 500 corporations. This makes me wonder, if these huge trusted corporations that spend millions of dollars a year making sure that their data is protected are loosing customer data the easily, then how bad can this problem be at the small business level?
Credit card truncation is a simple system, which helps to protect consumers from becoming a victim of fraud if they lose a credit card receipt. But, truncation laws allow merchants to keep full copies of credit card numbers and expiration dates. Furthermore, merchants who take information over the internet or over the phone, have full access to their customer’s credit card information. It is assumable that most merchant have the ability to, or do keep full copies of their customers credit card and personal information. There are over 40,000,000 businesses in North America. Through these businesses there were 19.8 billion credit card transactions in 2004. This is a staggering amount of data and information that needs to be protected.
This is where security comes into play.
CardSystems was a victim of a computer hacking attack, but had their data been properly secured, there would have never been a loss of customer information. CardSytems and its customers became a victim of their negligence in not securing the data that they stored.
For retail businesses there are Visa and MasterCard regulations, credit card truncation regulations, and individual processor regulations that govern how information must be kept. For internet businesses there are CISP, Visa and MasterCard, and processor regulations to follow. But, in a country with 24,000,000 businesses, who keeps track of and ensures that businesses are following all of these regulations.
The real answer is nobody.
It is essentially the merchant’s responsibility to make sure that the data that they keep is secured and protected properly. When signing up to accept credit cards, a merchant must agree to protect the information that they record. But, there are many businesses that do not adequately secure the information that they keep. Many businesses have virtually no idea how to secure the information that they keep. This falls true especially for newly established internet merchants. Merchants often don’t have the time or resources to even learn about how to ensure that the data they collect is secure. Retail merchants often keep their receipts in a filing cabinet or in folders. If there ever was a break-in and their business was robbed, a thief could accidentally come across all of the businesses transaction information. If a website was hacked, the hacker could accidentally come across all of the merchant’s customer information if stored improperly.
The problem is that there is no official guide on how to secure information, either for internet or retail businesses. Until there is a standard for securing data, the loss of customer information is going to continue. The government is very fast to prosecute any case involving credit card fraud, but nobody is trying to help merchants to prevent the loss of data in the first place. More and more regulations pile up without any extra help on how to fully comply with them. This is just another classic example of trying to fix the symptom of a problem, while ignoring the cause.
If you are a businesses owner and you are reading this, it might be a good time to look at your current data protection practices. Don’t let your business or your customers become a victim of negligence.