NEW YORK — Credit cards: What would today’s retailer do without them? If you’re like most merchants, you’ve found that the ubiquitous plastic card has become the default transaction tool for purchases large and small.
There’s hidden danger, though, in being too cavalier about just how your staff handles card transactions. The recent data breach at Target—affecting some 70 million to 110 million people—drives home the need for every retailer to be vigilant in protecting customer data.
You can be hit with costly fines and penalties if you ignore increasingly tight regulations governing the protection of credit card data—especially if your violation leads to an actual release of customer information into criminal hands.
“Merchants who store, process or transmit credit card data need to understand they have a responsibility to protect that data,” says Mark Burnette, a partner with LBMC Security & Risk Services, a Nashville-based consulting firm.
As the world of electronic commerce has become more complicated, regulations become more demanding. “There are over 255 individual requirements for PCI (Payment Card Industry) compliance,” says Burnette. “All of them have to be met. There is no wiggle room.” Little wonder that merchants are sidestepping the requisite procedures by farming everything out to a third-party organization such as an ISO. “Offloading responsibility to a third party is a good solution,” says Don Hartley, a consultant with Savannah, Ga.-based Tata Consultancy Services.
Don’t get trapped, though, by a false sense of security. You can outsource the operational duties for carrying out PCI compliance, but you cannot outsource your responsibility for protecting customer information. If something goes wrong, you will be assumed guilty.
To protect yourself from fines and penalties, make sure your contract specifies the third party’s responsibilities for setting up and maintaining computer systems that comply with PCI standards. You should also ask the third party to provide an annual “PCI report on Compliance” signed off by a qualified security assessor (QSA). This should be done once a year. Both these steps will help protect you if the third party violates regulations.
NEED TO KNOW
Many of the protective steps suggested in this article derive from a broader maxim near and dear to the hearts of security people everywhere: Retain only the information you need. “Follow the rule that says, ‘If you do not need customer information, you should not keep it,’” says Burnette.
Education is the first step to safety. Many smaller merchants are not aware of the duty to protect customer data, nor of the continually morphing rules. Ignorance of the law, as always, is no excuse. Taking the basic steps in this article will reduce your risk considerably. Says Burnette: “Make sure you have a written policy in place, train your employees properly, and make sure your computer system is PCI-compliant.”