POINT OF SALER newsletter

October 2007
The Plastic Nightmare: Securing Your Sensitive Customer Data

– Don Capman, President, J.D. Associates

So, what’s all the commotion about with credit cards and PCI DSS compliance? As a matter of fact, what is PCI DSS compliance anyway, and what does it have to do with me, the retailer? PCI DSS stands for Payment Card Industry Data Security Standard, and if you don’t adhere to the standard, you could be subjected to fines that could very well put you out of business. Yes, no matter how large or small your business is, if you are not in compliance with these standards and your customers’ credit card information is compromised, you could be on the hook in a big way.

It's not just the “big guys” who are cooking up a boatload of trouble for themselves. When most of us think of credit card security breaches, we immediately think of companies like TJX, which experienced one of the worst and most notorious “hackings” in retail history, costing the company millions of dollars. But according to VISA USA, Inc., 80% of the instances of unauthorized access to personal credit card information have taken place at the smaller, often called “mom and pop,” merchants. It appears that the average consumer is increasingly using a credit card for smaller and smaller purchases at over 7 million locations in the United States. Additionally, in a survey of 600 businesses with fewer than 250 employees conducted by Visa and the National Federation of Independent Business, 52% of these businesses were storing sensitive credit card information on their computers, and many probably didn't even realize it. Not only do you risk astronomical fines if your stored sensitive data is compromised by a hacker, but you also risk very negative publicity and a loss of credibility with your customers. You may be able to survive the fines, but the loss of business could very well ruin your reputation and put you under.

What do you need to do in order to determine whether your business is protecting sensitive customer data? You first have to do an audit. What questions should you consider first when thinking about how your company handles sensitive customer data? According to a Quick Brief article by PricewaterhouseCoopers LLP published in March 2007, the following five questions are a good place to begin:

  1. Does your company have strategic compliance efforts underway?
  2. Is there support for and a commitment to data protection among senior management and/or business owners or the board of directors?
  3. Is your company clear on where it stands regarding its PCI compliance requirements, including its assigned merchant level, and its ability to comply with PCI requirements?
  4. Can the question “Is our data protected throughout the data lifecycle?” be answered with confidence and supported with evidence?
  5. Where is the credit card and other customer data processed and stored and is the company storing “track” credit card data?

Additionally, is the current version of your POS software storing unencrypted data? Many merchants feel that because the credit card information is not printed on the customer receipt, they are in compliance. Not necessarily true. The data could still be stored in the system. You could also be storing sensitive customer data in your customer loyalty program. It is imperative that you understand the lifecycle of customer data: how does it get into the system, where does it go within the system, and how could it get out?
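One way to start answering the "where is it stored?" question is a data discovery scan of the POS host. The Python below is an added example, not code from the newsletter or from J.D. Associates: it searches exported logs and files for Luhn-valid card numbers and for magnetic-stripe Track 1 / Track 2 data (the "track" data the fifth question asks about), reporting only masked numbers. The file names and log contents are constructed sample data built from industry test card numbers.

```python
import re

# Bare PAN (13-19 digits, optional spaces/dashes) and Track 1 / Track 2 formats.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}")

def luhn_ok(digits):
    # Luhn check filters out order numbers and other long digit runs.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(pan):
    # Keep only the first 6 and last 4 so the report is not itself card data.
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_text(source, text):
    # Returns (source, line_no, kind, masked_pan) for each hit in one file.
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        track_hits = [(kind, m.group(1)) for kind, rx in
                      (("track1", TRACK1_RE), ("track2", TRACK2_RE))
                      for m in rx.finditer(line)]
        if track_hits:  # track data already holds the PAN; report it once
            findings += [(source, line_no, k, mask(p)) for k, p in track_hits]
            continue
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append((source, line_no, "pan", mask(digits)))
    return findings

def scan_all(files):
    # files maps path -> text; in practice read POS logs, DB exports, backups.
    return [f for path, text in files.items() for f in scan_text(path, text)]

# Constructed sample data using industry test card numbers, not real cards.
SAMPLE_FILES = {
    "pos/transactions.log": "\n".join([
        "2007-10-03 09:14:02 sale 00012 total=42.17 auth=APPROVED",
        "2007-10-03 09:14:02 swipe ;4111111111111111=25121011234567890?",
        "2007-10-03 11:20:10 swipe %B4111111111111111^DOE/JOHN^2512101000000?",
        "2007-10-03 10:02:55 keyed 4111 1111 1111 1111 exp 12/25",
        "2007-10-03 10:03:01 order 1234567890123456 shipped",
    ]),
    "loyalty/members.csv": "id,name,card_on_file\n1001,J Doe,5500000000000004",
}
```

Running `scan_all(SAMPLE_FILES)` flags the two swipes, the hand-keyed card and the loyalty card on file, while the order number is dropped because it fails the Luhn check.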

Sound complicated? It is, and often very confusing, but you have a responsibility to protect your customers and your business.

If you would like to learn more about the specific PCI requirements, you can go online to https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf and download the 12 requirements that make up the current PCI DSS standard (version 1.1). I warn you that this is not bedtime reading.

About the Author

Don Capman is President and co-owner of J.D. Associates. He can be reached at don.capman@jdapos.com.

Contact information

Published by J.D. Associates,
a division of Mander, Inc.
80 Erdman Way, Suite 300
Leominster, MA 01453

Phone: (800) 564-4488
Fax: (978) 840-2098
www.jdassociates.com

For questions about our products or services:
posinfo@jdapos.com
