Fresh Trends: January-February 2010

In July, tough new rules come into effect to help fight credit- and debit-card fraud and other forms of online crime

Credit cards and debit cards are great tools for retailers and consumers alike. For retailers, they guarantee immediate payment (no bounced cheques), reduce the amount of cash that needs to be handled and encourage consumers to spend a bit more. They also give bakeries a way of expanding their business to the online channel.

Bakers Journal has featured several businesses that are growing briskly by taking online orders. With the number of smart phones in Canada surging, it’s expected that retailers who aren’t leveraging payment cards and online ordering might get left in the dust. At the head of the class is Starbucks, which has just launched an iPhone application that allows customers to order and pay for coffee online prior to pickup.

Having less cash on hand makes you less likely to be targeted by thieves, but payment cards do pose a different kind of security risk – hackers. Starting in just a few months, you will be required by law to implement a host of procedures designed to safeguard your customers, your reputation and your business against online crime. With a little planning and access to some straightforward information, getting yourself ready is actually less daunting than it would appear to be.

In March 2007 it was announced that computer hackers had compromised at least 45.7 million credit and debit cards by infiltrating the network of TJX (the company that owns TJ Max and Marshall’s department stores in the United States). The hackers managed to get their hands on information dating as far back as 2003. It is also believed the thieves had access to the decryption tool for their encryption software, making PINs, credit card numbers, and any other unique identifiers easy to see.

Payment card information (PCI) compliance has been developed to avoid further breaches of this magnitude. It has implications for every retailer that takes any kind of card payment, and the date of reckoning is July 1, 2010. This is the date by which U.S. and Canadian acquirers must ensure their merchants and agents use only Payment Application Data Security Standard (PA-DSS) compliant payment applications.

The Payment Card Industry Data Security Standard (PCI-DSS) is a set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment. Any merchant that has a Merchant ID (MID) and takes any form of card payment will be required to comply with these standards.

Don’t make the mistake of thinking that smaller businesses are immune to being targeted – they’re often easy prey. Small merchants with less than 20,000 transactions per year represent two-thirds of all Visa transactions, and more than 99 per cent of all the merchants that accept Visa.

Many of these businesses don’t realize that their point-of-sale (POS) systems are storing the sensitive information loaded on the magnetic strip of consumer debit and credit cards. This information is a windfall for thieves, so naturally it’s of particular interest to them. Firewalls are often weak or non-existent, and hackers can have their way with the data for months before they’re detected.
Typically, card companies pick up on suspicious activity and then notify the acquiring bank, which functions as the middleman between the merchant and the card company. The merchant is often on the hook for the fraudulent transaction and possibly subject to additional fines for not being PCI compliant. These unexpected costs can add up to such a significant bill that some businesses can be snuffed out overnight.

All merchants fall into one of four levels, with varying degrees of obligation under the PCI standard. You will be considered a level one merchant if you process more than six million card transactions a year, have had a security breach in the past, or if for some other reason you are deemed to be at high risk for a breach. A level one merchant must submit to an external audit and quarterly scans of its data security systems.

Level two merchants process one million to six million payment card transactions per year, and must perform an annual PCO self-assessment questionnaire and quarterly network scans – or have them performed by an independently approved scan vendor.
Level three and four merchants process fewer than one million transactions per year and must follow the same protocol as level two merchants to be compliant. If your business suffers a breach of security and you have taken the steps to become compliant and followed the required documentation procedure, then you could save money in fines and salvage your reputation with your customers. Compliance isn’t hard to achieve – there are five easy steps.

Start by downloading a copy of the questionnaire so you can see exactly which security measures are expected of you. You can find copies of the questionnaire on MasterCard’s and Visa’s websites as well as www.pcicomplianceguide.org .

There are five versions of the questionnaire, depending on what type of credit card processor you use (online, phone or Internet connection). Secondly, retailers will need to get a free scan from approved scanning vendors. Scan results will include a list of vulnerabilities ranging from “none” to “urgent.” Vulnerabilities ranked at Severity 3 (High), 4 (Critical) and 5 (Urgent) will be reported on your free scan, and must be fixed. Make sure the scanning vendor you call is on the approved list to avoid allowing thieves into your system under the guise of compliance testing. Submit the proof of your passing scan to your acquiring bank.

The third step to compliance is to take steps to address any weaknesses. If the list of your store’s vulnerabilities from your free scan is too long, consider switching to an off-site, third-party credit card processor such as PayPal.

The fourth step may be to hire a qualified security assessor or QSA to help you address your list of vulnerabilities. QSAs are certified by the PSI Security Standards Council to help merchants become compliant.

Lastly, continue to be diligent. It’s a given that these thieves won’t just roll over and become altar boys overnight because card companies, banks and retailers decide to step up their game. As we get savvier – so will the bad guys. The best defence is a good offence, so know what information your system stores, and, if you don’t need it, get rid of it. If you do need it, guard it closely.

After all, it’s not just your profitability that’s at stake, it’s your reputation.