Merchants struggle to secure user data, deter identity theft

Merchants struggle to secure user data, deter identity theft

Standards and guidelines are in place, but compliance can be spotty

When it comes to credit card data security, some experts say slipshod handling of data at the merchant level is much more likely to land consumers in identity theft hell than any mistakes you might make. Need proof? See the headlines about data thefts by hackers.

Don't think, however, that the credit card industry is ignoring the problem or passively accepting defeat in the battle to protect the valuable data handed to merchants by their customers. There's too much money at stake. With that in mind, the industry imposes mandatory security standards -- known as the Payment Card Industry (PCI) Data Security Standards -- on merchants, processors, manufacturers of PIN entry devices and application developers. These constantly evolving rules cover all aspects of security from maintaining a secure network to securing cardholder data to regularly auditing your network. 

"Our standards are constantly evolving because we are trying to stay ahead of the hackers. This is their only job, and they are constantly rattling doorknobs, trying to access data," says Bob Russo, general manager at the PCI Security Standards Council, the group formed in 2006 by the major credit card brands to develop, maintain and evangelize these rules. "For merchants, it is easy to pull a paper out of your desk that says you are compliant, but they have to be constantly vigilant, as you can be out of compliance one day later. Ignorance is no excuse for lack of compliance."

The cost of noncompliance with any of these standards can be staggering: Merchants could be deemed liable for money lost in data breaches, and the credit card processing ncompany -- be it Visa, MasterCard or any other major firm -- could yank their affiliation, and with it, the right to accept credit cards.

Despite the consequences, compliance can be spotty, especially for small businesses with limited resources. Many merchants mistakenly believe they can find compliance nirvana through software and other outsourced solutions. Unfortunately, experts say no one product meets all 12 of the council's security-standard requirements, meaning merchants must employ multiple applications to ensure compliance.

Merchant standards
Companies that accept card payments and those that process them must meet a number of goals, including:

• building and maintaining a secure network.
• protecting cardholder data.
• setting cardholder data access policies.
• monitoring and testing networks and procedures.

For example, both the PCI standards and the federal Fair and Accurate Credit Transactions Act (FACTA), require merchants to truncate credit and debit card numbers on receipts. All these standards are subject to audit, with the frequency and level of the audit depending on how many transactions a merchant processes in a given year -- the more transactions, the more intense and frequent the audits.

Merchant 'levels'

• Level 1 merchants -- gigantic corporations such as Disney and Delta Airlines that process more than 6 million transactions in a year -- are subject to the highest scrutiny. Merchants who have suffered data breaches in the past also fall into Level 1. These merchants must undergo an annual on-site audit with a certified auditor and a quarterly network scan.
• Level 2 merchants are next in terms of scrutiny. They are those that process between 1 million and 6 million transactions a year. These merchants must complete an annual self-assessment questionnaire as well as a quarterly network scan.
• Level 3 merchants are those with 20,000 to 1 million transactions per year. They must complete the same annual self-assessment and quarterly data scan as Level 2 merchants.
• Level 4 merchants, which conduct between one and 20,000 transactions a year, are required to complete the annual self-assessment questionnaire.

"There are about 2,000 merchants in the first two categories, and they are generally between 90 to 95 percent compliant with all aspects of the PCI standards," says Suzanne Miller, senior partner of the Compliance and Audit Group at Turbo PCI, a consulting company. "The vast majority of merchants are level three and four, and compliance at that level is generally less than 50 percent. Every company that accepts payment cards is supposed to be compliant today."

The vast majority of security breaches originate at merchants that aren't compliant with the standards, says Russo. Many small merchants rely on vendors supplying cut-rate products and have no idea about the extent of the standards or whether the products and software they are subscribing to are compliant with industry standards, he adds. Potential security breaches fall into a number of categories, including data storage issues, employee access issues, vendor compliance and network security.

Data storage issues
Compliance problems frequently stem from data storage issues, as merchants are prohibited from storing the entire contents of the magnetic strip on the back of payment cards and must encrypt any stored and transmitted data to prevent hackers from stealing entire sequences of card numbers. Experts advise merchants to store as little data as possible once a transaction has been authorized.

"Merchants should not be holding consumer data, as it vastly increases the risk of a data breach," says Tom Harkins, chief strategy officer of Secure Identity Systems and a former vice president of risk and security at MasterCard. "The problem usually occurs when one department, such as marketing, holds data for analysis, and IT isn't aware of it. There are also problems at companies that have merged or been acquired, due to multiple systems operating at the same time."

The risk of breach rises exponentially the more data a merchant acquires from the consumer, Harkins adds. That's because storing Social Security numbers, driver's license numbers and other items not only increases the risk of a breach but increases the likelihood that consumers will be subject to full-scale identity theft rather than just credit card data theft. Any data that is stored and transmitted should be encrypted because data sent in the clear is extremely vulnerable to hackers.

Employee access issues
Many merchants lack compliance in terms of which employees have access to data, as the standards mandate need-to-know access, so that unauthorized employees shouldn't be able to access consumer's payment data, says Miller. "Access to this data is role-based, so an employee must work in a job where knowledge of consumer payment data is necessary to be able to view it," she says.

Vendor compliance
Merchants who outsource compliance or who use outside vendors to provide PIN entry devices and software payment applications are responsible for ensuring those products meet PCI Security Standards Council standards. In terms of outsourcing compliance, merchants must ensure that their consultants meet standards and aren't storing data or leaving any openings in their database after an audit that a hacker could exploit.

Network security
Information technology systems must make use of Web application firewalls and merchants must conduct application code reviews. Best practices standards dictate the regular use and update of anti-virus and anti-phishing software as well as a policy that mandates shredding of any sensitive data with a high quality shredder.

Updated: April 15,2023