By Jim Beuoy, Director of Quality Assurance and Corporate Compliance, and Dan Werner, National Sales Director, Ameridial
Is the industry worried about credit card “PCI” standards? Is a teleservices company a “service agency” for purposes of the PCI rules?
The answer is “Yes, they should be.” And “Yes, they are.”
Payment Card Industry (PCI) Data Security Requirements (articulated in the Consumer Information Security Program) apply to all members, merchants, and service providers that store, process or transmit cardholder data. Any call center that takes credit card information on an inbound sales program or other program is required by law (the FTC) to comply with these standards.
Requirements include:
Build and Maintain a Secure Network
Protect Cardholder Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy
These stipulations went into effect in June 2005. Unfortunately, they seem to have caught a lot of companies by surprise. In a recent survey at a major marketing association conference, no companies were in compliance with the new standards! At the very least, those entities that lose data due to a breach are liable for the cost of issuing replacement credit cards. That fee is currently around $60 per card; however, these costs will pale in comparison to other possible actions. Failure to comply with the PCI security standard can result in substantial fines and permanent expulsion from card acceptance programs.
www.usa.visa.com and the corresponding Master Card web site spell these requirements out pretty clearly. On the positive side, most service bureaus and in-house operations are probably 85-90% in compliance. Most companies have privacy policies, controlled access to their physical facilities, centralized data storage, and additional safeguards when accessing the data center. Virtually all companies have reasonably effective firewalls in place and virtually all only allow agents to access essential data elements. Where we seem to come up short (as an industry) is in 1) encryption and 2) intrusion detection software.
Encryption software is cheap. A simple Internet search will yield scores of commercially available options. If you’re still emailing data, you’re probably putting yourself at risk. It’s much safer to post data and recordings to an FTP site that is protected by a user ID and password. In fact, all data needs to be protected by “not commonly known” passwords and IDs that are changed with some reasonable frequency.
Likewise, there are a host of options for intrusion detection software! Approaches to monitoring access to data, as well as to tracking the “footprints” of which data elements were touched, vary from product to product, so your IT department should review those options to determine the best course of action for your budget.
In addition to the PCI standards, the FTC has filed against seven companies for insufficient data security protections. Arguably, the most publicized enforcement action (regarding data security) by the Federal Trade Commission (FTC) was against Dallas Shoe Warehouse (DSW). The charges can serve as a framework to guide you in shoring up your data security initiatives. In this case, the FTC charged that DSW:
created unnecessary risks to sensitive information by storing it in multiple files when it no longer had a business need to keep the information;
failed to use readily available security measures to limit access to its computer networks through wireless access points on the networks;
stored the information in unencrypted files that could be easily accessed using a commonly known user ID and password;
failed to limit sufficiently the ability of computers on one in-store network to connect to computers on other in-store and corporate networks; and
failed to employ sufficient measures to detect unauthorized access.
DSW has estimated that compliance with the Consent Decree with the FTC will cost between $6.5 million and $9.5 million.
If you don’t currently have these standards in place, you need to quickly take corrective action on each of the following line items:
Complete inventory of what information is held and where it’s held
Written policy on how employees use data
Written policy on how we share data (with clients, subcontractors, etc.)
Written policy on how we protect data
Password protections (not commonly known, changed with some reasonable frequency)
Encrypted credit card and social security numbers
What agents see (only the last 4 digits of client-provided credit card numbers)
Log of data purges
Unauthorized access detection safeguards
Monitored access
Independent audit
Plans for notifying consumers whose data has been compromised
Plans for notifying government when personally identifiable information has been compromised
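Two of the line items above, showing agents only the last four digits and keeping full card numbers out of stored files, come down to masking the number everywhere it is displayed or written. The following is an added illustration (not code from the article or from Ameridial): it masks a card number for an agent screen and scrubs any card number that an agent has typed into free-text notes, using the Luhn check digit to avoid mangling ordinary numbers. The regular expression and sample text are constructed for this example.

```python
import re

# Candidate card-number runs: 13 to 19 digits, optionally separated by spaces or dashes.
# Constructed for this example; tune the digit range to the card brands you accept.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test. Rules out most random digit runs (order numbers,
    phone numbers) so the redactor only touches plausible card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """What an agent screen should show: only the last four digits, as the checklist says."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a card number")
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid card number in free text (agent notes, call
    transcripts) with its masked form before the text is stored or emailed."""
    def _sub(match: "re.Match[str]") -> str:
        digits = re.sub(r"\D", "", match.group(0))
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)
    return PAN_CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    # Constructed sample: a Visa test number and an unrelated reference number.
    note = "Customer paid with 4111 1111 1111 1111 today, ref 1234567890123"
    print(redact_pans(note))
```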
As of the date of writing this article, no fewer than 30 states have enacted (new) privacy legislation! States define personal data differently. In some states it can be as little as name and address. Odd, since that’s frequently public record information. States also differ on HOW and WHEN you must notify consumers of a data breach. Some require notice by mail within X days and some by phone within a couple of days. Like state DNC (Do-Not-Call) rules, there are a myriad of requirements.
Conclusion
Fines for privacy / data breaches are significant. If you store data, you need to make sure that you’re in compliance with these new regulations that may not have been on your radar. Become familiar with the requirements by researching the state statutes and visiting the FTC website and the web sites of Visa and Master Card. Fortunately, there are companies that can walk you through this process. Some charge as little as $149 a year to test your network for intrusion security four times a year and help you make sense of the PCI Self-Assessment Questionnaire. Your Compliance Officer / Team / IT group needs to quickly research the state data privacy statutes and develop plans to meet those respective requirements. Make this a front-burner issue for your company so that we don’t see your company on the front-page news!
For further information, please contact Dan Werner at 866-671-0778 or dwerner@oksameridial.com