opinion

Keeping Cardholder Data Safe, Secure

Keeping Cardholder Data Safe, Secure

Congratulations. It is 2021 and, so far, your business has survived the Great Culling of 2020, the global pandemic of COVID-19

Just as some people found ways to improve themselves while quarantined by learning to bake bread or brew beer, or taking up reading or yoga, some businesses thrived under quarantine protocols. Whether your business thrived or struggled to survive, it is safe to say that the phrase “adapt or die” truly showed its relevance in 2020 — especially for small businesses.

More credit card transactions mean more opportunities for them and more security obligations for you.

If your business is web-based, like Amazon or DoorDash, these may be bonanza times for you. If you run a brick-and-mortar business, then depending on the state you live in, you may have had to modify your business model, at least temporarily, in ways that had never before crossed your mind. Restaurants and auto-parts stores adopted curbside pickup, for instance, or became cash-free environments. Suddenly, you found yourself taking orders and billing information over the telephone.

Regardless, it is great that your business has found a way to make it in this year of the new normal, but survival means new responsibilities because, as you are likely aware, legitimate business owners are not the only ones adapting to this new world; cybercriminals love it. More credit card transactions mean more opportunities for them and more security obligations for you.

You may believe your primary obligation is getting your product to your customer, but in the grand scheme of things, protecting your customers' personal information and cardholder data is more important. While ensuring your customer receives what they paid for is important, hard goods can easily be replaced, whereas a security breach that reveals your customer’s personal information and cardholder data can result in such problems as identity theft, and there is a great chance that your failure to provide adequate protection will result in the permanent loss of that person as a customer in the future.

It is pretty easy to figure out what a customer’s personal information consists of; the obvious elements like name, address, telephone number and date of birth certainly fall under the category of personal information, but what else does cardholder data encompass?

Cardholder data, for the purpose of this article, is the Personal Identifiable Information (PII) that is kept on the magnetic strip found on the back of any credit, debit or ATM card. The cardholder data stored is typically the account number, cardholder name and expiration date, as well as the service code, also known as the CVV or CVV2, depending on the bank issuing the card.

Fortunately, for consumers and merchants alike, there is the Payment Card Industry Security Standards Council, hereafter referred to as the PCI SSC.

The PCI SSC was created in 2006 by American Express, Discover, JCB International, MasterCard and Visa, and its mission is to enhance credit card data security by developing standards, practices and services. Part of this was accomplished with the establishment of the PCI Data Security Standard (PCI DSS).

The PCI DSS lists 12 requirements for a merchant to become PCI-compliant. These requirements range from the basics such as using a proper firewall to protect unauthorized access to the servers that store and transmit your customer’s cardholder data, and not using default passwords provided by any third-party vendors you might use. Additionally, updating anti-virus software, testing your security systems and establishing a policy that addresses information security for employees and any relevant contractors is required.

Whether your business is face-to-face with your customers inserting their credit card into a terminal, or your business is entirely web-based and you never interact with the customer or their credit card information, if you accept any credit or debit card as a means of payment, you have an obligation to be PCI-compliant to some degree.

Failure to be PCI-compliant can be expensive as the penalties levied by the credit card company on the acquiring bank (credit card bank) can range from $5,000 to $100,000 per month, in addition to possible legal action, loss of revenue and the inevitable loss of consumers' trust.

Fortunately, becoming PCI-compliant does not have to be as difficult as it might seem on the surface. You will have to fill out a self-assessment questionnaire and the associated Attestation of Compliance annually, but the technical portion is easy and usually free as most merchant service providers have partnered with certified PCI vendors and assessors.

Jonathan Corona has 15 years of experience in the electronic payments industry. As MobiusPay’s EVP, Corona is primarily responsible for day-to-day operations as well as reviewing and advising merchants on a multitude of compliance standards set forth by the card associations. MobiusPay specializes in merchant accounts in the U.S., EU and Asia. Follow them @MobiusPay on Twitter, Facebook and IG.

Related:  

Copyright © 2024 Adnet Media. All Rights Reserved. XBIZ is a trademark of Adnet Media.
Reproduction in whole or in part in any form or medium without express written permission is prohibited.

More Articles

opinion

Best Practices for Payment Gateway Security

Securing digital payment transactions is critical for all businesses, but especially those in high-risk industries. Payment gateways are a core component of the digital payment ecosystem, and therefore must follow best practices to keep customer data safe.

Jonathan Corona ·
opinion

Ready for New Visa Acquirer Changes?

Next spring, Visa will roll out the U.S. version of its new Visa Acquirer Monitoring Program (VAMP), which goes into effect April 1, 2025. This follows Visa Europe, which rolled out VAMP back in June. VAMP charts a new path for acquirers to manage fraud and chargeback ratios.

Cathy Beardsley ·
opinion

How to Halt Hackers as Fraud Attacks Rise

For hackers, it’s often a game of trial and error. Bad actors will perform enumeration and account testing, repeating the same test on a system to look for vulnerabilities — and if you are not equipped with the proper tools, your merchant account could be the next target.

Cathy Beardsley ·
profile

VerifyMy Seeks to Provide Frictionless Online Safety, Compliance Solutions

Before founding VerifyMy, Ryan Shaw was simply looking for an age verification solution for his previous business. The ones he found, however, were too expensive, too difficult to integrate with, or failed to take into account the needs of either the businesses implementing them or the end users who would be required to interact with them.

Alejandro Freixes ·
opinion

How Adult Website Operators Can Cash in on the 'Interchange' Class Action

The Payment Card Interchange Fee Settlement resulted from a landmark antitrust lawsuit involving Visa, Mastercard and several major banks. The case centered around the interchange fees charged to merchants for processing credit and debit card transactions. These fees are set by card networks and are paid by merchants to the banks that issue the cards.

Jonathan Corona ·
opinion

It's Time to Rock the Vote and Make Your Voice Heard

When I worked to defeat California’s Proposition 60 in 2016, our opposition campaign was outspent nearly 10 to 1. Nevertheless, our community came together and garnered enough support and awareness to defeat that harmful, misguided piece of proposed legislation — by more than a million votes.

Siouxsie Q ·
opinion

Staying Compliant to Avoid the Takedown Shakedown

Dealing with complaints is an everyday part of doing business — and a crucial one, since not dealing with them properly can haunt your business in multiple ways. Card brand regulations require every merchant doing business online to have in place a complaint process for reporting content that may be illegal or that violates the card brand rules.

Cathy Beardsley ·
profile

WIA Profile: Patricia Ucros

Born in Bogota, Colombia, Ucros graduated from college with a degree in education. She spent three years teaching third grade, which she enjoyed a lot, before heeding her father’s advice and moving to South Florida.

Women In Adult ·
opinion

Creating Payment Redundancies to Maximize Payout Uptime

During the global CrowdStrike outage that took place toward the end of July, a flawed software update brought air travel and electronic commerce to a grinding halt worldwide. This dramatically underscores the importance of having a backup plan in place for critical infrastructure.

Jonathan Corona ·
opinion

The Need for Minimal Friction in Age Verification Technology

In the adult sector, robust age assurance, comprised of age verification and age estimation methods, is critical to ensuring legal compliance with ever-evolving regulations, safeguarding minors from inappropriate content and protecting the privacy of adults wishing to view adult content.

Gavin Worrall ·
Show More