GS Logo
The Green Sheet, Inc

Please Log in

A Thing
View Archives

View PDF of this issue

Care to Share?


Table of Contents

Lead Story

New moves for more mojo in '09

News

Industry Update

Online shoppers stay the course

Morgan Stanley sues Discover

TARP eases AmEx woes

Is TALF on target?

RBS staves off hackers

Shift4 podcast available

Features

Mt. Snow clear for summit

Getting smart about contactless

Industry Leader

Paul Martaus –
The go-to guy

Selling Prepaid

SellingPrepaid now in print

Prepaid in brief

Going boldly into m-commerce

Achieve wellness with rewards

A new outlook for the unbanked

Views

How to preserve self-regulation

Biff Matthews
CardWare International

A countertop tonic for recession blues

Bulent Ozayaz
VeriFone

Changes afoot, challenges ahead

George Sarantopoulos
The Access One Group

Education

Street SmartsSM:
Become an enterprising networker

Jason Felts
Advanced Merchant Services Inc.

The new age in customer retention

Christian Murray
Global eTelecom Inc.

Rising above recession: 10 tips

Curt Hensley
CSH Consulting

PCI, an aspect of PII

Ross Federgreen, Ken Musante and Theodore Svoronos

PCI: What to hope for in 2009

Tim Cranny
Panoptic Security Inc.

Weathering the coming payment storms

Jeff Fortney
Clearent LLC

Company Profile

Charge Card Systems LLC

New Products

Seek profitable harbor with POS

Harbortouch POS Systems
Company: United Bank Card Inc.

Securing data on the edge

Cipher Security Module
Company: Semtek Corp.

Inspiration

Beyond resolutions

Beyond resolutions

Departments

Forum

Resource Guide

Datebook

A Bigger Thing

The Green Sheet Online Edition

January 12, 2009  •  Issue 09:01:01

previous next

PCI, an aspect of PII

By Ross Federgreen, Ken Musante and Theodore Svoronos

The Payment Card Industry (PCI) Data Security Standard (DSS) falls under the broader topic of personally identifiable information (PII). The theft of PII is commonly known as identity theft.

Identity theft issues are broad and far reaching; they are consuming greater corporate resources, both nationally and internationally. The consequences of handling PII in a manner inconsistent with prevailing laws can be severe, regardless of whether the noncompliance was due to accident, incompetence, compromised internal staff or lack of knowledge regarding applicable regulations.

Fraud resulting from identity theft is now a $50 billion-per-year crime, and growing. According to the Federal Trade Commission, it is the most common complaint the agency receives from consumers.

In 2006, the Identity Theft Data Clearinghouse, a national database established to assist law enforcement investigations, received 674,354 complaints forwarded by the FTC, the Internet Crime and Complaint Center and other organizations; 246,035 of those (36 percent) pertained to identity theft.

Each year the number of agencies involved and laws enacted regarding PII at federal and state levels increases. Also, many laws in effect in international venues parallel or exceed rules in place in the United States. Rules and regulations governing PCI are implemented country by country.

PII can bite your customers

PII covers a growing list of data elements that can be tied to or represent a given individual. Illegal or negligent use of these elements can cause individuals to be harmed. PII includes:

PII is often used to open bank accounts as well as merchant accounts. In most instances, a combination of data elements is required for a compromise to occur.

Many of the items listed under the umbrella of PII are regulated both by civil and criminal laws; they carry penalties on federal and state levels. As of this writing, 48 states regulate the use, storage, transmission and disposal of various elements of PII - including credit card information. The federal government has adopted, or is considering, a number of rules and regulations regarding actions associated with PII. The most specific edict to date is the 2008 FTC consent decree released in the Life Is Good Inc. case.

The FTC charged that LIG "failed to provide reasonable and appropriate security for the sensitive consumer information stored on its network," even though the company stated on its Web site that such information "is kept in a secure file."

The consent decree is broad. In nine specific orders, it covers all aspects of LIG's data protection policies, procedures and ethics. One order requires the company to obtain an independent, third-party auditor to review and assess its security measures every other year for the next 20 years.

Already, at least 13 federal laws and regulations either directly or tangentially affect PII. Some examples are the:

And during the 110th U.S. Congress, Senate committees favorably reported out three data security bills that include information security and data breach notification requirements. Other data security bills were also introduced in the House of Representatives and the Senate.

It's bigger than PCI

The PCI DSS, the Payment Application DSS and the PCI PIN Entry Device Standard are designed to protect primary account numbers and their related sensitive data - in other words, credit and debit card numbers - from illegal or unauthorized use.

These industry best-practice-driven recommendations and mandates are closely tied to the current, pending and proposed directives of various federal and state entities. In fact, many distinct principals of these rules and regulations can be traced back to historical legislation in this field.

As in all situations, state and federal laws and regulations trump regulations and mandates of the PCI Security Standards Council. And in the absence of a comprehensive federal data breach notification law, many states have enacted laws mandating consumer notification regarding security breaches of personal data.

As of January 2008, 39 states had enacted data security laws requiring entities to notify persons affected by security breaches and, in some cases, to implement information security programs to protect the security, confidentiality and integrity of data. One example is the California Financial Privacy Information Act, which dictates that, in the event of a breach, the impacted company must publicly disclose said breach.

Additionally, six states (California, Connecticut, Illinois, Massachusetts, Minnesota, and Texas) have introduced bills designed to strengthen merchant security and hold companies liable for third-party companies' costs arising from data breaches.

As a result, public disclosures have heightened interest in the following:

What does it all mean for you, as ISOs and merchant level salespeople? Failure to ensure your merchants are PCI compliant will open you up to greater and greater liability from multiple sources, both civil and criminal.

Ross Federgreen is founder of CSRSI, The Payment Advisors, a leading electronic payment consultancy specifically focused on the merchant. He can be reached at 866-462-7774, ext. 1, or rfedergreen@csrsi.com.

Ken Musante is President of Humboldt Merchant Services. Contact him by e-mail at kmusante@hbms.com or by phone at 707-269-3200.

Theodore Svoronos, Payments Consultant for Irvine, Calif.-based Group ISO, can be reached by phone at 800-960-0135 or by e-mail at ted@groupiso.com.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

previous next

Spotlight Innovators:

USAePay | Impact Paysystems | Electronic Merchant Systems | Inovio | Board Studios, Inc.