The Green Sheet Online Edition

August 22, 2011  •  Issue 11:08:02


SAFE Data notification bill: Does it go far enough?

By Nicholas Cucci

On July 20, 2011, the U.S. House of Representatives subcommittee on Commerce, Manufacturing and Trade approved by a voice vote a version of the data breach notification bill. The legislation, the Secure and Fortify Electronic (SAFE) Data Act, is intended to enhance protection of personal information by establishing uniform national standards. If enacted, the SAFE Data Act (H.R. 2577) would preempt breach notification laws in 47 states and require notification of consumers within 48 hours after identifying specific information that was breached, unless the intrusion was inadvertent and unlikely to result in harm.

Data covered by the SAFE Data Act is restricted to identification codes such as Social Security, passport, driver's license and credit card numbers. However, even with the progress toward a national standard for breach notifications, the legislation leaves room for ambiguity. For example, what is an inadvertent breach? If the breached data is just an email address, the argument could be made that an email address is partially sensitive data. When a fraudster cannot pull down credit card numbers or more sensitive personal information, the next best thing is an email address. With an address, a fraudster can start phishing, which is a way of attempting to acquire sensitive information such as user names, passwords and credit card details by masquerading as a trustworthy entity in an email. If email addresses are compromised, will that fall under "inadvertent breach unlikely to cause harm"?

Protecting the personal is political

Committee member Rep. Henry Waxman, D-Calif., said, "The biggest loophole in the bill is its definition of personal information. There is no protection for personal emails; no protection for personal photographs and videos stored online; no protection for records of book, video, and other consumer purchases; no protection for records of purchases of over-the-counter drugs, including pregnancy tests; [and] no protection for payroll records." The Federal Trade Commission supports provisions in the SAFE Data Act authorizing the agency to obtain civil penalties for violations. FTC Commissioner Edith Ramirez stated, "Civil penalties are particularly important in areas such as data security, where the commission's traditional equitable remedies - including consumer restitution and disgorgement - may be impractical or not optimally effective."

So far, the new legislation would require companies and other entities that hold personal information to establish and maintain appropriate security policies to prevent unauthorized acquisition of data. The law requires notification of affected consumers after discovery of a breach, unless that breach was an innocent or inadvertent breach unlikely to result in harm. Organizations must begin notifying consumers within 48 hours - after taking steps to prevent further breaches and determining who has to be notified.

Laws and compliance rules not enough

This prospective notification law sounds a lot like the Payment Card Industry (PCI) Data Security Standard (DSS) and related security standard rules. We all know PCI compliance for our merchants is simply not enough to prevent a breach. Unfortunately, if you meet only the PCI standards, you are still extremely vulnerable.

Take, for instance, a PCI compliant merchant who keys in all transactions through a payment gateway's virtual terminal. In this scenario, the path from the keyboard to the computer is not encrypted: the card data travels as clear text before the gateway's encrypted session ever begins. This is just one example in which being merely PCI compliant and taking no extra security measures could result in a breach.

Why not set an industry standard that transactions keyed into virtual terminals must be done through encrypted keypads? By ensuring that every interaction is completely secure, merchants could rest easy knowing that if intruders were to break into their networks, they would have no access to any sensitive credit card or personal data.

[Sidebar: Top 10 consumer complaints in 2010]

Go the extra mile

Fraudsters' favorite way of stealing credit card information is a virus with an embedded key logger, which lets them monitor and record the keystrokes of infected computers. When merchants use encrypted keypad solutions, data thieves cannot see anything being keyed into the computers, even infected ones. To show how much sensitive information is at stake and why we need more uniform laws, here are some appalling statistics from last year. The FTC recently released the list of top consumer complaints received by the agency in 2010. This list shows that, for the eleventh year in a row, identity theft is still the number one consumer complaint. A total of 1,339,265 complaints were received in 2010; roughly 19 percent were related to identity theft.

An ounce of prevention, a pound of regret

One of the most common questions asked is whether identity theft can be prevented. The answer is both yes and no. You and your customers can take measures to protect yourselves and mitigate the risk. The harder you make your sensitive and identifying information to steal, the less likely someone will spend time trying to figure it out.

Fraudsters will move on to the next person or merchant who is not protecting himself or herself. Criminals look for the path of least resistance. So make sure you, and your merchant customers, keep this in mind when selecting your preventive measures. Within today's payments industry, security needs to be solidified. Merchants and consumers need to feel comfortable when spending money, knowing that their personal information is being taken care of by the policies and procedures in place. Deficits in this regard will cause consumers to spend less. Is legislation going in the right direction?

Nicholas Cucci is the Director of Marketing for Network Merchants Inc., a graduate of Benedictine University and a licensed Certified Fraud Examiner. Cucci is also a member of the Advisory Board and Anti-Fraud Technology Committee for the Association of Certified Fraud Examiners. NMI builds e-commerce payment gateways for companies that want to process transactions online in real time anywhere in the world. Contact him at

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
