The Green Sheet Online Edition

September 12, 2011  •  Issue 11:09:01


Identity theft: It's not just PCI anymore

By Linda Grimm and Ross Federgreen

All business entities are obligated to know which regulations apply to them and to take all reasonable measures to secure the data their customers entrust to them.

Identity theft is the number one concern of consumers and therefore one of regulators' highest priorities. Each state and many industries (including banking and health care) have their own requirements over and above federal regulations.

In the merchant services industry, the Payment Card Industry (PCI) Data Security Standard (DSS) is now a household phrase. Your merchants are reminded monthly about PCI when they get their statements and see the monthly or annual fees assessed for "PCI compliance."

The PCI DSS is managed by the Payment Card Industry Security Standards Council, a body of industry experts that defines the standard all the card brands adopt and build their compliance programs around. Those programs include Visa Inc.'s Cardholder Information Security Program, American Express Co.'s Merchant Data Security Standard and MasterCard Worldwide's Site Data Protection.

The power of PII

Identity theft is the loss of personally identifiable information (PII) followed by the use of that data for fraudulent purposes. Data elements currently treated as PII include Social Security numbers, dates of birth, driver's license numbers, credit and debit card numbers, and check routing and account numbers.

However, the definition, and therefore the set of data elements that must be protected, is expanding. For example, on Feb. 10, 2011, the California Supreme Court ruled in Pineda v. Williams-Sonoma Stores that a ZIP code is personal identification information that a merchant may not request and record in a credit card transaction under the state's Song-Beverly Credit Card Act. Internet Protocol addresses may also be considered PII.

The PCI DSS is just a small part of the picture. It addresses cardholder data: the card number (primary account number) and the data stored with it, such as the cardholder name, expiration date and service code, along with sensitive authentication data such as magnetic stripe track data, card verification codes and PINs. But what about all the other PII a business may store, process or access, such as customer or employee records with names, addresses, phone numbers, possibly Social Security numbers, bank routing and account numbers, email addresses, and financial or health information?

All this data is considered private information, and the PCI DSS deals with only one small subset of PII.
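The practical first step the preceding paragraphs imply is an inventory: which fields in a merchant's records are cardholder data governed by the PCI DSS, and which are PII governed by other state and federal rules. The scanner below is an added example written for this page, not code from the authors or from CSRSI. It classifies fields by format where a format exists (a Luhn check for card numbers, the ABA checksum for routing numbers, patterns for SSNs, ZIP codes and IPv4 addresses) and by field name where no format is checkable (names, emails, dates of birth). The field-name hints, the sample record and the two-bucket scope split are assumptions chosen for illustration; they are not a regulatory definition of PII.

```python
"""Classify record fields as PCI cardholder data vs. other PII.

Added example, not from the original article. FIELD_HINTS, SAMPLE_RECORD and
the pci/other_pii split are illustrative assumptions, not a legal definition.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    field: str
    category: str     # e.g. "PAN", "SSN", "ABA_ROUTING", "ZIP", "IPV4"
    pci_scope: bool   # True only for data the PCI DSS itself governs


# Field-name hints for PII with no checkable format (assumed names).
FIELD_HINTS = {
    "name": "NAME", "email": "EMAIL", "dob": "DOB",
    "phone": "PHONE", "account": "BANK_ACCOUNT",
}

SSN_RE = re.compile(r"^(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}$")
ZIP_RE = re.compile(r"^\d{5}(?:-\d{4})?$")
IPV4_RE = re.compile(
    r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def aba_routing_valid(digits: str) -> bool:
    """ABA routing transit number checksum (weights 3,7,1 repeating)."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(int(d) * w for d, w in zip(digits, weights)) % 10 == 0


def classify_value(field: str, value: str) -> Optional[Finding]:
    """Return a Finding for one field, or None if nothing recognisable."""
    v = value.strip()
    lower = field.lower()
    for hint, category in FIELD_HINTS.items():
        if hint in lower:
            return Finding(field, category, False)
    if SSN_RE.match(v):
        return Finding(field, "SSN", False)
    if IPV4_RE.match(v):
        return Finding(field, "IPV4", False)
    if ZIP_RE.match(v):          # checked before ABA so ZIP+4 is not mistaken
        return Finding(field, "ZIP", False)
    digits = re.sub(r"[ -]", "", v)
    if digits.isdigit():
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return Finding(field, "PAN", True)   # the one PCI DSS element here
        # Known gap: an undelimited 9-digit SSN that happens to pass the ABA
        # checksum would be reported as a routing number.
        if aba_routing_valid(digits):
            return Finding(field, "ABA_ROUTING", False)
    return None


def scope_report(record: Dict[str, str]) -> Dict[str, List[str]]:
    """Split a record's fields into PCI scope, other PII, and unclassified."""
    report: Dict[str, List[str]] = {"pci": [], "other_pii": [], "unclassified": []}
    for field, value in record.items():
        f = classify_value(field, str(value))
        if f is None:
            report["unclassified"].append(field)
        elif f.pci_scope:
            report["pci"].append(field)
        else:
            report["other_pii"].append(field)
    return report


# Constructed sample record (test card number, test routing number, etc.).
SAMPLE_RECORD = {
    "name": "Jane Q. Public",
    "email": "jane@example.com",
    "card_number": "4111 1111 1111 1111",
    "ssn": "078-05-1120",
    "routing": "123456780",
    "account": "000123456789",
    "zip": "94105",
    "last_login_ip": "203.0.113.7",
    "notes": "prefers evening calls",
}

if __name__ == "__main__":
    for bucket, fields in scope_report(SAMPLE_RECORD).items():
        print(f"{bucket}: {fields}")
```

Run against the sample record, the report puts only the card number in the PCI bucket and seven other fields in the broader PII bucket, which is the article's point in tabular form: a PCI validation alone would have looked at one field out of eight that carry regulated data.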

Numerous state and federal regulations address PII security. Why should your merchants care? Because if they don't, there could be significant business and personal repercussions - and not just if their systems are compromised.

The Federal Trade Commission takes its role of protecting U.S. consumers seriously. Many state regulations are even more stringent than those of the FTC, and the state attorneys general are actively pursuing businesses that fail to properly protect consumer data.

Companies found to be in violation of state regulations face stiff sanctions, often significant monetary fines with requirements to implement controls and, in many instances, ongoing reporting to the regulatory authority, often for many years.

Case studies: A pound of cure

To quote Benjamin Franklin, "An ounce of prevention is worth a pound of cure." Here are some case studies that illustrate "the pound of cure" that could have been avoided with prudent, proactive prevention and adherence to federal and state regulations in addition to the PCI DSS.

Regarding the cases involving the FTC, the filing of a complaint is authorized when the FTC has "reason to believe" the law has been or is being violated and the proceeding appears to be in the public interest. The complaint is not a finding or ruling that the defendant has actually violated the law, and a stipulated order is for settlement purposes only; it does not constitute an admission by the defendant that the law was violated.

A consent order issued by the FTC does, however, carry the force of law: violating one exposes the company to civil penalties of up to $16,000 for each violation.

These are just a few examples of the types of situations companies may find themselves in, illustrating the need to make sure your merchant customers:

Linda Grimm, Certified Information Privacy Professional (CIPP), is Senior Consultant, and Ross Federgreen, CIPP, is the founder of CSRSI, the leading payment and privacy consulting firm. Linda can be reached at; Ross can be reached at For more information or assistance in learning about the regulations as applicable to your or your merchant customers' business, contact CSRSI at 866-462-7774 or online at
