The Green Sheet Online Edition

January 28, 2008  •  Issue 08:01:02


Acquiring compliance

By David Mertz

From the merchant level salesperson (MLS) to the acquiring ISO, and at every link in the chain, confidential personal identification information is stored, processed and transmitted. And each party in that chain needs to take proper steps to protect this data from unauthorized access. Here is a look at the regulatory landscape impacting ISOs.


The Federal Trade Commission is a government agency created by Congress through the Federal Trade Commission Act of 1914. The FTC was intended to prevent unfair methods of competition in commerce.

The FTC has determined the failure of any legal entity (public or private, for-profit or not-for-profit) to take "reasonable and appropriate" steps to protect personal identity or personal identification information (PII) to be an "unfair trade practice" and, as a result, subject to FTC oversight.

PII includes any combination of a person's name and the following data: credit card numbers, date of birth, Social Security number, driver's license number and financial account numbers.

Phone numbers and e-mail addresses are excluded from this list because of their presence in the public domain (though some federal and state legislation includes one or both in its definition of PII). The FTC Act, therefore, has become the country's national data privacy regulation and the FTC is the nation's data security enforcement agency.

The FTC has asked Congress for legislation which would create a "clear statutory requirement that companies implement and maintain appropriate safeguards" with the belief that this "would enhance the FTC's enforcement authority in this area and go a long way towards promoting a culture of security."

Although Congress has not enacted the legislation the FTC requested, that has not stopped the FTC from taking action. Companies as diverse as Nations Title Agency, CardSystems Solutions Inc., BJ's Wholesale Club Inc., DSW Inc. and ChoicePoint Asset Co. LLC have all experienced FTC sanctions. The FTC has outlined five principles that form the basis for the appropriate handling of PII.

Of the five principles set down by the FTC, number five may be the most important to the payments industry. Because the payment card brands have adopted the

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
