By David Mertz
Compliance Security Partners LLC
From the merchant level salesperson (MLS) to the acquiring ISO, and at every link in the chain, confidential personal identification information is stored, processed and transmitted. And each party in that chain needs to take proper steps to protect this data from unauthorized access. Here is a look at the regulatory landscape impacting ISOs.
The Federal Trade Commission is a government agency created by Congress through the Federal Trade Commission Act of 1914. The FTC was intended to prevent unfair methods of competition in commerce.
The FTC has determined the failure of any legal entity (public or private, for-profit or not-for-profit) to take "reasonable and appropriate" steps to protect personal identity or personal identification information (PII) to be an "unfair trade practice" and, as a result, subject to FTC oversight.
PII includes any combination of a person's name and the following data: credit card numbers, date of birth, Social Security number, driver's license number and financial account numbers.
Phone numbers and e-mail addresses are excluded from this list because of their presence in the public domain (though some federal and state legislation include one or both in their definition of PII). The FTC Act, therefore, has become the country's national data privacy regulation and the FTC is the nation's data security enforcement agency.
The FTC has asked Congress for legislation which would create a "clear statutory requirement that companies implement and maintain appropriate safeguards" with the belief that this "would enhance the FTC's enforcement authority in this area and go a long way towards promoting a culture of security."
Though Congress has not enacted the legislation the FTC requested, it has not stopped the FTC from taking action. Companies as diverse as Nations Title Agency, CardSystems Solutions Inc., BJ's Wholesale Club Inc., DSW Inc. and ChoicePoint Asset Co. LLC have all experienced FTC sanctions. The FTC has outlined five principles that form the basis for the appropriate handling of PII.
Consumers should be given notice of an entity's information practices before any personal information is collected from them. This includes:
ISOs and MLSs should be aware of the choices consumers are given regarding how any personal information collected from them may be used. Specifically, choice relates to secondary uses of information, that is to say uses beyond those necessary to complete a possible transaction.
Individuals have the right both to access data about themselves (meaning to view the data in an entity's files) and to contest that data's accuracy and completeness. Both are essential to ensuring that the data is accurate and complete.
To be meaningful, access must encompass timely and inexpensive access to data, a simple means for contesting inaccurate or incomplete data, a mechanism by which the data collector can verify the information, and the means by which corrections and consumer objections can be added to the data file and sent to all data recipients.
Customer data must be accurate and secure. To assure data integrity, collectors must take reasonable steps, such as using only reputable sources of data and cross-referencing data against multiple sources, providing consumer access to data, and destroying untimely data or converting it to an anonymous form.
Security involves both managerial and technical measures to protect against data loss and the unauthorized access, destruction, use or disclosure of the data. Managerial measures include internal organizational practices that limit access to data and ensure that those individuals with access do not utilize the data for unauthorized purposes. Technical security measures to prevent unauthorized access include encryption in the transmission and storage of data, limits on access through use of passwords and storage of data on secure servers or computers that are inaccessible by modem.
Mechanisms have been put in place for fair information practices. Among the alternative enforcement approaches are industry self-regulation, legislation that would create private remedies for consumers, and regulatory schemes enforceable through criminal and civil sanctions.
Of the five principles set down by the FTC, number five may be the most important to the payments industry. Because the payment card brands have adopted the dave@csp-mw.com.
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
Prev Next
 Data Security Standard (DSS)</a>, the FTC can use PCI DSS compliance - or the lack thereof - to determine whether an ISO or any entity that stores, processes or transmits cardholder data has taken reasonable and appropriate steps to protect PII - not just cardholder data.</p>
<h4 class='subhead'>Case studies</p></h4>
<p>There have been a number of high profile cases in which the FTC has become involved as a result of compromising of PII. In each of the following examples, PII data - including cardholder data - was compromised.</p>
<p>Alpharetta, Ga.-based ChoicePoint Inc., a collector and seller of consumer data, announced in February 2005 that the personal information of nearly 145,000 consumers in all 50 states had been compromised. The ChoicePoint breach is used by the nonprofit consumer advocacy group Privacy Rights Clearinghouse as the starting point for its comprehensive listing of similar security incidents.</p>
<p>The FTC concluded that ChoicePoint failed to take reasonable and appropriate steps to protect the data in its care and then stated on its Web site that it had taken such steps to protect the data. The fines included 20 years of biannual security audits and the largest fine ever assessed in FTC history: $10 million plus a $5 million restitution pool for consumers whose identities were stolen.</p>
<p>In June 2005, news broke that 40 million debit and credit cards accounts had been compromised at the Atlanta-based processor CardSystems Solutions Inc. Eventually, the FTC assessed CardSystems 20 years of biannual security audits. And, when CardSystems' assets were acquired by biometrics company Pay By Touch, the FTC security audit requirement was included.</p>
<p>In 2006, Kansas City-based Nations Title Agency, a subsidiary of real estate firm Nations Holding Co., experienced two issues: First, its systems were hacked. The hack could have been prevented if the company had taken reasonable protective steps. Second, shredded loan documents were thrown into a dumpster.Penalty: 20 years of biannual security audits.</p>
<p>Going forward, the payments industry should pay close attention to how the shifting regulatory landscape will affect ISOs and MLSs and their relationships with merchants. Tighter legislative controls on customer data can be a headache for all concerned. But safeguarding that data is vital to the health of our industry.
<img src='/images/GSLogo_3.png' class='display-line img-fluid' style='max-width: 25px;' alt='end of article'>
</p>
<p class='small text-secondary'>David Mertz is the founding partner of Compliance Security Partners LLC. He has spent the last four years working with merchants and service providers to meet Payment Card Industry Data Security Standard compliance. For more information, e-mail <a href=){kind=link}