The Green Sheet Online Edition
January 28, 2008 • Issue 08:01:02
From the merchant level salesperson (MLS) to the acquiring ISO, and at every link in the chain, confidential personal identification information is stored, processed and transmitted. And each party in that chain needs to take proper steps to protect this data from unauthorized access. Here is a look at the regulatory landscape impacting ISOs.
The Federal Trade Commission is a government agency created by Congress through the Federal Trade Commission Act of 1914. The FTC was intended to prevent unfair methods of competition in commerce.
The FTC has determined the failure of any legal entity (public or private, for-profit or not-for-profit) to take "reasonable and appropriate" steps to protect personal identity or personal identification information (PII)
to be an "unfair trade practice" and, as a result, subject to FTC oversight.
PII includes any combination of a person's name and the following data: credit card numbers, date of birth, Social Security number, driver's license number and financial account numbers.
Phone numbers and e-mail addresses are excluded from this list because of their presence in the public domain (though some federal and state legislation include one or both in their definition of PII). The FTC Act, therefore, has become the country's national data privacy regulation and the FTC is the nation's data security enforcement agency.
The FTC has asked Congress for legislation which would create a "clear statutory requirement that companies implement and maintain appropriate safeguards" with the belief that this "would enhance the FTC's enforcement authority in this area and go a long way towards promoting a culture of security."
Though Congress has not enacted the legislation the FTC requested, it has not stopped the FTC from taking action. Companies as diverse as Nations Title Agency, CardSystems Solutions Inc., BJ's Wholesale Club Inc., DSW Inc. and ChoicePoint Asset Co. LLC have all experienced FTC sanctions. The FTC has outlined five principles that form the basis for the appropriate handling of PII.
Consumers should be given notice of an entity's information practices before any personal information is collected from them. This includes:
- Identification of the entity collecting the data
- How the data will be used
- Who will receive the data
- What data is being collected
- How data is being collected
- Whether the requested data provided is required or voluntary and the consequences if the required data is not provided
How the consumer can be assured of the confidentiality, integrity and quality of the data being collected
ISOs and MLSs should be aware of the choices consumers are given regarding how any personal information collected from them may be used. Specifically, choice relates to secondary uses of information, that is to say uses beyond those necessary to complete a possible transaction.
Individuals have the right both to access data about themselves (meaning to view the data in an entity's files) and to contest that data's accuracy and completeness. Both are essential to ensuring that the data is accurate and complete.
To be meaningful, access must encompass timely and inexpensive access to data, a simple means for contesting inaccurate or incomplete data, a mechanism by which the data collector can verify the information, and the means by which corrections and consumer objections can be added to the data file and sent to all data recipients.
Customer data must be accurate and secure. To assure data integrity, collectors must take reasonable steps, such as using only reputable sources of data and cross-referencing data against multiple sources, providing consumer access to data, and destroying untimely data or converting it to an anonymous form.
Security involves both managerial and technical measures to protect against data loss and the unauthorized access, destruction, use or disclosure of the data. Managerial measures include internal organizational practices that limit access to data and ensure that those individuals with access do not utilize the data for unauthorized purposes. Technical security measures to prevent unauthorized access include encryption in the transmission and storage of data, limits on access through use of passwords and storage of data on secure servers or computers that are inaccessible by modem.
Mechanisms have been put in place for fair information practices. Among the alternative enforcement approaches are industry self-regulation, legislation that would create private remedies for consumers, and regulatory schemes enforceable through criminal and civil sanctions.
Of the five principles set down by the FTC, number five may be the most important to the payments industry. Because the payment card brands have adopted the email@example.com.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.