By Dale S. Laszig
DSL Direct LLC
Most of us would like to leave our jobs behind when on vacation, but that's not easy for payment pros. Every time we walk into a store, open a mobile app or shop online, we're reminded of our industry. These reminders can be exciting or cringeworthy, depending on the circumstances. Here are some examples (I'm sure you can think of many more):
Last year, a sales associate at a furniture store offered to lend me a pillow. She said, "I'll write your credit card number on this receipt and bill you if you don't bring it back." When I expressed concern about exposing my credit card data, she offered to tear up the receipt or give it back when I returned the pillow. The following day, as promised, she retrieved the receipt from a locked safe behind a service counter and returned it to me.
In subsequent discussions with security analysts, I learned that writing a credit card number on a piece of paper does not violate the Payment Card Industry Data Security Standard (PCI DSS). It's what happens afterward that determines whether the merchant is complying with PCI DSS guidelines.
"Merchants want to be friendly and allow their customers to take a pillow home," said Matthew Halbleib, audit director at SecurityMetrics. "They need to design a process that allows employees to do this." Halbleib pointed out that PCI DSS version 3.2.3 disallows storing "sensitive authentication data," which the PCI Security Standards Council defines as post-authorization card data.
"Sensitive authentication data must not be stored after authorization, even if encrypted," states page 8 of the PCI DSS 3.2.3 manual, published in May 2018. "This applies even where there is no PAN [primary account number] in the environment."
Chris Bucolo, director of market strategy at ControlScan Inc., said there are understandably many concerns about the more technical aspects of PCI and data security, but in reality, many PCI DSS requirements are procedural in nature, and payment pros do not need IT knowledge to understand and address them. Physical security and procedures are just as important as those relating to the network and electronic processing aspects, he noted. The key is to weigh convenience issues with security risks and look for ways to protect customers while delivering a seamless, enjoyable customer experience.
Referring to the salesperson's offer recounted above, Bucolo added, "The practice the sales associate described may not have sounded so concerning had she said, 'We have a very clear and strict policy/procedure we follow internally,' and offered more details about how the store protects the data." He provided the following examples:
Halbleib said companies need to define their cardholder data environments, first by identifying all the places where data flows, then by applying controls around those card flows. When an employee creates a cardholder data flow that no one in the organization has heard about, it can jeopardize an organization's status and security posture, he said.
Halbleib suggested maintaining open lines of communication among employees and managers. This way, when an employee identifies a potential new card flow, a business owner and IT manager can make a business decision about how to handle that data.
Merchants and business owners have to control access to customer data after they take it, he stated, adding that this might entail storing receipts in tamper-evident bags and keeping a record of receipts that were turned over to a manager or picked up by a courier. "Auditors will look at whoever had access to the card data," he noted. "I appreciate all the honest clerks out there who don't steal your data, but we need a very established process to protect employees, businesses and consumers."
Sandy Travers, co-founder and co-CEO at DigiPay Solutions Inc., tries to educate merchants about the nuances of PCI requirements. "Sometimes I have to tell merchants why I don't want to handwrite my credit card on a piece of paper," she said. "This has even happened at large, established companies."
Travers recently offered to save a merchant money by providing free card readers to his fleet of service delivery people. "You can't have employees driving around with credit card numbers in their vans, because it violates payment card industry rules," she said. "Besides, you're paying card-not-present rates when you manually enter credit card data. My free card readers would make you eligible for card-present rates."
Banks and processors are getting tough on fraud and data security breaches, which increases the merchant's cost of doing business, Travers noted, adding that when PCI drives up costs, it all goes down stream in the form of higher consumer prices. "We need to be a self-regulating industry and not look the other way when we see something wrong," she said.
Dale S. Laszig, Senior Staff Writer at The Green Sheet and Managing Director at DSL Direct LLC, is a payments industry journalist and content provider. She can be reached at email@example.com and on Twitter at @DSLdirect.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next