The Green Sheet Online Edition
February 25, 2008 • Issue 08:02:02
ISO compliance challenge
Here is a mantra that bears repeating: From the merchant level salesperson to the acquiring ISO, and at every step in the chain, confidential personally identifiable information (PII) is stored, processed and/or transmitted. And each party in the chain needs to take the proper steps to protect this data from unauthorized access.
My last article, "Acquiring compliance," The Green Sheet, Jan. 28, 2008, issue 08:01:02, focused on Federal Trade Commission requirements for protecting PII. In summary, the FTC has determined that the failure to take "reasonable and appropriate" steps to protect confidential data is an unfair business practice and subject to FTC oversight.
ISOs are required to protect PII from unauthorized access, maintain the accuracy of data in their custody and have an incident response plan. Penalties can range from 20 years of biannual security audits with FTC review to significant monetary sanctions.
So, let's review what PII and PHI mean.
PII includes any combination of a person's name and the following data: credit card numbers, date of birth, Social Security number, driver's license number and financial account numbers. Phone numbers and e-mail addresses are excluded from this list because of their presence in the public domain (though some federal and state legislation include one or both in their definitions of PII).
In addition, two subsets of PII have relevance to the payments industry: A Social Security number itself - without any other link to the person who has been assigned to it - is considered PII, and a payment card industry-branded card number, without any other link to the cardholder, is considered PII.
Protected health care information (PHI) includes any combination of a person's name or other identifiable information (think PII data) and health care records. This includes any type of medical treatment, diagnosis, equipment and so forth that has been prescribed, purchased or received by the individual.
GLBA's long arms
Passed in 1999, the Gramm-Leach-Bliley Act (GLBA) was designed to reform the banking, investment and insurance industries. A provision of this legislation requires financial institutions to protect PII data. Does this apply to the ISO community since ISOs are not financial institutions? Yes.
Determining whether an ISO is impacted by the data privacy requirements of the GLBA can be confusing. The FTC is charged by the GLBA (along with federal and state banking, investment and insurance regulators) with the enforcement of the GLBA's data privacy provisions. The FTC has interpreted "financial institution" to mean "all businesses, regardless of size, that are significantly engaged in providing financial products or services.
"This includes, for example, check-cashing businesses, payday lenders, mortgage brokers, nonbank lenders, personal property or real estate appraisers, professional tax preparers, and courier services," the FTC stated. "The safeguards rule also applies to companies like credit reporting agencies and ATM [automated teller machine] operators that receive information about the customers of other financial institutions.
"In addition to developing their own safeguards, companies covered by the rule are responsible for taking steps to ensure that their affiliates and service providers safeguard customer information in their care."
A second factor that needs examination is whose data is being stored, processed or transmitted. The GLBA only applies to consumer activity. It does not apply to business-to-business activity.
For example, if a business, even a sole proprietorship, is applying for a merchant account, the PII data on the application and the PII data the ISO may retain in client records (electronic or paper) do not receive protection under the GLBA.
However, transaction data - which contains cardholder data - is covered under the GLBA. If an ISO processes, stores or transmits full card number data, the GLBA would apply (similar to the activities of ATM networks or operators).
When would an ISO receive a full card number? A few possible scenarios are when the ISO has a risk department monitoring cardholder activity for transaction irregularities; the ISO operates a payment gateway; or the ISO offers customer service support to merchants experiencing transaction difficulties. The FTC has adopted two relevant rules for the protection of PII:
- The Financial Privacy Rule
- The Safeguards Rule
FTC's rules for safety, privacy
The Financial Privacy Rule defines what an ISO impacted by GLBA must do when collecting PII and what must be disclosed to consumers. The FTC stated the rule "governs the collection and disclosure of customers' personal financial information by financial institutions. It also applies to companies, whether or not they are financial institutions, who receive such information."
The Financial Privacy Rule, as it applies to ISOs, is focused exclusively on the protections required of PII data; the cardholder's issuing bank is responsible for the privacy disclosure requirements of the Financial Privacy Rule of the GLBA. The steps ISOs must take to protect PII are defined in the Safeguards Rule.
The Safeguards Rule sets forth what must be done to protect data from unauthorized access. The rule requires impacted ISOs to take a number of steps to protect the PII with which they have been entrusted. And it requires a written information security plan that is appropriate to the following:
- Company size and complexity
- Nature and scope of its activities
- Sensitivity of the customer information it handles
An ISO's written plan must include:
- Designation of one or more employees to coordinate its information security program
- Identification and assessment of the risks to customer information in each relevant area of the company's operation, and evaluation of the effectiveness of the current safeguards for controlling these risks
- Design and implementation of a safeguards program, and regular monitoring and testing of it
- Selection of service providers that can maintain appropriate safeguards - making sure contracts require providers to maintain safeguards - and overseeing their handling of customer information
- Evaluation and adjustment of the program in light of relevant circumstances, including changes in the firm's business or operations, or the results of security testing and monitoring
In addition, the ISO may not disclose cardholder data to any third party that is outside of the entities involved in facilitating the consumer transaction. Pretexting, the practice of obtaining PII under "false pretenses," is also prohibited under GLBA.
GLBA's penalty punch
GLBA penalties are significant: Not only can the penalties be applied to an ISO, they can also apply to an ISO's officers. The GLBA describes applicable penalties as follows:
"The financial institution shall be subject to a civil penalty of not more than $100,000 for each violation; and the officers and directors of the financial institution shall be subject to, and personally liable for, a civil penalty of not more than $10,000 for each violation. Also, fines in accordance with Title 18 of the United States Code or imprisonment for not more than five years, or both."
Future articles will further explore areas in which ISO offices are impacted by the FTC, as well as cover other federal rules and regulations.
David Mertz is the founding partner of Compliance Security Partners LLC. He has spent the last four years working with merchants and service providers to meet Payment Card Industry Data Security Standard compliance. For more information, e-mail firstname.lastname@example.org.