A Thing
The Green SheetGreen Sheet

The Green Sheet Online Edition

July 23, 2018 • Issue 18:07:02

If you see something, speak up

By Dale S. Laszig
DSL Direct LLC

Most of us would like to leave our jobs behind when on vacation, but that's not easy for payment pros. Every time we walk into a store, open a mobile app or shop online, we're reminded of our industry. These reminders can be exciting or cringeworthy, depending on the circumstances. Here are some examples (I'm sure you can think of many more):

  • Exciting: to see checkout evolve from three acts (payment presentment, authorization and close) to one act. When we exit an Uber or Amazon Go store, payments magically happen.
  • Cringeworthy: to see noncompliant equipment in a checkout lane. EMV (Europay, Mastercard and Visa) guidelines became effective in 2015, making merchants without chip card readers 100 percent liable for a security breach.
  • Exciting: to see available points, cash, rewards, coupons and credit cards on a checkout screen and be able to pay in any combination. These options are widely available on mobile wallets and ecommerce sites.
  • Cringeworthy: to be asked for multiple forms of identification while people fuss and fidget behind us in the checkout queue, because the merchant doesn't use available technologies to securely authenticate users in seconds.

The pillow case

Last year, a sales associate at a furniture store offered to lend me a pillow. She said, "I'll write your credit card number on this receipt and bill you if you don't bring it back." When I expressed concern about exposing my credit card data, she offered to tear up the receipt or give it back when I returned the pillow. The following day, as promised, she retrieved the receipt from a locked safe behind a service counter and returned it to me.

In subsequent discussions with security analysts, I learned that writing a credit card number on a piece of paper does not violate the Payment Card Industry Data Security Standard (PCI DSS). It's what happens afterward that determines whether the merchant is complying with PCI DSS guidelines.

"Merchants want to be friendly and allow their customers to take a pillow home," said Matthew Halbleib, audit director at SecurityMetrics. "They need to design a process that allows employees to do this." Halbleib pointed out that PCI DSS version 3.2.3 disallows storing "sensitive authentication data," which the PCI Security Standards Council defines as post-authorization card data.

"Sensitive authentication data must not be stored after authorization, even if encrypted," states page 8 of the PCI DSS 3.2.3 manual, published in May 2018. "This applies even where there is no PAN [primary account number] in the environment."

Physical and virtual security

Chris Bucolo, director of market strategy at ControlScan Inc., said there are understandably many concerns about the more technical aspects of PCI and data security, but in reality, many PCI DSS requirements are procedural in nature, and payment pros do not need IT knowledge to understand and address them. Physical security and procedures are just as important as those relating to the network and electronic processing aspects, he noted. The key is to weigh convenience issues with security risks and look for ways to protect customers while delivering a seamless, enjoyable customer experience.

Referring to the salesperson's offer recounted above, Bucolo added, "The practice the sales associate described may not have sounded so concerning had she said, 'We have a very clear and strict policy/procedure we follow internally,' and offered more details about how the store protects the data." He provided the following examples:

  • We protect the data by keeping it locked in a special fireproof cabinet that is also behind a locked door. Only a few key people have access.
  • When you return the item we go in that cabinet and retrieve the receipt the same day, and we use a cross-cut shredder to destroy any evidence of a card number.
  • We do not allow the information to be recorded or kept anywhere else.
  • If the consumer does not return the item, we process a card transaction on our system and then follow the same destruction procedure for the receipt.

Follow the (card) flow

Halbleib said companies need to define their cardholder data environments, first by identifying all the places where data flows, then by applying controls around those card flows. When an employee creates a cardholder data flow that no one in the organization has heard about, it can jeopardize an organization's status and security posture, he said.

Halbleib suggested maintaining open lines of communication among employees and managers. This way, when an employee identifies a potential new card flow, a business owner and IT manager can make a business decision about how to handle that data.

Merchants and business owners have to control access to customer data after they take it, he stated, adding that this might entail storing receipts in tamper-evident bags and keeping a record of receipts that were turned over to a manager or picked up by a courier. "Auditors will look at whoever had access to the card data," he noted. "I appreciate all the honest clerks out there who don't steal your data, but we need a very established process to protect employees, businesses and consumers."

Self-regulating payments

Sandy Travers, co-founder and co-CEO at DigiPay Solutions Inc., tries to educate merchants about the nuances of PCI requirements. "Sometimes I have to tell merchants why I don't want to handwrite my credit card on a piece of paper," she said. "This has even happened at large, established companies."

Travers recently offered to save a merchant money by providing free card readers to his fleet of service delivery people. "You can't have employees driving around with credit card numbers in their vans, because it violates payment card industry rules," she said. "Besides, you're paying card-not-present rates when you manually enter credit card data. My free card readers would make you eligible for card-present rates."

Banks and processors are getting tough on fraud and data security breaches, which increases the merchant's cost of doing business, Travers noted, adding that when PCI drives up costs, it all goes down stream in the form of higher consumer prices. "We need to be a self-regulating industry and not look the other way when we see something wrong," she said.

end of article

Dale S. Laszig, Senior Staff Writer at The Green Sheet and Managing Director at DSL Direct LLC, is a payments industry journalist and content provider. She can be reached at dale@dsldirectllc.com and on Twitter at @DSLdirect.

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

Prev Next

Current Issue

View Archives
View Flipbook

Table of Contents

Company Profile
New Products
A Thing