ver the past two years, the media have been abuzz with news about financial data security leaks and identity fraud. We'd like to better understand the implications for the acquiring community, especially concerning ISOs and merchant level salespeople.

Perception (including the public's) plays a crucial role in our industry's reaction to recent events. With this in mind, and understanding that members of The Green Sheet Advisory Board represent different industry constituencies, we asked them the following questions:

1. How secure do you perceive your transaction processor to be vis-a-vis the industry as a whole?
2. Do you believe our industry takes threats of data security breaches seriously?
3. How do you perceive your organization's liability with respect to such breaches?
4. Do you provide in-house training on data security for your sales staff and/or merchants?
5. Do you think your merchants are engaged in necessary diligence with respect to the treatment of their customers' transaction data?
6. Do you believe it is appropriate, or even possible, for ISOs and processors to reserve against liabilities associated with data security breaches?
7. How familiar are you with the Payment Card Industry (PCI) Data Security Standard? Do you consider your organization to be PCI compliant? What about your clients?
8. Should there be some underlying criteria for evaluating PCI compliance? Because we asked a lot of questions, and responses were lengthy, we've divided this article into two parts. (Look for Part II in a future issue.) Following is the first set of GS Advisory Board member responses, in alphabetical order:

Data security is critical to the future of electronic payments. As the world's leader in electronic payment processing ... First Data is committed to safeguarding the integrity and confidentiality of our clients' data.

We employ numerous procedures to ensure that the information remains intact and confidential and that our systems are regularly tested. We offer and institute extensive data security measures throughout the complete lifecycle of the products and services we provide. We continually address our approach to data security to best avoid any type of threat to our customers and consumers.

We work with industry forums and government entities in education and solution offerings related to data security and fraud prevention. This includes a number of efforts from conducting Fraud Forums sponsored by the STAR Network and our participation in BITS, a nonprofit consortium of 100 of the largest financial institutions, to developing and managing an insider fraud prevention service.

First Data has systems in place to approach the highest levels of data security to help prevent breaches; however, we are also in a unique position to help thwart criminals who look to conduct fraud after the data are stolen. We take these actions in the interest of safer commerce.

First Data has dedicated many resources to understand and comply with PCI requirements. Entities that First Data owns, contracts with or connects to, that process, store or transmit cardholder information, are required to comply with PCI. First Data validates compliance via a corporate audit-contracted, PCI-approved assessor. First Data requires that vendors acting as a service provider or data storage entity demonstrate compliance with PCI.

In order to develop long-term and viable solutions to the issue of data security, all stakeholders, including consumers, the government and businesses, must share ownership and work closely to ensure safe and secure transactions while protecting consumer privacy.

Ben Goretsky, USA ePay

1. The transactions processed through the USA ePay system are processed in the most secure way. We always use a secure connection, and the key identification method for a transaction combined with an MD5 encryption algorithm makes it one of the most secure in the industry.

2. Do we as an industry take threats of data security breaches seriously? No. Should we? Yes. Threats can escalate to large attacks. Even though we have learned from past experiences of DoS [denial of service] attacks and identity fraud, the new hacks out there are a lot more dangerous.

3. We take every attempt into consideration. Liability is something we need to assume if our system encounters the breach. Most of the time, though, we have noticed that merchants' Web sites encountered attacks and breaches, and in those cases we cannot be held liable for a merchant or hosting company that has become irresponsible with security. On a gateway level, it is our responsibility.

4. We do provide training for our sales staff as well as for our resellers/ISOs so they can inform merchants.

5. It is the merchant's responsibility in respect to the treatment of sensitive data on a customer's transaction information to an extent. We still believe that if merchants are not informed properly by their reseller or merchant service bank then how can we expect merchants to know these responsibilities?

   On a gateway level, we always hear the line from the merchant "but we were never told." The merchant bank [also] needs to inform the merchant, set the laws, make the laws known, and then it is up to the merchant to follow these rules, regulations and responsibilities properly.

6. This is a very sensitive topic. We can't just go and freely point the finger and at the same time walk away from all responsibilities and liabilities. The gateway is liable for making sure merchants do not encounter a breach. The ISO is liable for making sure merchants are properly informed and educated about security and their responsibilities, and merchants are liable for making sure they follow these responsibilities set forth to them.

7. We were one of the first gateways to become PCI compliant. Merchants who use the gateway are compliant even though it gets tricky with merchants who store data and were not informed that they should not. We also offer our merchants proper security scanning from ScanAlert to make sure they are compliant.

8. There already are: the scan, the penetration tests, the onsite audits are all criteria which are currently evaluated for PCI compliance.

Jared Isaacman, United Bank Card Inc.

1. Having lived through the hell that the CardSystems Solutions Inc. security breach represented ... I know the insecure feeling of having a lot of merchants on an unstable processing platform. That being said, I am very satisfied with my current front-end network (Chase Paymentech Solutions LLC) ... I have seen their operation and understand the means by which they bring transactions into their platform. It is very secure, very stable and avoids third-party providers.

2. Perhaps not so much three years ago, but presently data security is a hot topic. ISOs and merchants of all sizes now have various forms of PCI guidelines that they must follow. Audits are even being required of organizations that don't touch the transaction. This is very positive as it makes all parties accountable and avoids gaps in the transaction flow that were not previously screened.

   I also believe that third-party processor registration with Visa and MasterCard is significantly more difficult, as is finding a member bank to sponsor you for that purpose.

   This makes it harder for smaller players to enter the business and begin taking on a great deal of responsibility like transaction processing. The last year especially has seen remarkable changes industry-wide on PCI enforcement, regular audits and greater entrance requirements in the third-party processor arena.

3. I believe every ISO's primary responsibility is to its merchant customers. If a data security breach occurs at your processing platform, you are immediately responsible for rectifying that situation, including converting merchants to a more secure platform. There are costs involved with this, and they can be quite significant.

   If data security results in a platform's being shut down before you have the opportunity to move your merchant customers, then that risks lawsuits from your merchants, sales offices, etc. These are all very real liabilities that can be avoided by choosing your partners in transaction processing carefully.

   Although United Bank Card is PCI compliant, we still do not touch any of the cardholder data or store it. As such, our exposure to any form of security breach is nonexistent. We have multiple firewalls, independent networks with no outside connectivity and advanced forms of encryption. A compromise of our network would be like a bank robber using the best drill to bust open a safe that had no money in it.

4. We do have extensive training for our customer service, technical support and risk management departments that have access to read-only and truncated credit card numbers. We also have high-level encryption of our merchant customers' personal information such as Social Security numbers and bank accounts. There is not a single piece of confidential or secure data that is stored in a plain text format on our networks.

5. We undertook a pro-active initiative with AmbironTrustWave and Discover Card to ensure that all our merchant customers were compliant. This included free network vulnerability scans of all our e-commerce merchants ... to ensure that those most susceptible to a security breach have proper systems in place to protect cardholder data.

6. I think these reserves are already in place. The top of the food chain (next to the banks) in the payment processing world are the BIN [bank identification number] holders and third-party processors. They all put up significant reserves and pay ongoing sponsorship fees to cover the liabilities of a sponsor bank.

7. Not only have we been compliant with the principles of PCI for years, but we have also undertaken the full audit as if we were a front-end platform, even though we do not touch the flow of transactions.

Joe Natoli, Retriever Payment Systems

1. Very secure on levels 1, 2 and 3, as direct requirements by the card Associations are strictly adhered to. Level 4, which is left up to the merchant, is less than realistic in assuming that each acquirer can contact each level-4 merchant and determine whether any of the operating procedures, hardware or software have changed in the past 30 days. I believe systems integrators should be responsible for level-4 merchant compliance.

2. Yes, very seriously.

3. I believe the card Associations have shifted an unfair percentage of liability to the acquirer. Once the merchant is set up, it is difficult for the acquirer to control or closely monitor any changes that a merchant, value-added reseller or hardware provider may institute.

4. Yes, we have also added questions to our application that would help further enhance the technology set up at the merchant's location during the time of boarding.

5. Some are; however, I do not believe today that all merchants fully understand the ramifications of handling cardholder data, even though many acquirers, including Retriever, make it a priority to explain what they may or may not do when setting up their account.

6. No. There is no predictable way of reserving against the liability of the potential magnitude a cardholder data breach can cause.

7. We are very familiar. We have undergone a full SAS 70, BIG 4 Financial and System Audit, and a full PCI audit and certification.

8. Yes. In addition to volume and transactional size, [there should be] a technology component whereby merchants on secure dial-terminal technology are exempt.