The Green Sheet, Inc
The ABCs of the ADCR

By Ross Federgreen, CSRSI

Staying compliant with card Association rules and regulations is increasingly challenging. But there's a bright side. The situation offers merchant level salespeople (MLSs) opportunities to separate themselves from the pack.

The compliance world's latest development is Visa U.S.A.'s Account Data Compromise Recovery (ADCR) requirements. The ADCR program became effective Oct. 1, 2006. It offers card-present merchants additional protections, as well as additional responsibilities, in the event of a security breach. It requires merchants to know, in detail, what they must do if a breach occurs.

The ADCR ties directly back to the Payment Card Industry (PCI) Data Security Standard, which prohibits merchants or their agents from retaining or storing the complete contents of magnetic tracks after bankcard transactions have been authorized.

The CAMS connection

Central to the ADCR is the Compromised Account Management System (CAMS). It is used to notify all issuers whenever their card data has been compromised. CAMS works as follows:

  • When a merchant becomes aware of a breach, he notifies the acquirer immediately.
  • The acquirer then uploads the compromised data to the CAMS system at Visa.
  • Visa investigates the matter. If Visa determines a compromise has occurred, it sends an electronic message to all affected issuing banks, alerting them that certain cards have been compromised.
  • The issuers immediately block, terminate or monitor the accounts affected.

The ADCR in action

All merchants who accept cards in the card-present environment should never store or retain magnetic track information after authorization has occurred. Otherwise, they will open themselves up to significant liability.

The ADCR process consists of a number of steps. In brief, they are as follows:

  • Visa determines if a data compromise meets ADCR requirements. These are a) the full content of any magnetic-stripe track was retained or stored after the merchant obtained authorization; b) more than 10,000 U.S. cards were involved; and c) incremental, magnetic-stripe counterfeit fraud was attributable to the compromise.
  • Visa determines the potential ADCR liability and informs the acquirer. The acquirer has 30 days to appeal to Visa, using appropriate documentation.
  • Following confirmation and appeal, if any, Visa calculates the amount of money due from the acquirer to be transmitted to each issuer institution impacted by the compromise.
  • The acquirer notifies the merchant involved as to his liability and the terms and conditions that apply. The time within which liability can be assessed to merchants is called the "compromised event window." It can extend for up to 13 months and may include the 12-month period before the CAMS notification.

Baseline magnetic-stripe fraud is the expected dollar amount of fraud that would likely have occurred during the event window if the compromise had not happened.

The baseline amount is subtracted from the total magnetic-stripe fraud that actually occurred during the event window. This establishes the incremental fraud, which drives the amount of money for which the acquirer and, ultimately, the merchant are responsible.

Risk reduction refinements

Concerns about the integrity of cardholder data security continue to evolve and increase. Data storage in any format offers potential thieves significant opportunity. It also exposes the entity responsible for data integrity to considerable risk and liability.

Remember, Visa set forth new merchant categories in July 2006 (see "Put this on blast: Visa modified its PCI criteria," by David H. Press, The Green Sheet, Aug. 14, 2006, issue 06:08:01).

Also, all service providers and merchants who obtain, store or transmit cardholder data must be compliant with PCI Version 1.1, which was introduced in September 2006 (see "New council advances PCI," The Green Sheet, Sept. 25, 2006, issue 06:09:02). In addition, a significant number of notices and security alerts have been issued in recent months.

Must-dos for merchants

Encourage all merchants and service providers to do the following:

1. Comply with PCI Version 1.1 requirements that are specific to their circumstances.

2. Never store magnetic-stripe information after a transaction has been authorized. This is an absolute. There should be no exceptions. If a merchant or service provider is PCI-compliant and is storing data in an area that falls under the security requirements (both electronic and physical) of PCI, a limited amount of magnetic-stripe data may be retained. These are the account number, expiration date and account name.

3. Evaluate all active and pending payment applications. Make sure each application is consistent with current regulations and that merchants employ Payment Application Best Practices. These are a codified set of recognized standards. They can be found on a number of Web sites, including Visa's (www.usa.visa.com).

4. If a breach or security disruption pertaining to card data occurs, immediately report the event to the appropriate parties. Acquirers must be informed of all breaches pertaining to them within 24 hours. And remember, the period for measuring financial liability under ADCR can extend to 12 months before the event.

It is also important to emphasize that at least 42 states and the federal government have specific reporting requirements. Failure to comply with all reporting requirements can result in both civil sanctions and, in a limited number of cases, criminal prosecution.

5. Fully understand the financial, civil and criminal liabilities that may extend to merchants and service providers if a security breach occurs. This includes the period affected by the ADCR rules and the calculation of the liability above baseline fraud that will extend to the merchant.

In short, card-present merchants who fail to follow the rules will lose a lot more than the game.

Ross Federgreen is founder of CSRSI, The Payment Advisors, a leading electronic payment consultancy specifically focused on the merchant. He can be reached at 866-462-7774, ext. 23, or rfedergreen@csrsi.com

Article published in issue number 061102

© 2006, The Green Sheet, Inc.