Thursday, December 25, 2008

Countering Credit Card Fraud With a Cool Head and Common Sense

In March 2008, Maine-based supermarket chain Hannaford Bros. admitted that credit and debit card numbers were stolen from its systems during the authorization transmissions. In what the Massachusetts Bankers Association (MBA) called a "large retail data security breach," over 4 million credit and debit card numbers may have been taken. By the beginning of April, nearly 2,000 instances of fraud had been reported as a result of the breach.

"We sincerely regret this intrusion into our systems," Hannaford Bros. President and CEO Ronald Hodge said at the time, "which we believe are among the strongest in the industry." In a "customer Q&A" document posted on its website, the company insisted that its security measures were "above and beyond" industry standards.

For its part, the MBA released a statement assuring New England consumers "that this was not a problem caused by banks."

The security went "above and beyond." The banks were not at fault. So who, then, is responsible for protecting the customers' credit card information? And what exactly were these standards that Hannaford Bros. went "above and beyond"?

You are responsible, period

It's simple: If your firm handles a customer's credit card transaction, you are responsible for protecting the information. The standards to which Hannaford CEO Hodge was referring are embodied in the Payment Card Industry Data Security Standard (PCI DSS).

For small and medium-size businesses (SMBs), compliance costs are proportionately higher than for Fortune 500 firms, and "regulatory burden" is a familiar (and unpopular) concept. However, as a comprehensive standard designed to help businesses proactively protect consumers, the PCI DSS is a good investment. With over $3 trillion in credit card purchases in 2007, there is a lot of protecting to do.

Like other payment processing companies, SecureNet Payment Systems and Sage Payment Solutions both have very "safe" sounding programs, Credit Card Vault and Sage Vault, respectively. The programs allow you to store credit card, electronic check and other sensitive data in a secure, reliable, PCI-compliant environment without having to store this data on your local servers. The technology can be seamlessly integrated into your current applications. But the real solution involves "low-tech," too.

First line of defense: awareness

In this web-wild, computerized world, it is easy to fall into the trap of thinking that all the thieves' tools are high-tech, as are the precautions and defenses. Not so, according to Ricardo Harvin, website development manager for the U.S. Chamber of Commerce. "Despite the real threat of theft by outsiders," he writes in Uschambermagazine.com, "in most cases when company information is stolen, it involved either someone working for the victimized company or a nonemployee who has access [to] that data."

Protecting your customers and their credit card data is a multifaceted endeavor. Depending on the nature of your business, it can include analysis of Web assets, database design and administration, network access control and more. It may seem a daunting task, but you will go a long way toward safeguarding your customers and your business by

  • cultivating a company environment of alertness and care;
  • having strict, enforced policies for card processing;
  • storing only the data you need, only for as long as you need it, and offsite if possible;
  • providing access to customer data only as required to transact business; and
  • maintaining both high- and low-tech security measures.
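The "store only what you need, only as long as you need it, and offsite if possible" advice, together with the hosted vault products mentioned earlier, boils down to one design: the merchant keeps a random token, the last four digits and an expiry date, while the full card number lives only in the vault, and the card verification code is never written down at all. The example below is added here to illustrate that split; it is not code from the article, from SecureNet or from Sage. The `CardVault` class is a stand-in for a hosted vault, the sample card number is a standard test number, and the 30-day retention period is an assumed policy value.

```python
import secrets
from typing import Dict, Optional


def luhn_valid(pan: str) -> bool:
    """Luhn check on a digit string. Catches typos in a card number; it is not a fraud check."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class CardVault:
    """Stand-in for a hosted, PCI-scoped vault (hypothetical; not a real vendor API).
    The merchant application only ever holds the tokens this class hands out."""

    def __init__(self) -> None:
        self._store: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(16)   # random, so it reveals nothing about the PAN
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> Optional[str]:
        return self._store.get(token)

    def delete(self, token: str) -> None:
        self._store.pop(token, None)


class MerchantRecords:
    """What the merchant's own database is allowed to keep: token, last four, expiry, timestamp."""

    def __init__(self, vault: CardVault, retention_days: int) -> None:
        self.vault = vault
        self.retention_seconds = retention_days * 86400
        self.records: Dict[str, dict] = {}

    def store_card(self, customer_id: str, pan: str, expiry_mmyy: str, cvv: str, now: float) -> str:
        if not luhn_valid(pan):
            raise ValueError("card number failed Luhn check")
        if not (cvv.isdigit() and len(cvv) in (3, 4)):
            raise ValueError("card verification code must be 3 or 4 digits")
        # The CVV is used only for the authorization request (not modelled here) and is
        # deliberately not persisted: PCI DSS forbids storing it after authorization.
        token = self.vault.tokenize(pan)
        self.records[customer_id] = {
            "token": token,
            "last4": pan[-4:],          # enough for receipts and customer service
            "expiry": expiry_mmyy,
            "stored_at": now,
        }
        return token

    def purge_expired(self, now: float) -> int:
        """Drop card references older than the retention window, locally and in the vault."""
        stale = [cid for cid, rec in self.records.items()
                 if now - rec["stored_at"] > self.retention_seconds]
        for cid in stale:
            self.vault.delete(self.records[cid]["token"])
            del self.records[cid]
        return len(stale)


if __name__ == "__main__":
    # Constructed sample: a well-known test card number, not a real account.
    vault = CardVault()
    merchant = MerchantRecords(vault, retention_days=30)
    tok = merchant.store_card("cust-1", "4111111111111111", "1210", "123", now=0.0)
    print("merchant record:", merchant.records["cust-1"])
    print("purged after 31 days:", merchant.purge_expired(now=31 * 86400))
```

The point of the split is scope: a compromise of the merchant's database yields tokens and last-four digits, which are useless for new purchases, and the retention sweep removes even those once the business reason for holding them has passed.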

It is a combination of technology and common sense that will help your business avoid fraudulent transactions. The role of merchant today is more complicated, certainly, but you are not alone in this challenge. Small-business associations and industry trade groups can be a great source of information about what is working for other businesses like yours. And there is one more underutilized tool: pressure tactics.

MasterCard is now publishing the interchange tables, the byzantine formulas and rate structures that set merchant processing costs. According to a study by Amy Dawson and Carl Hugener of Diamond Management & Technology Consultants, titled "A New Business Model for Card Payments," "Once transparency comes to credit card pricing models ... merchants will use the information to force an unbundling of interchange fee structures. The interchange structure as we know it will disappear."

SMBs can use their aggregate strength to force some overdue revisions of the pricing structure of credit card processing. Once a candid, open negotiation on these matters can commence, savings in this area can be redirected to creating ever safer systems, onsite and off, for the protection of your customer's credit card accounts.

This article was provided by Scott McQuarrie, who has devoted a lifetime to developing his world-class expertise in electronic security, video surveillance and the myriad technologies involved in both fields. His firm has its major web presence at Video Surveillance Systems, although he maintains several other security-related websites.

Scott has a comprehensive knowledge of the design and installation of large commercial video surveillance, alarm and card access systems, which made him a top professional at Honeywell. Among his numerous accomplishments, then and since, are the complete system design and project management for various universities, prisons, airports and corporations. Top clients have included Lockheed, L3, ATK and 3M.

In 1990 Scott founded his first security company, going on to build several security-related firms into regional and national powerhouses over the years. In 2000 he turned his focus to the Internet, which opened up a national and international market for his talents. Scott has other security-related websites, including Security-Guy.com, which you can visit for more information.

1 comment:

Unknown said...

Voltage also offers a solution for securing sensitive data that's really changing the game. It's called Format-Preserving Encryption (FPE) and it lets orgs effectively protect the data they hold without moving it around. Per its name, it preserves the format of encrypted data and protects at the data level. So no matter where that data goes or how it's used, it's always protected. Learn more at http://www.voltage.com/technology/Technology_FormatPreservingEncryption.htm
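To make the comment's idea concrete: format-preserving encryption turns a 16-digit card number into another 16-digit string, so existing database columns and applications that expect a digit string keep working while the stored value is ciphertext. The block below is an added toy illustration of how that is commonly built, a Feistel network over decimal digits with a keyed PRF as the round function; it is not Voltage's product, not the NIST FF1 algorithm that production systems should use, and the key and sample number are constructed for the demonstration.

```python
import hashlib
import hmac

ROUNDS = 10  # assumed round count for this toy construction


def _round_value(key: bytes, rnd: int, right: str, width: int) -> int:
    """Round function: HMAC-SHA256 over (round number, right half), reduced to `width` digits."""
    mac = hmac.new(key, f"{rnd}:{right}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (10 ** width)


def _split(digits: str):
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("input must be a string of at least two decimal digits")
    n = len(digits)
    u = n // 2              # left half may be one digit shorter for odd lengths
    return u, n - u, digits[:u], digits[u:]


def fpe_encrypt(key: bytes, digits: str) -> str:
    """Encrypt a decimal string to a decimal string of the same length."""
    u, v, a, b = _split(digits)
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v          # width of the half being modified this round
        c = (int(a) + _round_value(key, i, b, m)) % (10 ** m)
        a, b = b, str(c).zfill(m)           # zfill keeps leading zeros, so length is preserved
    return a + b


def fpe_decrypt(key: bytes, digits: str) -> str:
    """Invert fpe_encrypt by running the rounds backwards."""
    u, v, a, b = _split(digits)
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c, b = b, a
        a = str((int(c) - _round_value(key, i, b, m)) % (10 ** m)).zfill(m)
    return a + b


def protect_pan(key: bytes, pan: str) -> str:
    """Encrypt all but the last four digits, the usual shape for a stored card number."""
    return fpe_encrypt(key, pan[:-4]) + pan[-4:]


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-not-for-use"   # constructed; real keys come from a KMS
    pan = "4111111111111111"                          # standard test number, not a real account
    ct = protect_pan(demo_key, pan)
    print(pan, "->", ct)
    print("round trip ok:", fpe_decrypt(demo_key, ct[:-4]) + ct[-4:] == pan)
```

Two caveats a practitioner would want: a toy Feistel with a hash-based round function is only an illustration of the structure, and leaving the last four digits in the clear (as `protect_pan` does for receipts and lookups) means the ciphertext still leaks those digits by design, so the key management and access control around it matter as much as the cipher.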