One of the most unfortunate, insidious and shocking events that can take place in the course of operating your business is the theft of your customers’ credit card data and a breach of the security that is meant to prevent its misuse or loss to criminals. As a merchant, the dire ramifications of such a security breach, unfortunately, lie squarely on you. When this kind of breach does take place, merchants can easily incur heavy fines and, ultimately, may well lose the credit card processing services that support their very businesses.
As a merchant operating in today’s electronic media-, information- and storage-driven age, understanding the rules and regulations for credit card data security will not only help you protect your livelihood and business, but will ensure the loyal customer base that assures your survival.
New Standards, Old Wisdom
All of the major international credit card issuers, such as MasterCard, Visa, American Express and Discover, have come together to create a uniform set of security standards called the Payment Card Industry Data Security Standard, or PCI DSS. Adhering to the PCI DSS is now mandatory for all merchants and merchant account service providers that control, transmit, store or process information regarding any of these companies’ credit cards or related credit card data. If a business is not compliant, it may easily face monetary penalties or have its credit card processing privileges suspended or revoked by the credit card associations.
Today, card data is primarily collected, confirmed, stored and transferred in the virtual online domain of the World Wide Web. The overall operation is a truly rapid and money-saving process when one considers the incredible volume and variety of payment processing data that must be dealt with continuously. On the other hand, the online nature of this process also allows a staggering number of opportunities for criminals to explore, and worse, to exploit. Online computer hackers regularly attempt to circumvent security measures and steal credit card account details and information, which are then used later for fraudulent sales transactions made by the criminals or sold to other criminals.
Merchants and their credit card payment processors are required to implement strict security measures, such as those mandated by the PCI DSS, to protect this very sensitive credit card and cardholder data. They should reinforce these procedures with the accumulated knowledge of standard business and personal security practices – restricting access to computers that hold sensitive data, requiring user names and passwords, locking up any paper copies of important data and so on. There is, however, always the distinct possibility that something may go awry. If a merchant or a merchant processing company suspects or has confirmed that its payment data security system and the private credit card information it holds have been breached, it should take these measures right away:
The merchant or credit card processing company should immediately contain and minimize the exposure of the lost information. Card processing service providers and merchants should immediately begin an investigation into exactly what has happened and what data has been stolen or otherwise jeopardized.
Additionally, merchants should specifically follow a few crucial procedures. Before you get started, be sure to clearly document all of the actions that are about to be taken. Record everything that you can in the form of notes, interviews with customers and employees, and even pictures and “computer screenshots.” Also, save as many of the security logs as possible, as well as all other information that can be employed as evidence in the security investigation.
Immediately contact all parties who you think are or may be directly involved in the security breach. As a dutiful merchant, you should provide details of what happened and of your response to your company’s security group or legal department, your merchant processing account provider and the local Federal Bureau of Investigation field office that deals with financial sector crimes.
First of all, as a merchant, do not attempt to access the security systems that were compromised. Doing so may alert the hackers or create additional activity that makes it hard for investigators to determine who did what. Merchants should also not change any login credentials at all at this point.
Secondly, be sure to keep the compromised system powered on and running. However, you should disconnect the cables that link the compromised system to the rest of your network and related operations.
Finally, if your company uses a wireless computer network, be absolutely certain to change the network access codes and the name of the network (the SSID) on the access point. At that point, you can update all of your computer systems accordingly, with the exception of the compromised ones.
In the case of a security breach, your credit card processing company, along with the credit card associations, will assess the situation in great detail and review all of the actions required to ensure satisfactory protection against future loss or theft of crucial credit card transaction information.