Learn how your organization can prevent credit card casualties that could cost you credibility and money.
It's a question on the minds of consumers everywhere, especially as they make their way through crowded malls or to online shopping carts this busy holiday season: "Do you take credit cards?" If you're like most businesses and associations, your answer is yes—and there are a lot of new credit card security requirements you need to know about to ensure a safe and secure environment for your in-store and online customers. Even if your answer is no, read up on these latest requirements—they will provide you with the information you need to know before booking your holiday travel or making any other online purchases.
The Facts
Identity theft results from non-secure business transactions every minute of every day. Whether collecting credit card data from customers online or in physical stores, companies must take steps to ensure the security of consumers' private information and prevent identity theft and fraudulent transactions.
- The U.S. Federal Trade Commission's Consumer Sentinel reports that, in 2005, credit card fraud was the most commonly reported form of identity theft, accounting for 26 percent of all cases of identity theft. (Source: http://www.consumer.gov/sentinel/)
- In a January 31, 2006 study, the Better Business Bureau (BBB) estimates that the identities of 8.9 million U.S. adults will be stolen in 2006, costing $56.6 billion. In the same study, the BBB finds that approximately 43 percent of victims' identities were stolen as a result of business or online transactions. (Source: http://www.bbb.org/Alerts/article.asp?ID=651)
- In one incident in July 2005, approximately 40 million credit card accounts were exposed to potential fraud as a result of a security breach at a third-party processor of payment card transactions. In a matter of hours, hackers exported the names, card numbers and card security codes for nearly 200,000 accounts. (Source: http://money.cnn.com/2005/06/17/news/master_card/index.htm)
Tougher Standards
As a result of a long line of data security breaches in 2005, the main credit card companies—American Express®, Discover® Card, MasterCard® and Visa® U.S.A.—created a series of stringent requirements designed to protect cardholders and the businesses that accept credit cards. Together, these requirements, released in January 2006, form the Payment Card Industry (PCI) Data Security Standard and govern the safekeeping and destruction of account information, as well as the use of agents or third parties in maintaining this information and reporting any security incidents.
The PCI requirements group merchants into four distinct levels, so that the requirements and the compliance mechanisms escalate with the merchant's number of annual transactions.
- Level 1 merchants process more than 6 million Visa® transactions each year—online or otherwise—or have suffered a hack or other security breach that caused data to be compromised. These merchants are required to undergo an annual onsite security audit and to complete a quarterly network scan. The company audit must be performed by a certified auditor. The network scan must be conducted by a qualified independent scan vendor.
- Level 2 merchants process between 1 million and 6 million Visa® transactions online per year. These merchants must complete an annual PCI self-assessment questionnaire and complete a quarterly network scan. Compliance must be validated by a qualified independent scan vendor and by the merchant.
- Level 3 merchants process between 20,000 and 1 million Visa® transactions online per year. These merchants must meet the same set of criteria as the Level 2 merchants. They must complete an annual PCI self-assessment questionnaire and complete a quarterly network scan. Compliance must be validated by a qualified independent scan vendor and by the merchant.
- Level 4 includes all other merchants, regardless of the quantity of their online or in-store transactions. It is strongly recommended that these merchants complete an annual PCI self-assessment questionnaire, as well as an annual network scan, but neither is required to be validated by a certified party.
Why Comply?
Failure to comply with PCI regulations can result in significant fines from the PCI Data Security Standard (as much as $50,000 for a first offense and $100,000 thereafter), as well as the cancellation of payment processing capabilities. But, at the heart of the PCI standards are basic tenets that should govern the behavior of any quality corporation—make sure your internal network and system components are secure and intact; protect your consumers and your employees; guard your credibility.
"As more and more of the general public uses credit cards for auto payments, business-to-business payments and more, it is crucial that consumers have a sense of security," says Katherine Novikov, CEO of Diamond Mind, Inc., a niche credit card processing company. "These new regulations provide that security, and they are here to stay."
"Complying," Novikov continues, "is a form of superior customer service. To fail to do so would be to risk great embarrassment, as well as a loss of consumer confidence should a problem arise."
Getting Started
Optimal Networks has created an online information technology survey that will allow you to assess the overall security of your network. While this self-assessment is not a substitute for the questionnaire required by the PCI standards, it is a proactive tool that will help you to identify and suppress security problems before they occur. Optimal Networks can assist you in filling out this PCI self-assessment, and can also help you in taking stock of the security measures you currently have in place. Take the Optimal Networks survey.
If you have a question regarding any of the information contained within this article or would like a comprehensive network security analysis for your organization, please contact Optimal Networks at 240-499-7900 or by email.