
Ask Michigan Retailers / MORE QUESTIONS AND ANSWERS

How to approach data security?

Q. A customer asked me what our store is doing to prevent hackers from stealing her credit card information. How should I approach data security?

A. Media reports of stolen credit card numbers and other customer data have raised consumer awareness of data security. Retailers would be wise to understand data security and be prepared to answer customers’ questions.
Attention to data security has also been heightened by a relatively new industry standard: the Payment Card Industry Data Security Standard (PCI DSS, usually shortened to “PCI”).

Visa and MasterCard have each run their own data security programs for years (Visa’s CISP and MasterCard’s SDP); in late 2004 those programs were combined and streamlined, and the other major card associations have adopted the result under the name PCI Data Security Standard.

The new wrinkle: Visa and MasterCard now expect merchants to validate that they are complying. In practice this requires action only from mid-sized and large merchants (those that process more than 20,000 Visa transactions annually), which Visa and MasterCard require to validate their PCI compliance by June 30.

Most retailers—and most MRA members—are too small to fall under the card companies’ validation requirements. Being small does not put a store beyond the reach of hackers, however, so the standard still applies to you even if no one is checking. A store that runs a stand-alone terminal and keeps no card numbers on paper or computer is likely to meet most of the requirements already. Either way, it is wise to be familiar with them.

PCI is a list of 12 requirements that retailers and other businesses that handle credit card data must meet. It sets technology requirements such as encrypting stored card data and data sent over public networks, using network firewalls, and controlling, monitoring and logging access to cardholder data. It mandates establishing and maintaining formal security policies and vulnerability management programs (for example, keeping anti-virus software installed and current). One rule every merchant should know regardless of size: the full magnetic-stripe contents, the card verification code printed on the card, and PINs must never be stored after a transaction is authorized.

If your business is relatively small and uses self-contained dial-up terminals, such as the Verifone Omni series, with no connection to the Internet—which is where most data security issues become complex—and does not keep card numbers on your own computers, your data security concerns are small.

If you sell merchandise on the Internet, you should pay closer attention to the PCI standards. Even so, you are likely to be well on the way to compliance if you use a hosted shopping cart service that handles the card data itself, so that card numbers never pass through or sit on your own server, and if SSL (secure sockets layer) protects customer data sent over the Internet.

To understand the big picture on data security and to check whether you are in compliance with PCI, read the standard yourself and work through the self-assessment questionnaire that Visa requires of mid-sized and large merchants. Knowing more will also help you answer customers’ questions more fully and accurately.

Both the PCI data security standard guidelines and the self-assessment questionnaire are available at the card associations’ websites (try https://sdp.mastercardintl.com/ or http://usa.visa.com/ and search for PCI).

Business-to-business service providers and software vendors will be working “PCI-compliant” into their sales pitches. A firm offering to perform PCI network scans for your store may contact you about becoming “PCI compliant.”

Depending on your store and your technology, the service or software may or may not be valuable. If you process more than 20,000 Visa transactions annually, Visa requires a quarterly network scan by a scanning vendor the card associations have qualified for that purpose. A store whose payment equipment never touches the Internet has nothing for such a scan to examine.

Do you have a retailing question? Ask the Michigan Retailers Association by mail: 603 South Washington Avenue, Lansing, MI 48933;
by fax: 517.372.1303;
by e-mail: mra@retailers.com.