These three letters could put you out on the street


Welcome to a new column written by John Mayleben, MRA’s vice president, technology and product development, to help members understand various issues in the electronic transaction arena. You can contact John at jmayleben@retailers.com.


Among the many acronyms that fill the news today are several that business owners who accept electronic forms of payment should be aware of.

One such acronym is PCI (more fully, PCI-DSS), which stands for the “Payment Card Industry Data Security Standard.” This is the new “law of the land” for any merchant who processes card transactions, although it is a contractual requirement set by the card brands rather than a statute.

When you agreed to accept Visa, MasterCard or any other credit card as payment, you entered into a contract that obligates you to secure the data you collect for processing transactions. PCI-DSS details those security measures.

You already know how to handle cash securely and you teach your staff basic precautions as well. You would not leave the cash drawer open and walk away from the counter.

Now you need to start treating credit card data in a similar fashion. This data (card account numbers and expiration dates) is a valuable commodity, and bad guys will try to steal it if they can.

While the PCI-DSS rules are lengthy, the basics that small businesses and retailers must understand are not quite so complex. Our advice for what retailers should be doing:

• Make sure that you are not, under any circumstance, storing complete cardholder data after the batch is closed. From a card-processing standpoint, there is no reason you need this data on your system. If you need a reference for a refund or a chargeback, the last four digits of the card number together with the authorization or transaction number are enough. Note also that the magnetic-stripe track data, the three- or four-digit security code and any PIN may never be stored at all, not even before the batch closes.

If you or someone in your business is collecting this data for other reasons, reconsider it. In my years of conversations with retailers from various industries, I have yet to see the need to keep this data for other reasons.

• Make sure that you control access to the system, just as you do your cash drawer. Whether it is a stand-alone terminal or a complex POS system, no unauthorized people should be accessing your system. A thief can quickly install a small skimming device on a terminal that captures every card swiped through it, so inspect your terminals regularly for anything added or tampered with, and know which terminal (by serial number) belongs at which register.

• Make sure you are aware of all the places credit card data can collect in addition to your credit card terminal. If you take card numbers over the phone, is the phone call recorded? That recording is a data collection point as well, and so is any order form or notepad where a number is written down. A website that collects card data is likewise a collection point and falls under the same rules.

If you don’t take time to understand the impact of these issues on your business, it could put you out of business. I know of a merchant—thankfully not one of our members—who had a data breach that exposed just 20 card account numbers.

The fine from the card associations for the breach was $50,000. The merchant lost the entire store because of this lapse in security.

More detailed information about PCI-DSS is available at MRA’s website, retailers.com, under the Security subheading of “Ask Michigan Retailers.”

Published in the January/February issue of Michigan Retailer.