PCI/CISP Credit Card Security for Business Owners

What lessons can business owners learn from CardSystems, BJ's Wholesale Club & CartManager?


As a business that accepts credit cards, do you know what your responsibilities are?

Raj Goel, CISSP, CTO Brainlink International, Inc. / 917-685-7731

Lessons learned

  1. PCI/CISP compliance is mandatory for all merchants that accept any form of credit, debit or bank card. There are no exceptions.

      • Penalties for non-compliance are hefty.

      • Not only will it cost you penalty fees, it could cost you a significant loss of business.

      • VISA and Amex have terminated their relationships with CardSystems.

      • BJ's faces lawsuits totaling millions of dollars.

  2. The FTC, private plaintiffs and lawyers pose additional threats.

  3. Your business may be subject to additional state and federal laws as well.

  4. Auditing is not compliance.

      • Compliance is a daily process, and a frame of mind, that strives to keep your business from running afoul of the regulations.


Brainlink stands ready to assist clients in reducing security threats and meeting compliance requirements for PCI/CISP and other information security standards (HIPAA, SOX, GLBA, etc.).

The examples below illustrate the different types of non-compliance risks businesses face.

1. PCI/CISP Non-Compliance

The CardSystems Solutions breach (40 million credit cards compromised) has already resulted in a class-action lawsuit against CardSystems, Visa, MasterCard and Merrick Bank of Utah. What's interesting about this lawsuit is that the case was filed in California, by a California law firm representing California plaintiffs, against financial firms in Arizona, California, New York and Utah. This means businesses across the country face the risk of litigation in the event of a security breach.

A risk that most businesses face is collecting and storing unnecessary data. As reported in a June 20, 2005 New York Times article:

The chief of the credit card processing company whose computer system was penetrated by data thieves, exposing 40 million cardholders to a risk of fraud, acknowledged yesterday that the company should not have been retaining those records.

In our experience, most businesses store unnecessary data, or collect far more data than is necessary.

2. Information Security Non-Compliance

BJ's Wholesale Club's network was broken into and customer records were compromised. To date, BJ's has settled with the FTC and still faces lawsuits from banks with claims amounting to approximately $ 13 million.

The FTC charged that BJ's engaged in a number of practices which, taken together, did not provide reasonable security for sensitive customer information. Specifically, the agency alleged that BJ's:

  • Failed to encrypt consumer information when it was transmitted or stored on computers in BJ's stores;

  • Created unnecessary risks to the information by storing it for up to 30 days, in violation of bank security rules, even when it no longer needed the information;

  • Stored the information in files that could be accessed using commonly known default user IDs and passwords;

  • Failed to use readily available security measures to prevent unauthorized wireless connections to its networks; and

  • Failed to use measures sufficient to detect unauthorized access to the networks or to conduct security investigations.

3. Privacy Policy Non-Compliance

Vision I Properties, LLC, DBA CartManager International, an outsourced provider of ecommerce and shopping cart services, recently settled with the FTC regarding charges that it "rented" personal information about merchants' customers, in violation of its privacy policies. As a business owner, are you aware of your privacy policies? Do you rent outsourced ecommerce solutions? Do their privacy policies (or lack thereof) put your business at risk?


Security Overview

It is important to recognize that merchants do not exist in a vacuum, and credit card acceptance is just one component of a successful business. Depending on the nature of the business, other risks must be managed as well. For example, health care institutions (hospitals, medical clinics, doctors' offices, diagnostic labs, etc.) must adhere to HIPAA privacy and security regulations as well.

Businesses from real estate agencies to automobile dealerships to money transfer agencies to certain types of ecommerce applications may face Gramm-Leach-Bliley (GLBA) compliance as well.

Following the PayMaxx, ChoicePoint and LexisNexis breaches, several states have proposed legislation regarding information collection, ID theft and customer privacy issues. As these state (or federal) laws come into effect, it will become even more important that business owners engage in a comprehensive, organization-wide security auditing and compliance program.



PCI/CISP Overview:

From the Visa.com website (http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html):


When customers offer their bankcard at the point of sale, over the Internet, on the phone, or through the mail, they want assurance that their account information is safe. That’s why Visa USA has instituted the Cardholder Information Security Program (CISP). Mandated since June 2001, the program is intended to protect Visa cardholder data—wherever it resides—ensuring that members, merchants, and service providers maintain the highest information security standard.

CISP compliance is required of all merchants and service providers that store, process, or transmit Visa cardholder data. The program applies to all payment channels, including retail (brick-and-mortar), mail/telephone order, and e-commerce.

CISP Compliance Penalties

If a merchant or service provider does not comply with the security requirements or fails to rectify a security issue, Visa may:

  • Fine the acquiring member

  • Impose restrictions on the merchant or its agent, or

  • Permanently prohibit the merchant or its agent from participating in Visa programs

Members receive protection from fines for merchants or service providers that have been compromised but found to be CISP-compliant at the time of the security breach. Members are subject to fines, up to $500,000 per incident, for any merchant or service provider that is compromised and not CISP-compliant at the time of the incident.

Last Updated (Thursday, 06 April 2006)