By Aaron Bills
Online fraud resulting from card data breaches is a serious problem. Forrester Research estimates that data theft costs merchants about $90 to $305 per stolen record. Considering the increase in data compromises and their resultant business impact, merchants must carefully examine the rationale for storing credit card numbers internally.
As ISOs and merchant level salespeople (MLSs), you know merchants need to protect sensitive customer data.
Recent trends indicate many retailers outsource card data storage to third parties. This strategy minimizes the possibility that a security breach or data theft will damage their operations and reputations.
Also, the cost to keep computer systems secure can become too expensive and time-consuming for many companies. Herein lies the opportunity to understand merchant requirements and assess available security options.
The underlying goal is the same: to help your clients avoid creating liability. Act consultatively. And remember, the more card data your customers store internally, the greater will be the consequences of breaches.
Following are five guidelines to assist your sales process and ensure that you suggest the best remote storage solution for each merchant.
Recommend service providers and solutions that are certified compliant with the Payment Card Industry (PCI) Data Security Standard or Visa U.S.A.'s Payment Applications Best Practices (PABP).
PCI and PABP define the framework for creating an organization's information assurance standard, as well as provide specific technical guidance in key areas.
For a merchant to be considered PCI-compliant, any service providers that store, process or transmit account data on behalf of the merchant must also be compliant. Briefly, the 12 requirements of PCI are split into the following groupings:
Merchants also need to understand their transaction processing volume because the certification/validation level is determined by total transaction volume. You can offer to work with merchants' acquirers; they determine the compliance validation levels for each merchant.
By suggesting that merchants use PCI-compliant solutions provided by security-centric companies, you will help merchants understand the importance of information assurance throughout the industry.
Counsel merchants to implement solutions that provide secure transfer of data from merchants to their service providers' remote PCI-certified data centers.
Commonly cited best practices include the following:
Advocate solutions that offer multiple levels of authentication for accessing stored data. A robust solution should include at least three of the following methods:
The use of multifactor authentication helps ensure that processing of sensitive data is conducted by authorized parties only.
Direct merchants to establish relationships with vendors offering platform-neutral software design. This cost-effective measure ensures that solutions will work with any host system and lets merchants retain their business processes regardless of changes in operating systems or software application.
Understand merchants' current business processes, and recommend appropriate storage options. For example, merchants primarily in the Web-commerce arena will need systems with real-time card access and transaction processing capabilities.
However, if merchants support recurring invoice payments (such as health club memberships) they may need a blend of real-time and batch data processing/data transfer capabilities.
Often, companies doing repeat billing are vulnerable to security breaches because, historically, they needed bankcard data on hand. However, with the release of new information security and storage capabilities, you can now offer merchants supperior solutions.
Aaron Bills is Chief Operating Officer and co-founder of 3Delta Systems Inc. E-mail him at firstname.lastname@example.org or visit www.3dsi.com for more information on secure data storage solutions.
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next