Who isn’t concerned these days, and cautious, about identity theft and misuse of payment card account numbers? In 2016, 15.4 million consumers lost $16 billion, up from $15.3 billion lost by 13.1 million consumers in 2015. “The overall fraud incidence rose 16% to affect 6.15% of U.S. consumers, from 5.30% in 2015 — the highest on record.” This is according to the 2017 Identity Fraud Study from Javelin Strategy & Research. In a previous study, Javelin indicated that, “Businesses and financial institutions are more susceptible than ever to leaks, cyber-attacks, malware, and data breaches.”
In high-risk settings, such as businesses that electronically store customers’ cardholder data, the confidentiality of that data is a serious issue: a single stored primary account number (PAN) is enough for a criminal to commit fraud.
WHAT IS DATA SECURITY?
Is your electronically stored data protected against intentional and unintentional corruption and against unauthorized access and use? Data security, in general, refers to the measures that maintain the confidentiality, integrity, and availability of stored data and that prevent its misuse.
WHAT IS THE PAYMENT CARD INDUSTRY DOING ABOUT IT?
In response to a growing threat to the privacy and security of cardholder data, the Payment Card Industry Data Security Standard (PCI DSS) was developed, “to help facilitate the broad adoption of consistent data security measures on a global basis.”
Compliance with PCI DSS is mandated for all businesses and organizations accepting electronic payments or storing, processing, or transmitting cardholder data. This includes eCommerce web-sites, retailers, financial institutions, merchants, and service providers. Validation requirements vary, depending on the number of payment card transactions a firm processes per year and its data security history. They range from an annual Self-Assessment Questionnaire (SAQ) for small-volume organizations to an annual on-site assessment by a Qualified Security Assessor for the largest firms, in most cases accompanied by quarterly external vulnerability scans performed by an Approved Scanning Vendor.
WHAT CAN COMPANIES DO NOW?
Companies can always do more to protect sensitive data against identity theft.
For instance, some perpetrators target the ‘Account on File’ (card-on-file) data that merchants keep for repeat customers, extracting bank account and credit card numbers which are then used to make fraudulent purchases or open fraudulent accounts.
If your firm allows its customers to create and maintain an ‘Account on File’ to be used with subsequent purchases and re-orders, or if it otherwise stores sensitive cardholder data, it can use tokenization to protect its customers. Tokenization substitutes meaningless surrogate values (tokens) for the sensitive data. The real card number is kept in a separate, tightly controlled token vault, usually operated by a third-party provider, and only the token is stored in the merchant’s own systems. A token has no value outside that vault: it cannot be used to make a purchase, and nothing about the card number can be recovered from it. Systems that hold only tokens therefore have far less cardholder data to protect, which reduces both breach impact and PCI DSS scope.
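The following is an added illustration of the tokenization scheme described above; it is not code from the original post, and the vault, the record layout and the card numbers (standard test PANs) are all constructed for the example. It shows the three properties a practitioner cares about: the token is random rather than derived from the card number (a hash of a PAN is weak, since the issuer prefix and Luhn check digit leave only a few hundred million candidates to brute-force), detokenization is restricted to an authorized caller, and the merchant’s stored record can be scanned to confirm that no real card number is present.

```python
import json
import re
import secrets

# Constructed example (not the article's code). Synthetic test card numbers only.


def luhn_valid(pan: str) -> bool:
    """Luhn check: doubling every second digit from the right. Used to reject
    garbage input before it reaches the vault, and to recognise PANs in stored data."""
    digits = [int(d) for d in pan]
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """The only place the real PAN lives. In practice this is a hardened,
    PCI-scoped service (often a third-party provider); the merchant keeps tokens."""

    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}
        self._by_pan: dict[str, str] = {}  # same card -> same token, so repeat cards can be matched

    def tokenize(self, pan: str) -> str:
        pan = re.sub(r"[ -]", "", pan)
        if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        if pan in self._by_pan:
            return self._by_pan[pan]
        # Random token; the last four digits are retained for display ("card ending 1111").
        # Nothing else about the PAN is recoverable from the token.
        while True:
            token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
            if token not in self._by_token:
                break
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str, caller_authorized: bool) -> str:
        """Only the payment path (e.g. the service that submits the charge) may swap
        a token back for the PAN; every other caller is refused."""
        if not caller_authorized:
            raise PermissionError("detokenization is restricted to the payment path")
        return self._by_token[token]


def store_card_on_file(vault: TokenVault, customer_id: str, pan: str, expiry: str) -> dict:
    """What the merchant database holds for an 'Account on File': token, last four, expiry.
    No PAN, no CVV."""
    token = vault.tokenize(pan)
    return {"customer": customer_id, "card_token": token, "last4": token[-4:], "expiry": expiry}


_PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_pans(text: str) -> list[str]:
    """Scan stored data for anything that looks like a real card number:
    13-19 digit runs that pass the Luhn check. Useful as a sanity check that
    tokenized records really contain no cardholder data."""
    return [m for m in _PAN_RE.findall(text) if luhn_valid(m)]


if __name__ == "__main__":
    vault = TokenVault()
    record = store_card_on_file(vault, "cust-42", "4111 1111 1111 1111", "12/29")
    print(json.dumps(record))
    print("PANs found in record:", find_pans(json.dumps(record)))      # []
    print("PANs found in raw input:", find_pans("card 4111111111111111"))
```

The `find_pans` check doubles as a quick data-discovery pass over exports, logs or database dumps: if it ever returns a hit against the merchant side of the system, something is storing cardholder data outside the vault.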
Data security, which builds customer confidence, is something to be addressed early on, and compliance with the payment card industry standard gives it structure. Many companies have found PCI DSS to be a welcome guide to meeting their own data security objectives.
Complete information about the PCI Security Standards Council, its standards, Qualified Security Assessors, and Approved Scanning Vendors is available at www.pcisecuritystandards.org.
Editor’s note: This post was originally published in July, 2011, and has been updated with currently relevant data.