FTC Studies Credit Card Data Security Compliance
The Federal Trade Commission (FTC) launched an investigation into the methods used by companies to determine credit card data security compliance with the Payment Card Industry Data Security Standards (PCI DSS). The agency issued a directive to nine of these companies including PricewaterhouseCoopers LLP, SecurityMetrics, and Verizon Enterprise Solutions (aka CyberTrust). These companies have 45 days to respond.
The FTC is “seeking details about the assessment process employed by the companies, including the ways assessors and companies they assess interact; copies of a limited set of example PCI DSS assessments, and information on additional services provided by the companies, including forensic audits.” Simply put, the agency wants to ensure that customers’ information is kept safely and securely, and that companies are doing their best to facilitate consumer privacy and protection.
What is PCI DSS?
In 2004, the major card brands (Visa, MasterCard, American Express, Discover and JCB) unified their security standards and applied them throughout the industry. The standards have not been signed into law, and though non-compliance is not a crime, non-adherence can lead to significant liability. PCI DSS is intended to ensure that companies protect customers’ sensitive data and private information. Card-issuing companies of retailers, and businesses processing more than a million card transactions annually, are subject to PCI DSS audits.
The organization provides educational information to the public at large, and as a global organization seeks to ensure the safety of cardholder information worldwide. It is designed to help merchants assess how their customers’ data is kept, if it is secure, and what can be implemented to ensure that privacy and security standards are met.
42.8 million cyber attacks are estimated to occur this year alone. Merchants can ward these off by adopting three technologies: EMV chip, tokenization and point-to-point encryption. Data needs to be kept securely both in transit and at rest. When a customer uses a credit or debit card at a store or online, that information has to travel securely from the point of sale to the store owner’s bank, to the card network, and on to the customer’s bank. The EMV chip card is ideal for in-person purchases; point-to-point encryption makes the data unreadable while it is in transit; and tokenization removes the need for card data to be stored by merchants at all. Devaluing the data in this way makes it less attractive for hackers to steal, use fraudulently, or post publicly.
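To make the tokenization point concrete, here is an added example (not code from the article or from any vendor it names) of a hypothetical provider-side token vault: the merchant stores only a token and the last four digits, and a simple cardholder-data scan confirms no Luhn-valid card number survives in merchant storage. The sample card number is a well-known test value, not a real account.

```python
import re
import secrets
import string

# Constructed sample: a well-known Visa test number, not a real account.
SAMPLE_PAN = "4111111111111111"

def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn checksum that card numbers carry."""
    digits = [int(ch) for ch in pan if ch.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Hypothetical provider-side vault: the only system that ever holds the PAN.
    Tokens are random letters, so they carry no card data and fail any PAN scan."""
    def __init__(self) -> None:
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> dict:
        if not luhn_valid(pan):
            raise ValueError("not a plausible card number")
        token = "tok_" + "".join(secrets.choice(string.ascii_letters) for _ in range(24))
        self._pan_by_token[token] = pan
        return {"token": token, "last4": pan[-4:]}   # merchant keeps only these

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]             # provider-side only

# 13-19 digits, optionally separated by spaces or dashes
PAN_PATTERN = re.compile(r"(?:\d[ -]?){13,19}")

def contains_pan(text: str) -> bool:
    """Basic cardholder-data scan: a Luhn-valid digit run means a PAN leaked into storage."""
    return any(luhn_valid(m.group()) for m in PAN_PATTERN.finditer(text))

def merchant_record(vault: TokenVault, pan: str) -> str:
    """What the merchant persists after tokenization: token and last4, never the PAN."""
    rec = vault.tokenize(pan)
    return f"customer=compass-rider token={rec['token']} last4={rec['last4']}"
```

A stolen merchant record is worthless without access to the vault, which is the “devaluing” the article describes; the same `contains_pan` scan can be run over logs and databases to catch card numbers that slipped past tokenization.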
As of the end of last year, only 20% of U.S. merchants had activated new EMV credit card chip readers, according to Stephanie Erickson, VP of Risk Products at Visa. Typically, it can be several years before mass adoption. In other countries, the use of a PIN adds an extra layer of security, but in the U.S., Visa believes that PINs can be stolen and that other technological enhancements, such as biometrics, can afford similar protection.
In the last five years alone, hundreds of millions of consumers were affected by credit card security breaches at major retailers, online companies, and in the hospitality industry. Companies such as Target; Home Depot; Sony; online retailer Zappos; Adobe Systems; Neiman Marcus; the arts and crafts store Michaels; and White Lodging Company (whose brands include Marriott, Radisson, Renaissance, Sheraton, Westin and Holiday Inn) all had customer credit card data security breaches and information stolen by hackers. Target’s breach cost the organization over $390 million, which included more than $100 million in settlements with banks and customers.
Another example is San Diego’s Metropolitan Transit System (MTS), which is undergoing assessment for non-compliance with PCI DSS. The MTS’s monthly and multi-day pass, the Compass Card, is automatically loaded using a personal credit card or debit card. Because of non-compliance, riders are vulnerable to hacker attacks and to having their personal information and credit card data stolen.
The MTS was aware the system needed security upgrades before July 2014, when it was still run by the San Diego Association of Governments. After the MTS took it over, officials realized how much of a security problem existed. They retained a data security firm and have already spent over $700,000, but estimate costs in the vicinity of $7 million to be in proper compliance with PCI DSS. Meanwhile, transit riders remain at risk whenever they use a credit or debit card to reload their Compass Card.
The costs are extraordinary when organizations don’t take steps to maintain compliance with PCI guidelines. When security breaches occur, sales suffer. Other potential costs are fraud losses, card replacements, fines and penalties, legal fees, and sometimes even bankruptcy.
Companies like Global Enterprise Strategies, in partnership with Global Data Sentinel, can help organizations mitigate these problems. Currently pursuing HITRUST validation, GDS expects to be a PCI Point-to-Point Encryption Solution Provider in the near future. Protecting customers’ and employee data at rest and in transit, with end-to-end encryption, zero-knowledge privacy, perfect forward secrecy, identity management, and user behavior analytics, ensures that data is kept inaccessible to hackers. Your business data and your customers’ information are far too valuable to leave vulnerable to attack. Contact us now.