Safety concerns for consumers' credit card information prompt changes

Ever wonder what happens to your credit card data after you swipe that plastic in a store or enter it online? Today's answer: It depends.

An ongoing industry-wide effort is slowly standardizing data-handling processes to keep consumers' personal information as safe as possible, but it's a largely invisible struggle. Consumers who get their cards back often don't realize what data they've left behind; merchants know about it but don't like the cost and often don't understand the technology.

There are as many ways of handling data as there are merchants to take it. Some retailers work with state-of-the-art systems from merchant account providers (which the retailers may or may not know how to configure). Other merchants have self-written programs. Some retailers store card numbers. Others don't. Some have teams to help them test and troubleshoot. A few may be simply crossing their fingers.

What's at stake for merchants? Money and hassle. At stake for consumers? Money and their identities.

Standardizing card data handling

Several years ago, five major card companies -- American Express, Discover, MasterCard, Visa and Japanese card giant JCB -- banded together in an attempt to bring some uniformity to the process. They issued one set of guidelines for merchant data security, and the Payment Card Industry Data Security Standard, with its balky acronym of PCI DSS, was born; the card brands then formed a security council to maintain it.

"Definitely PCI has helped and is helping," says Mary Monahan, managing partner with Javelin Strategy & Research, an independent research firm that recently studied both card data fraud trends and merchant compliance with card data security standards.

A complex, little known system

Despite the high stakes, with identity theft and merchants' reputations in play, data handling by merchants gets little attention. It's understandable.
The merchants, who are ultimately responsible for following the rules, often stay at arm's length from the technology involved. Larger retailers have teams of computer and security experts who puzzle through the regulations and make sure the machinery is compliant. A small fry might rely on a payment processing company to handle the job or simply write a check to an outside consultant. And when their systems fail and consumers' card information gets into the hands of thieves, consumers usually learn little about it under the hodgepodge of state disclosure laws.

Merchants are "spending a lot of effort, a lot of time and a lot of money to become PCI compliant," says David Hogan, senior vice president and chief information officer for the National Retail Federation.

That said, many merchants welcome the movement toward standardized handling of consumer credit card data.

"Personally, I like the idea of all this," says David Haydel Sr., president of Haydel's Bakery in New Orleans. He estimates that two-thirds of his $3 million annual sales are credit-card based. Like fellow merchants, Haydel had to put out some money. His biggest expense: $10,000 for a specially written, compliant software program. But he looks at that, and the security standard, as a good investment. Though fraud eats up less than 0.1 percent of his sales, he's in favor of anything that will slice that rate and satisfy customers.

"It's going to cut back on fraud and misuse, and that's going to cut back on charge-backs," he says.

Who handles consumer data safely?

How many retailers are PCI compliant? No one really knows. As of January 2008, Visa estimated that more than 75 percent of its large merchants and two-thirds of its medium-sized merchants met the standards.

Which raises another question: Should compliance, or the lack of it, be public record? Some consumer advocates say yes.
"I think consumers deserve to know who's compliant and who's not," says Gail Hillebrand, senior attorney with Consumers Union, a nonprofit education and advocacy group.

Some payment processors and the PCI council itself don't want to see an official seal of approval awarded for compliance, fearing it would tip off thieves to merchants whose computers could be easily hacked. Many also believe a seal could be misleading. Businesses can be certified compliant one day, but adding machines, firing employees or acquiring locations or new software could compromise their status.