• Payment Card Industry Data Security Standards: What Merchants Need To Know
  • February 13, 2007 | Authors: Theodore F. Claypoole; Michael W. Hubbard
  • Law Firms: Womble Carlyle Sandridge & Rice - Charlotte Office ; Womble Carlyle Sandridge & Rice - Raleigh Office
  • Rules and guidelines protecting confidential customer information have long been part of the health care and financial services industries. Now, similar rules have been put into place for retailers, service providers and any other business that accepts payment cards. As in other fields, the stakes for non-compliance are high.

    The payment card industry is putting the onus on merchants to protect confidential customer information using a new set of industry standards. Merchants who fail to follow the terms of these new guidelines may face liability for fines, liability for the fraudulent charges resulting from a data breach, and a revocation of credit card service, not to mention the bad press that goes along with a privacy breach.

    Version 1.1 of the Payment Card Industry (PCI) Data Security Standard took effect Jan. 1, 2007, and was created by representatives from American Express, Discover, MasterCard, JCB and Visa International. Merchants who accept payment cards (both credit and debit) must establish a number of security procedures including:

    • Maintaining a secure computer network, which includes installing firewall configurations;
    • Protecting stored customer data;
    • Encrypting customer data when it is transmitted;
    • Restricting access to customer data on a need-to-know basis;
    • Regularly testing security procedures; and
    • Having a policy to address customer data security.

    Some merchants also may be audited to ensure that they are meeting these new standards.

    While technology such as firewalls can improve data security, proper procedures for employees are vital. Most security breaches take place because of human error, he said, and training employees in how to handle confidential customer information is a company’s best defense.

    Also, companies that fail to establish and enforce privacy procedures run the risk of lawsuits from customers should a security breach happen.

    If you do not have the right policies and procedures in place, you do not have an excuse if there is a security breach.