Archive for the ‘data breach report’ Category

Is it ever ok to copy front and back of credit card?

Thursday, April 18th, 2013

No, not if the goal is to defend against future disputes. Merchants can never store the security code, on paper or electronically; doing so violates both the merchant card acceptance rules and the PCI Compliance* rules. The penalties can be especially stiff, reaching over one million dollars in fines and even jail time, for merchants in industries covered by special identity theft rules. For example, automotive dealers and health care providers also collect sensitive personal data, which increases their regulatory obligations to protect consumers from identity theft.

First Data, a leading credit card processor, has this language in its PCI Rapid Comply 2013 questionnaire: “Do you make sure that you NEVER, EVER store the card-validation code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions after authorization (even if encrypted)?”

If it’s never OK, how can card-not-present merchants protect against fraud and disputes?

  1. Increase capabilities to accept card-present transactions. For example, a local business might add mobile card readers so that delivery personnel can swipe credit cards.
  2. Require remote buyers to print the sales receipt, sign it and send it back. A signed sales receipt containing the authorization code and the correct authorization language strengthens the trail of evidence.
  3. Same as above, except that for commercial accounts, require that the cardholder forward the email receipt with their electronic signature from a company email address.
  4. Require cardholders to specifically approve any third-party delivery address or personnel. Maintain all email communication records related to the sales process.
  5. Switch to self-serve payments such as an online pay page or electronic bill presentment and payment, both of which create trails of electronic evidence. Use a third-party provider to reduce the PCI Compliance burden.
  6. Use a third-party service to electronically store sensitive payment information in a ‘vault’ for recurring customers. Ensure that no one can access the full card or ACH information.
  7. Have a set of policies that can be remotely managed, monitored and enforced. This is critical in a multi-location environment.

* PCI Compliance: short for the Payment Card Industry Data Security Standard, or PCI DSS. All merchants are subject to PCI Compliance, and the requirements vary by a number of factors, including how payments are accepted and business size.
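As an added illustration of the “never store the card-validation code” rule and of item 6 above (a tokenizing vault that keeps merchant staff away from the full card number), the Python sketch below is not from the post or from CenPOS; the two in-memory stores, the field names and the test PAN 4111 1111 1111 1111 are constructed stand-ins:

```python
import secrets

# Constructed stand-in for a third-party vault: the provider keeps the full
# PAN behind an opaque token; the merchant side keeps only what PCI DSS
# allows it to display. Not a real vault API.
_PROVIDER_VAULT: dict = {}     # token -> full PAN (provider side only)
_MERCHANT_RECORDS: dict = {}   # token -> masked PAN and expiry (merchant side)

# Field names under which a card-validation code might arrive (assumed set)
FORBIDDEN_FIELDS = {"cvv", "cvc", "cvv2", "cid", "security_code"}

def luhn_valid(pan: str) -> bool:
    """Mod-10 check that a PAN is well-formed before it is tokenized."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """PCI DSS display masking: at most the first six and last four digits."""
    digits = "".join(c for c in pan if c.isdigit())
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def storage_violation(card: dict) -> str:
    """Return why a card record may not be stored, or "" if it may."""
    if FORBIDDEN_FIELDS & {k.lower() for k in card}:
        return "card-validation code must never be stored"
    if not luhn_valid(card.get("pan", "")):
        return "PAN failed Luhn check"
    return ""

def vault_card(card: dict) -> str:
    """Tokenize a recurring customer's card. The security code is refused
    outright: it is used only for the authorization call and must never
    reach either store, encrypted or not."""
    reason = storage_violation(card)
    if reason:
        raise ValueError(reason)
    pan = "".join(c for c in card["pan"] if c.isdigit())
    token = secrets.token_urlsafe(16)
    _PROVIDER_VAULT[token] = pan                                   # provider side
    _MERCHANT_RECORDS[token] = {"masked_pan": mask_pan(pan), "exp": card["exp"]}
    return token

def merchant_view(token: str) -> dict:
    """All merchant staff can see about a vaulted card: masked PAN and expiry."""
    return dict(_MERCHANT_RECORDS[token])
```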

About the author: Christine specializes in providing innovative card not present payment processing solutions for manufacturers, wholesale distributors and new car dealers to improve PCI Compliance and streamline the payment experience for both merchants and customers. It’s fast, easy to use, and requires no capital investment to implement. For CenPOS sales call Christine at 954-942-0483 or click here for more information.

Retailer Sues Visa Over $13 Million ‘Fine’ after Failing PCI Compliance Standards

Thursday, March 21st, 2013

Genesco, a sports apparel retailer, is fighting back against the arbitrary multi-million-dollar penalties that credit card companies impose on banks and merchants for data breaches by filing a first-of-its-kind $13 million lawsuit against Visa. While specifics are not fully public, the company maintains that it found packet-sniffing software on its network but never uncovered forensic evidence that the hackers actually stole any card data.

http://www.wired.com/threatlevel/2013/03/genesco-sues-visa/

###

CenPOS, a private cloud, hosted-payment processing network, can reduce PCI burden for retailers. Contact us for more information.


Global Payments Not Certified PCI-DSS Compliant – Breach Costs Reach $94M

Tuesday, January 15th, 2013

Highlights from the Global Payments quarterly report released January 8, 2013, reveal that costs related to the 2012 data breach have reached $93.9 million and that additional material costs will be incurred in 2013. The company is still working on PCI DSS certification. It has not yet been put back on the list of PCI DSS compliant service providers; however, the impact on revenue has been “immaterial”.

“As a result of this event, certain card networks removed us from their list of PCI DSS compliant service providers. Our removal from certain networks’ lists of PCI DSS compliant service providers could mean that certain existing customers and other third parties may cease using, referring or selling our products and services. Also, prospective customers and other third parties may choose to delay or choose not to consider us for their processing needs. In addition, the card networks could refuse to allow us to process through their networks. To date, the impact on revenue that we can confirm related to our removal from the lists has been immaterial. Also the impact on revenue of customers or other third parties who have failed to renew, terminated negotiations, or informed us they are not considering us at all, where we can confirm it is related to our removal from the lists, has been immaterial. We continue to process transactions worldwide through all of the card networks. We hired a Qualified Security Assessor, or QSA, to conduct an independent review of the PCI DSS compliance of our systems. Our work to remediate our systems and processes is substantially complete. Our QSA is currently evaluating our remediation work. Once the QSA’s evaluation is complete we will work closely with the networks to return to the list of PCI DSS compliant service providers as quickly as possible. Our failure or a delay in returning to the list could have a material adverse effect on our business, financial condition, results of operations and cash flows.”

In addition to the credit card data breach, the “investigation also revealed potential unauthorized access to servers containing personal information collected from merchants who applied for processing services.” Merchant account applications contain information that is valuable to identity thieves, including business owners’ social security numbers and home addresses.

Another potential financial blow is the class action suit related to the ‘intrusion’, as Global Payments refers to the breach. “We have not recorded a loss accrual related to this matter because we have not determined that a loss is probable.”

Thieves Found Citigroup Site an Easy Entry for customer data

Wednesday, June 22nd, 2011

The NY Times reports that hackers got into Citigroup via its customer credit card account management website. In 2008, the underground market for the data was flooded with more than 360 million stolen personal records, most of them credit and debit files. That compared with 3.8 million records stolen in 2010, according to a report by Verizon and the Secret Service, which investigates credit card fraud along with other law enforcement agencies such as the Federal Bureau of Investigation. As a result, the price of data is going up and hackers abound.