Posts Tagged ‘data security’

Can you store track data and be PCI Compliant?

Monday, November 2nd, 2009

Does PCI Compliance allow you to save the track data until you process the card? For example, if someone gives you a card to process at the beginning of next month, can the track data be stored until then? JL

The answer is yes, but with limitations.

Track data is the information encoded in Track 1 and Track 2 of the magnetic stripe, or chip, on the back of a credit card, which is read by an electronic reader within the terminal or point-of-sale (POS) system. Track data contains information about the card and the cardholder.

What track data can be collected? When a credit or debit card is swiped, the track data may include the customer name, credit card number, expiration date, CVV number, and, for debit cards, information used as part of PIN encryption/decryption.

What track data can be stored? Merchants may store ONLY the customer’s name, credit card number, and expiration date, and only if that data is protected to PCI Data Security Standard requirements.
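As an added illustration (not code from this post or from CenPOS), a small parser that takes a raw swipe and keeps only the three storable elements, so the card verification value and PIN-related data in the rest of the track never reach storage. The track layouts follow ISO/IEC 7813, the regexes are deliberately simplified, and the sample reads use a constructed test card number.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Layouts per ISO/IEC 7813 (assumption: standard magstripe format; regexes simplified).
# Track 1: %B<PAN>^<SURNAME/FIRST>^<YYMM><service code><discretionary data>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
# Only pan, name and exp are captured; the trailing fields are matched and dropped.
TRACK1_RE = re.compile(r"^%B(?P<pan>\d{12,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})[^?]*\?$")
TRACK2_RE = re.compile(r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})[^?]*\?$")


@dataclass(frozen=True)
class StorableCardData:
    """The only track elements a merchant may retain (and must then protect)."""
    name: Optional[str]
    pan: str
    expiry_yymm: str


def luhn_ok(pan: str) -> bool:
    """Catch a mis-read PAN before anything is persisted."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def extract_storable(track: str) -> StorableCardData:
    """Return only name, PAN and expiry from a raw track read.
    Service code and discretionary data (card verification value, PIN-related
    data) are matched but never captured; the raw track must be discarded too."""
    name = None
    m = TRACK1_RE.match(track)
    if m:
        surname, _, first = m.group("name").partition("/")
        name = f"{first.strip()} {surname.strip()}".strip()
    else:
        m = TRACK2_RE.match(track)
        if not m:
            raise ValueError("unrecognised track format")
    pan = m.group("pan")
    if not luhn_ok(pan):
        raise ValueError("PAN failed Luhn check")
    return StorableCardData(name, pan, m.group("exp"))


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed sample reads using the well-known 4111... test number, not a real account.
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JANE^25121011234567890?"
SAMPLE_TRACK2 = ";4111111111111111=25121011234567890?"
```

Whatever is persisted should be the `StorableCardData` fields (encrypted at rest), never the `SAMPLE_TRACK*` strings themselves.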

How and where will you store the track data? This is the crux of PCI Data Security and should be your most important consideration. Do you use POS software? Do you know if it is PCI Compliant? Some are, some are not. Even some very big software companies are not, but are ‘working on it’.

A technology solution that I sell (I work directly for the company) is CenPOS. The data is encrypted, stored off site, meets all current data security standards, and the solution is fully PCI Compliant.

Article on prohibited Cardholder Data Storage from Visa.

Top 5 merchant violations contributing to data compromise

Wednesday, July 8th, 2009

Visa’s Top Five Data Security Vulnerabilities Identified for merchants (PDF). Why are there so many data breaches? To promote compliance with the Cardholder Information Security Program (CISP) and the Payment Card Industry Data Security Standard (PCI DSS), Visa has identified the top five vulnerabilities detected in compromises. It’s a great quick list for you to check your own compliance.

Heartland Data Security Breach- what they didn’t say

Thursday, January 22nd, 2009

When you read their press release, there is barely a hint that any harm occurred. But what the press release doesn’t spell out is the data that has been compromised and how it was compromised.

Visa and MasterCard received reports of fraudulent card use by their issuing banks last November and subsequently notified Heartland, according to a Washington Post report. Heartland didn’t even realize they had a problem.

The problem was internal. It was not an external attack, but the result of spyware being placed within their own internal systems. Heartland’s CEO says a piece of spyware stole payment card data as it passed through the company network. Everyone passes encrypted data to their processor, but what happened to the data once it reached Heartland? Why is this an important difference? We like to think our databases are secure from outside hacker attacks when companies have installed specific systems and software solutions for protection. If an outsider can hack into a secure system that has done everything correctly, then the world of data security is lost.

You really have to read between the lines to figure out what was compromised. Their press release is all about what wasn’t lost. Those behind the breach intercepted and stole the so-called Track 2 data from the magnetic stripe on the back of cards, which is all that’s needed to create counterfeit cards.

IMPLICATIONS FOR CONSUMERS:

If you visited a merchant who uses Heartland for payment processing, and you have no way of knowing this, your card data may have been compromised. Your card could be cloned and presented for payment to other merchants. Identity theft is not expected to be an issue. Watch your statements for improper activity or replace your card. Heartland has over 250,000 merchants, many of whom are restaurants and hotels. Consumers have no financial liability.

IMPLICATIONS FOR MERCHANTS:

Merchants have no financial liability. Merchants may have to download a software update, though Heartland has not yet released any information about this. It’s possible there may be none. If a download is needed, this could be a nightmare with so many merchants needing to update simultaneously. Since many in the restaurant industry use third-party solutions, the burden shifts to those third-party suppliers in some cases.

Do merchants have an obligation to notify customers? No, the data breach is not theirs and they would have no way of knowing personal information about their shoppers.

Should merchants change processors? That’s a personal decision. Read the next section.

IMPLICATIONS FOR HEARTLAND:

What will it cost? If a merchant is non-compliant at the time of a breach, merchants can be fined up to $500,000 per incident and face remediation costs between $90 and $302 per card. With over 100,000,000 transactions monthly, there are probably at least that many cards exposed; do the math. The cost could be astronomical unless they are protected by safe harbor.

Safe Harbor

Visa defines safe harbor as the following:
“Safe harbor provides members protection from Visa fines and compliance exposure in the event its merchant or service provider experiences a data compromise. To attain safe harbor status:

1. A member, merchant, or service provider must maintain full compliance at all times, including at the time of breach as demonstrated during a forensic investigation.

2. A member must demonstrate that prior to the compromise their merchant had already met the compliance validation requirements, demonstrating full compliance.”

If they are protected by Safe Harbor, they still must pay to replace all cards.

If they are not protected by Safe Harbor, can they afford the fines and costs? If not, what will happen to the merchants processing with them?