Making sure that you don’t fall victim to credit card fraud
My wife and I have always wanted to visit Italy, but unfortunately our credit card got there before us. A few years ago, our bank contacted my wife, inquiring whether she had recently spent $1,000 on a round of drinks in Palermo. It turned out she had shopped at a merchant that had suffered an electronic break-in. The bank accepted that we did not incur the expenses, but as card fraud has risen over the years, it has become so costly that the credit card associations are fighting back by introducing the Payment Card Industry Data Security Standard (PCI DSS).

PCI DSS is a set of comprehensive requirements to enhance payment account data security (i.e. card numbers and related information). It was jointly developed by the card brands when they collectively formed the PCI Council. PCI DSS facilitates the global adoption of consistent data security measures which reduce the risk of compromise and protect cardholders. The requirements apply to both banks and merchants.

Florence Smith, product manager for merchant services electronic banking at Butterfield Bank, explained that the PCI Council groups merchants into levels based on the number of card transactions they process each year, and the requirements differ slightly for each level. Most merchants in Bermuda are at Level four, which means they process fewer than 20,000 e-commerce transactions or fewer than one million traditional card transactions per year. The data show that larger merchants are less vulnerable to a compromise because they tend to have more infrastructure and more resources at their disposal.

Under PCI DSS, all merchants are required to report their compliance status at least annually. According to Ms Smith, merchants must complete an annual Self-Assessment Questionnaire (SAQ), which can be quite burdensome. In addition, merchants also have to demonstrate that their network is secure via network scans.
Ms Smith said: “Butterfield Bank is implementing a new web portal with United States partner Trustwave that will allow our merchant clients to complete an online SAQ and perform their own network scans at low cost.” According to Ms Smith, the bank will review each client-completed SAQ and then make a determination as to the client’s level of risk.

Ms Smith said: “Our clients will be provisioned with around-the-clock support to Trustwave personnel. If there are any issues arising from the quarterly network scans, clients will need to remediate them and will be able to address [questions] on this directly to Trustwave (or Butterfield). The portal will also contain training information. There are fees associated with using the portal, but the bank has made them extremely competitive when compared with similar third-party services.”

Standard merchant agreements will be amended with an addendum stipulating that merchants must comply with the new requirements. Merchants should realise that these requirements are being passed down from the card associations themselves, so any bank that processes cards will require all of its merchants to adhere to them, not just Butterfield.

“I think it’s important to stress to business owners that at the end of the day, [in the event of a compromise] any fines imposed will be passed on from the card association down to the merchant,” said Ms Smith. “The fine is determined by the association and varies based on intensity and circumstance. Fees for forensic investigation, fraudulent purchases and card replacement costs will also be passed on. Then there is the reputation damage for the merchant.”

Ms Smith said: “We know our merchant base, we review the payment applications and will inform the client if their payment application falls out of compliance. We will work with our merchants to upgrade them in the event there is a compromise. There is a cost factor for merchants, but you can’t put a price on protecting your clients, or your reputation.”

Steven Hardy is the technology security officer for a local insurance company, and has worked in the IT industry since 1998. His views are his own and do not necessarily represent the views of his employer.