TMCnet News

PCI Compliance [Collector]
[August 01, 2014]



Credit and collection companies that accept credit card payments must comply with PCI requirements.

For third-party collection agencies and creditors, compliance in today's collection industry extends beyond statutes such as the Fair Debt Collection Practices Act and regulations that directly affect how consumer debts are recovered. Businesses that accept credit card payments in the debt recovery process are also subject to a stringent set of compliance requirements under the umbrella of the Payment Card Industry Security Standards Council.



At a time when companies ranging in size from large, global corporations to small, single-owner businesses have encountered data breaches, protecting consumer credit card data is the primary objective for having a compliant operation.

"If you take plastic, then PCI applies to you," said Ron King, president of Merchant Preservation Services, during a recent ACA International teleseminar on PCI compliance issues and best practices.


The potential costs of fines, penalties and offsetting consumer expenses for credit protection are just some of the risks associated with noncompliance. Creditors also face the loss of future business from clients whose information has been compromised.

The PCI Security Standards Council publishes a series of four security standards to ensure compliance throughout the payment card industry. While separate standards are created for software developers and computer hardware manufacturers, all merchants, including creditors and collection agencies, are subject to Data Security Standards (PCI DSS) to ensure that there are secure environments for storing or hosting credit card data.

Under the PCI standards, cardholder data not only includes consumers' account numbers, but also address information, security codes and personal identification numbers. The standards affect merchants that store, process or transmit any cardholder data.

Credit card security involves multiple relationships between business entities. In addition to the PCI Security Standards Council, which is responsible for managing the PCI DSS and certifying external and internal assessors, these groups include:

* Banks - Banks communicate with and educate merchants on data standards and report on compliance status.

* Card Associations - Visa, MasterCard, Discover and American Express each have an association of banks and servicers. These groups are directly responsible for enforcing and monitoring merchant compliance with the PCI DSS.

* Merchants - Companies that accept credit card payments are responsible for safeguarding credit card data and complying with the PCI DSS.

Merchants and servicers (an industry term that differs from the Consumer Financial Protection Bureau's definition) are classified at four different levels based on their annual transaction volume. Most collection industry businesses would be considered "Level 4," meaning they accept fewer than 1 million Visa and/or MasterCard transactions or fewer than 50,000 American Express payments each year.

King noted that all merchants are assumed to be compliant today, although banks and other related service providers will be requiring validation in the near future. Larger businesses are already required to go through extensive systems testing and scans, as well as an annual on-site assessment by a qualified and approved assessor.

All merchants must meet the following validation requirements:

* Annual self-assessment questionnaire.

* Quarterly network scan.

* Annual penetration test.

The questionnaire formats vary based on how merchants accept and process credit card transactions. Depending on whether payments are accepted online without the actual credit card present, or handled by a third-party processor, the merchant must complete slightly different forms of questionnaires, with outsourced payment handling having the fewest items to review.

"No matter how or who processes your credit card payments, your company is responsible for compliance with the PCI data standards," said King, who encourages merchants to try to achieve maximum compliance, no matter how their business is classified by the card associations or how their transactions are processed.

Under the PCI DSS, there are six control objectives to ensure all businesses are compliant:

1. Build and maintain a secure network. This step includes installing and maintaining secure firewalls and changing vendor-supplied defaults for system passwords and other security parameters.

2. Protect cardholder data. This includes stored and hosted data security and encryption of sensitive information across public networks.

3. Maintain a vulnerability management program. In addition to using and regularly updating anti-virus software, this means developing and maintaining secure systems and applications.

4. Implement strong access control measures. Here, data access should be limited on a need-to-know basis, with individual employees having unique system identifications. Physical access to cardholder data should be restricted.

5. Regularly monitor and test networks. All access to network resources should be tracked and monitored with regular tests of all security systems and processes.

6. Maintain an information security policy. While this document may not differ from other existing policies, credit card data should be incorporated as needed whenever modifying and changing corporate policies and procedures.

Ensuring compliance with PCI requirements always should involve a company's IT department or chief information officer, compliance officer, operations manager and appropriate corporate executives.

Together, these individuals need to understand how the standards and requirements for the PCI DSS fit into the company's existing business model, and who ultimately assumes ownership for routine testing, questionnaire completion, policy and process changes, and development of a routine schedule for systems testing and evaluation to ensure full compliance.

Communicating PCI requirements to all employees should not be taken for granted. Some consumers don't think about the risk of including their credit card numbers in an e-mail or via fax. Collectors anxious to receive payment could leave the cardholder information on their desks or some other place where it could be viewed by others. King stresses that PCI compliance is a business issue, and not just another IT issue.

"We must protect the cardholders' information at all times," King stressed.

Business owners and compliance officers also should be looking at their daily operations to identify potential areas of concern.

For example, whether credit card data is maintained in an electronic or physical format, companies should limit employee access to a strict, need-to-know basis. That means even if a company's accounting department already has established cash handling procedures, the company should review how long it maintains credit card data and where it is stored.

If data is stored on company servers, consider opting for a payment processing company that would "host" your data on its own equipment. While using a third party to host data does not limit a company's responsibility for compliance, it will limit its risk, King said.

In the event that data is compromised, companies should have contingency plans in place for both internal and external notifications to be made immediately. Some states have laws or regulations requiring notice to government agencies and/or consumers. At a minimum, firms should be prepared to stop affected activities until there is clear assurance that breaches or other problems have been fully identified and resolved.

Some other best practices include:

* Segregate duties so that individuals who are reconciling or accounting for transactions are not involved in processing credit card payments or refunds.

* Make sure that business practices are handled similarly if your company has multiple or branch offices. PCI compliance should be the same no matter how many locations your company operates.

* Destroy any documentation containing credit card information when it is no longer needed for business or legal reasons.

If a company opts for an outside assessment firm to review its systems and compliance procedures, King recommended using a company that is certified by the PCI Standards Council to ensure there is knowledge of the most current requirements and processes. Because the council and card associations continuously review their standards and have been publishing updates on a three- to four-year cycle, using the wrong benchmarks leaves companies at risk.

Online PCI Resources

For additional information regarding PCI compliance, visit the following websites.

* PCI Security Standards Council: http://www.pcisecuritystandards.org

* Card associations: http://www.visa.com/cisp and http://www.mastercard.com/sdp

* Privacy Rights Clearinghouse: http://www.privacyrights.org/ar/idtheftsurveys.htm

By David Glezerman, MCE

David Glezerman is assistant vice president and bursar at Temple University in Philadelphia. He can be reached at [email protected].

(c) 2014 ACA International
