Consumer Security Beyond PCI Mandates

Jun 26, 2006 8:40 PM

A year after the Payment Card Industry (PCI) issued mandates requiring merchants to take ownership of protecting consumer card information, there’s growing evidence that was just the beginning.

On July 1, Indiana, New Jersey, and Nebraska become the latest states to implement data security breach laws, which require notification of those either affected or put at high risk. They follow 26 other states that have already passed such laws, with 14 states and the District of Columbia having similar bills on their legislative floors. Unlike the PCI mandates, the state laws require that retailers protect a wider scope of consumer information, with harsher penalties that apply throughout the entire sales or transfer cycle.

Beyond the credit card number
At the state level, it often takes the disclosure of just two pieces of information to constitute a security breach. In most cases this means a first and last name combined with one or more of the following:

  • Social Security number
  • Driver’s license number
  • Telephone number
  • Passport number
  • Food stamp account numbers
  • Medical records
  • Employer or tax ID number
  • Postal or e-mail address
  • Date of birth
  • Mother’s maiden name
  • Alien Registration Number

The list goes on and on, including almost any piece of personal information. Many merchants may be surprised to find how today’s collaborative enterprise is expanding the way information is shared:

Finance/loss prevention: This is where PCI has the most impact, as nearly all merchants offer consumers the flexibility to pay by credit card. Because fraud and identity theft are common, merchants must store information well beyond the point of sale, both for internal verification and for verification with the credit card companies themselves. Since basic data such as the card number and security codes can easily be replicated, card companies require additional information to ensure the authenticity of transactions. This includes driver’s license numbers, Social Security numbers, and a slew of other personal records.

Sales and marketing operations: One of the biggest revenue builders for merchants is promotional events, whether mass mailings detailing upcoming sales offers or customer loyalty programs giving special deals to frequent shoppers. Merchants need to identify and classify the specific consumers who qualify for these programs, whether that means something as simple as storing a person’s address for generic catalog mailings or holding more detailed information for customer reward programs.

Human resources: Today’s employment applications are becoming more comprehensive, with additional information being retained for verification and reference purposes. Employee databases keep growing, storing an abundance of personal information for payroll processing, 401k administration, healthcare plans, and other highly confidential matters.

Sourcing and manufacturing: Some states are extending the long arm of the law to cover merchants doing business with partners, even out-of-state ones. For example, if you are an Alabama retailer whose main distributor is in Florida, you are continually exchanging customer information for order processing. Even though Alabama has no specific state law of its own, the retailer would need to comply fully with Florida’s mandates, which are among the most stringent in the entire country.

A 5-minute gap analysis
Answering a few critical questions provides a fast evaluation of the gaps and of what needs to be addressed:

  • Are network and security assessments to measure compliance with PCI, federal, and state mandates a regular occurrence?
  • Are systems updated regularly to integrate new regulations?
  • Is data secured throughout the entire network of suppliers and other business partners?
  • Is data secure in all its states: at rest, at the point of transaction or in transit?
  • What is the awareness level around state laws affecting partners?
  • Are transaction audit files fully protected?
  • Is consumer data stored in an encrypted format?
  • Is there a hierarchy in place granting access to the most sensitive customer data to only those employees with proper clearance?

Positive responses indicate that an organization has moved well along the continuum of protecting consumer data.

Negative or neutral responses can carry devastating consequences, including loss of customer confidence, data compromises, unforgiving lawsuits, steep fines, and drops in stock price.

Even though merchants cannot fully control the laptops and other hardware carrying this information, they can take charge of the way the information itself is shielded. The time to act is now; later may be too late.

Gary Palgon is senior director of connectivity and security solutions for Atlanta-based nuBridges. He can be reached at gpalgon@nubridges.com.