
DATA SECURITY COMPLIANCE 101

By Richard W. Waak

Several of our client companies have inquired about the announced November 1 effective date for compliance with new, tighter data security requirements. These regulations, the FTC's so-called "Red Flag Rules," are the latest stage in the implementation of a 2003 federal law known as the Fair and Accurate Credit Transactions Act. One of the purposes of this Act was to enhance protection of consumers against identity theft.

The Act and the rules actually apply only to "Financial Institutions and Creditors." But, because of the way the rules affect the payment card industry, their impact covers a much broader segment, virtually all, of the commercial world. Some years ago, the merchant banking industry and card issuers developed and established the required compliance programs internally for detecting, preventing, and mitigating occurrences of hacking and identity theft. They then began implementing a staged plan to extend the effectiveness of those monitoring mechanisms throughout their merchant customer base. The biggest merchant account customers have long since been complying with the strictures of this industry program as a condition of using their payment card merchant accounts. Now it is time for smaller merchant users (0 to 1 million transactions per year) to do likewise.

WHAT DOES THIS MEAN FOR YOU?
If you have or want to have a merchant account which enables you to accept and process payments from your customers or distributors by credit or debit card, you will need to do the following:

  1. Establish a written policy for protecting the security of your customer (and employee) account data. The policy must include designation of employees responsible for carrying out the internal monitoring and security check procedures.
  2. Determine what your merchant level will be (based on the number of expected transactions, e.g., Level 4 is 0-20,000, Level 3 is 20,000-1 million, etc.). By accessing the web site at www.pcicomplianceguide.org you can get information and a chart to help make this determination, as well as other guidance that will tell you far more than you ever wanted to know about complying with the Payment Card Industry Data Security Standard (PCI DSS).
  3. Select and contract with an Approved Scanning Vendor (ASV). ASVs are industry-certified contractors who conduct electronic scans of your data handling systems. The web site has a link to lists of ASVs.
  4. Download and complete periodically (as specified for your merchant level) a PCI DSS Self-Assessment Questionnaire.
  5. Have the ASV conduct periodic (again, based upon your merchant level) network security scans. The PCI compliance website, your ASV, your telecommunications vendor, and your merchant banks will all be able to help and advise you.



Richard W. Waak has been working as a lawyer in the field of network marketing and direct selling for more than 30 years, with 22 years as in-house counsel to some of the most prominent companies in the industry. Much of that time he served in the role of chief legal officer. After commencing his private law practice in 2001, he renewed his earlier "Amway-days" collaboration with Gerry Nehra. Now a Member of Nehra & Waak, he may be reached at the firm's Delton Office, 11300 E. Shore Dr., Delton, Michigan 49046, 269-623-6222. His email address is rwaak@mlmatty.com. Permission to reproduce with attribution is granted.

© Richard W. Waak