What would today’s retailer do without credit cards? Like most merchants, pet stores have found that the ubiquitous plastic card has become the default transaction tool for purchases large and small.
There’s hidden danger, though, in being too cavalier about how a store’s staff handles card transactions. A retailer can be hit with costly fines and penalties if it ignores increasingly tight regulations governing the protection of customer data—especially if the violation leads to an actual release of customer information into criminal hands.
“Merchants who store, process or transmit credit card data need to understand they have a responsibility to protect that data,” says Mark Burnette, a partner with LBMC Security & Risk Services, a Nashville-based consulting firm.
As the president of Pet Life, a 15-store pet specialty chain located in New England, Pete Risano understands the importance of securing customer credit card data. “It should be at the top of their priorities list,” he says. “Customers must maintain confidence that their retailer takes credit card security seriously, and at Pet Life, we do. Pet Life is very committed to our customers, and securing their financial information is part of that commitment.”
A Retailer’s Responsibility
So, who makes the rules when it comes to protecting customer data? The big boss here is the Payment Card Industry (PCI) Security Standards Council in Wakefield, Mass. This assemblage of credit card associations has been steadily tightening the reins on runaway data by releasing regulations in the form of official standards. The latest iteration, dubbed PCI Data Security Standard (PCI DSS), further strengthens the procedures that must be instituted by merchants by the end of the year.
Pet retailers that fail to follow the PCI compliance rules may be targeted for damages by their “acquirers”—the banks that provide merchant accounts. A close reading of a pet store’s merchant account contract will reveal that the bank has the power of the purse. “If the acquirer finds that you have been consistently noncompliant, fines can be assessed,” says Burnette. “And an actual breach of data can lead to even higher penalties.”
The extent of monetary damages depends on the size of the merchant, the size of the breach and the number of cards involved. Penalties have ranged from $10,000 into the six-figure range and beyond.
Not to be underestimated, either, is the costly hit a publicized breach can have on a merchant’s reputation. Many consumers will be reluctant to shop at an establishment where a breach has occurred.
But perhaps the greatest motivation for toeing the line is the threat of losing the merchant account itself. “The card association may take away your ability to accept credit cards at all,” says Burnette. “That can be extremely costly to any merchant.”
While failure to follow mandated data-protection guidelines is foolish, the good news in all this is that pet retailers can take positive steps to minimize risk.
Step one is drawing up a statement of standard operating procedures (SOP) for everyone in the organization. “Make sure you have a clear written policy about how to handle credit cards,” says Burnette. “And make sure your employees have been educated on the policy. Bring up the topic regularly in your staff meetings.”
A retailer’s SOP must address the critical need of keeping sensitive customer numbers under wraps. “Where the merchant is most vulnerable is in the accidental mishandling of card information,” says Burnette. “Suppose, for example, an employee takes an order over the phone, jots down the card number on a piece of paper, and then later drops the paper into the trash instead of a shredder. That violates the PCI and is bad business practice.”
Another good rule is to keep the credit card in the hands of the customer as long as possible. “Employees should quickly process the card and return it,” says Burnette. “This will keep the card from being accidentally grabbed [or from having its number written down] by someone else.”
The right hardware can be as important as the right procedures. For pet stores that have been using the same POS equipment for many years, it may be time to replace it. “Some retailers still have legacy equipment that they don’t even realize is capturing cardholder information that can be compromised,” says Paul Rianda, an attorney in Irvine, Calif. “In contrast, if merchants use newer equipment, and use it correctly, there should be no way to lose cardholder information.”
Computer systems face special challenges. “You need to establish rules about passwords and about access to the computer system,” says Burnette. “Each employee should have a unique security code, which they are forbidden to share with other employees or even with managers. The passwords should allow access only to those sections of the database required to do an individual’s job.”
Retailers should use only hardware and software that have been approved by the PCI Security Standards Council (approved vendor lists are available at pcisecuritystandards.org). It is important to use a firewall, and the store’s wireless router should be password-protected and use encryption. It is also essential to change default hardware passwords to complex ones.
As the world of electronic commerce has become more complicated, regulations have become more demanding. “There are over 255 individual requirements for PCI compliance,” says Burnette. “All of them have to be met. There is no wiggle room.”
It is little wonder, then, that many merchants are handing off the requisite procedures to a third-party organization, such as an independent sales organization (ISO). “Offloading responsibility to a third party is a good solution,” says Don Hartley, a consultant with Savannah, Ga.-based Tata Consultancy Services.
Retailers should be careful not to get trapped, though, by a false sense of security. The operational duties for carrying out PCI compliance can be outsourced, but pet stores cannot outsource their responsibility for protecting customer information. If something goes wrong, the retailer will be assumed guilty.
To protect themselves from fines and penalties, retailers should make sure their contracts specify the third party’s responsibilities for setting up and maintaining computer systems that comply with PCI standards. The third party should also be asked to provide, once a year, a PCI Report on Compliance signed off by a qualified security assessor (QSA). Both of these steps will help protect the retail business if the third party violates regulations.
Need to Know
Many of the protective steps that retailers can take derive from a broader maxim near and dear to the hearts of security people everywhere: Retain only the information you need. “Follow the rule that says ‘if you do not need customer information, you should not keep it,’” says Burnette.
This is a philosophy that Pet Life subscribes to. “Our customers’ credit card transactions are fully encrypted end-to-end, and processing data is never stored on our network—not before, during or after processing,” explains Risano.
Education is the first step to safety. Many smaller merchants are not aware of the duty to protect customer data, nor of the continually morphing rules. Ignorance of the law, as always, is no excuse. Taking basic steps will reduce a merchant’s risk considerably. Says Burnette: “Make sure you have a written policy in place, train your employees properly, and make sure your computer system is PCI compliant.”