PCI: limit your exposure


John Mayleben, MRA’s vice president, technology and product development, writes a monthly column on retail technology. Contact John at jmayleben@retailers.com.


In a recent column I addressed the issue of PCI-DSS (Payment Card Industry Data Security Standards) and how—at least in the big picture—it impacts your store.

Now let’s dig a little deeper and explore how to identify, and then limit, the scope of your exposure to the risk of a data breach, which is the point of PCI-DSS. Most businesses that accept cards for payment can, with a little planning, dramatically limit their exposure to this risk.

A good approach is to follow a credit card transaction through its entire life cycle within your store, from the point that the consumer provides you the card to swipe to what might happen after you have been paid for the transaction. This process will identify the scope of your exposure and should lead to discussions about how to protect the data.

The place most merchants start is the POS system—either a cash register system or a traditional terminal. Review the process that your employees use to capture the data from the card.

This would also be a good time to discuss with your staff any other behaviors that might put you at risk. Recently I discovered a member whose employees were capturing card numbers in a separate database so they could handle re-orders and credits without creating an inconvenience to the customer. Obviously, the separate database is another point of exposure that now has to be considered and protected.

If you are unsure whether your POS system is PCI-compliant, ask! Call the vendor who installed it, the company that currently supports it, or the person who wrote the programming code to make sure that it is not storing transaction data any longer than needed and not storing prohibited data, such as a full mag-stripe read.

The next step in the lifecycle of a transaction, for the merchant, is the receipt. Make sure that any receipts being presented to the customer are truncating the card number (showing just the last four digits) and not showing the expiration date at all.

If your customer receipts are displaying any of this information, call your processor immediately to get it fixed. The fix is usually simple and takes little time.
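The two receipt checks described above (card number truncated to the last four digits, no expiration date printed) as an added Python example; this is not code from the column or from MRA. The receipt strings are constructed, and the pattern matching and Luhn filtering are my own assumptions about how a receipt line is laid out.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Expiration as MM/YY or MM/YYYY; the lookahead keeps MM/DD/YYYY sale dates from matching.
EXP_RE = re.compile(r"\b(?:0[1-9]|1[0-2])/(?:\d{4}|\d{2})\b(?!/\d)")

# Constructed sample receipt lines (not real transactions); 4111... is a standard test number.
COMPLIANT_RECEIPT = "VISA ************1111 AUTH 012345 TOTAL $42.17 05/22/2009 14:32"
NONCOMPLIANT_RECEIPT = "VISA 4111 1111 1111 1111 EXP 05/12 TOTAL $42.17 05/22/2009 14:32"


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check, which every real card number passes; weeds out ticket and auth numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def _is_pan(candidate: str) -> bool:
    """True for a digit run that passes Luhn once spaces and dashes are stripped."""
    return luhn_valid(re.sub(r"[ -]", "", candidate))

def mask_pan(pan: str) -> str:
    """Replace every digit except the last four with '*', keeping the PAN's own separators."""
    total_digits = sum(ch.isdigit() for ch in pan)
    seen, out = 0, []
    for ch in pan:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > total_digits - 4 else "*")
        else:
            out.append(ch)
    return "".join(out)

def find_exposures(receipt: str) -> list:
    """Return (kind, value) pairs for each full PAN or expiration date printed on a receipt line."""
    issues = [("full_pan", m.group()) for m in PAN_RE.finditer(receipt) if _is_pan(m.group())]
    issues += [("expiration", m.group()) for m in EXP_RE.finditer(receipt)]
    return issues

def fix_receipt(receipt: str) -> str:
    """Truncate any full PAN to its last four digits and drop any printed expiration date."""
    receipt = PAN_RE.sub(lambda m: mask_pan(m.group()) if _is_pan(m.group()) else m.group(), receipt)
    return EXP_RE.sub("[exp removed]", receipt)
```

Run `find_exposures` over a sample of printed receipts (or the POS print spool) to see whether a call to the processor is needed; an empty list for every line is the goal.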

Long-term storage of your copy of the receipt is another area of potential exposure. Truncating the data on the store copy is another way to limit your exposure, although each store must weigh this advantage against the disadvantage of not having all of the detail that is helpful in case a transaction must be reprocessed or a dispute or chargeback arises.

The last issue to consider in this process is limiting the scope of a data breach exposure that might result from physical theft—of either the hardware or the receipts from your store. Just as cash drawers need to be secured during the day and overnight, you need to make sure that you are securing your terminal or system and receipts.

There have been reports of bad guys simply reaching over the counter and grabbing either the card terminal (which stores the transactions until the next batch is released) or your copies of the sales drafts.

Note: MRA’s John Mayleben received this letter in response to his column in the April Retailer called “What’s a Benefits Card.”

Dear John,
I read your article in the Michigan Retailer and found it well written and accurate. As a member, we use MRA for credit card processing. We are also the largest Michigan-domiciled third-party administrator processing claims for HRA [health reimbursement accounts] and FSA [flexible spending accounts] using a benefit card.

We look forward to the full implementation of IIAS [inventory information approval systems] with the hope of improving processing and customer satisfaction. It was refreshing to read your informative, unbiased approach.
Sincerely,

Fritz Teutsch
BASIC
Portage, Michigan
