The number of high-profile credit card security breaches reported in the news is rising, with such chilling examples as last summer's attack on Tucson, Ariz.-based CardSystems Solutions, where 40 million accounts were exposed and some 200,000 records were actually stolen. Because most breaches are never reported to the media, the true number of incidents is likely far greater than perceived.
Compounding the problem, ScanAlert’s Leonard notes, is that far more online retailers store credit card information than probably need to, and of these, most don’t store the data correctly. “By law and regulation, those data don’t belong to the merchant. By storing them, the merchant takes on a huge risk and liability,” he states.
A merchant may decide to store card information as a convenience to the customer or to speed up order taking in a contact center, but MasterCard and Visa frown on storing credit card data for these purposes.
If merchants must store card numbers, the regulations stipulate that the data be kept encrypted and that all access to them be logged. Further, Visa regulations prohibit merchants from ever storing the Card Verification Value 2 (CVV2), the three digits printed on the signature panel on the back of a Visa card; encrypting that value does not make retaining it acceptable.
Questions to ask yourself:
• Do we store credit card numbers? Where? Why? Do we encrypt them?
• Do we store CVV2 values?
• Could we re-engineer our processes to serve customers without storing credit card numbers?
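The first two questions can be answered with a discovery scan rather than a guess. The following is an added example, not code from the article or from ScanAlert or any other vendor mentioned in it: it walks text that might be a log export or database dump, keeps only digit strings that both pass the Luhn check and fit a well-known brand prefix and length, reports them masked to the first six and last four digits so the scanner's own output does not become a new card store, and flags any line that also carries a CVV2-style field. The sample log and its field names (`pan=`, `cvv2=`) are constructed for the example and use published test card numbers, not real ones.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of a leaked order log; brand test numbers only, not real cards.
SAMPLE_LOG = """\
2006-03-14 order=10042 pan=4111 1111 1111 1111 exp=09/07 cvv2=123 amount=59.99
2006-03-14 order=10043 pan=5500-0000-0000-0004 exp=11/08 amount=12.50
2006-03-14 order=10044 pan=4111111111111112 exp=01/09 cvc=999
2006-03-14 trace_id=1234567890123456 session=abc123
"""

# 13-19 digits, optionally separated by single spaces or dashes, not embedded in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A CVV2/CVC2/CID-style field carrying a 3- or 4-digit value (assumed field names).
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid|security[_ ]?code)\s*[:=]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, subtract 9 if it overflows
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def issuer(digits: str) -> Optional[str]:
    """Coarse brand check from well-known prefix/length ranges; cuts false positives
    such as timestamps or trace IDs that happen to pass Luhn."""
    n = len(digits)
    two, four = int(digits[:2]), int(digits[:4])
    if digits[0] == "4" and n in (13, 16, 19):
        return "visa"
    if (51 <= two <= 55 or 2221 <= four <= 2720) and n == 16:
        return "mastercard"
    if two in (34, 37) and n == 15:
        return "amex"
    if (four == 6011 or two == 65) and n == 16:
        return "discover"
    return None


def mask_pan(digits: str) -> str:
    """First six and last four only, so the report itself is not a card-number store."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str) -> List[Dict[str, object]]:
    """Return one finding per Luhn-valid, brand-matching card number, with the line it sits on
    and whether that line also carries a CVV2-style field."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            brand = issuer(digits)
            if brand is None or not luhn_ok(digits):
                continue
            findings.append({
                "line": lineno,
                "masked_pan": mask_pan(digits),
                "issuer": brand,
                "cvv_present": bool(CVV_RE.search(line)),
            })
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        flag = "  <-- CVV2 stored alongside the PAN: prohibited, purge it" if f["cvv_present"] else ""
        print(f"line {f['line']}: {f['issuer']} {f['masked_pan']}{flag}")
```

Run against real exports the same way: point `scan_text` at the contents of each file and treat every hit as a place where card data live. Lines 3 and 4 of the sample show why the two filters matter: a number that fails Luhn and a 16-digit trace ID with no issuer prefix are both dropped, which keeps the report short enough that someone will actually act on it.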
Have Your Web Site Regularly Scanned
One of the mandates set forth by the card brands' security programs is periodic scanning of your site by a certified testing service. Companies like ScanAlert and AlertSite use automated scanners to probe your Web site for known security holes on a regular schedule. Such holes typically come from misconfigured Web servers, or from neglecting to keep the Web servers and their operating systems current with security patches. Keep in mind what such a scan can and cannot see: it finds known, externally visible weaknesses, not flaws in your own application logic or in how card data are handled behind the server, so it complements the storage review above rather than replacing it.