Are You Storing Credit Cards in a Compliant Manner?
by Dr. Miles Bodzin, D.C.
When it comes to processing auto-debits, we’ve found that the most common breach made by chiropractors has been in the storing of credit card numbers improperly. We’ve seen examples of chiropractic offices storing card holder data (credit card numbers) in log books, file cabinets, tickler reminder systems, spreadsheets, etc., with the purpose of then physically entering them into a credit card machine every month.
This activity is a clear violation of the Payment Card Industry Data Security Standard (PCI DSS) and must be stopped immediately. If you can retrieve the full account number from the system you use, then that system is NOT PCI DSS compliant, and it exposes your practice to a cardholder data breach.
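The test above ("can you retrieve the full account number?") can be applied to the log books, spreadsheets and reminder files mentioned earlier by scanning them for anything that looks like a full card number. The following Python script is an added example, not part of this article or any product it describes: it finds 13 to 19 digit runs, confirms them with the Luhn checksum that card numbers use, and reports each one with all but the last four digits masked. The patient records it scans are constructed sample lines using the card industry's published test numbers, and the token format on the last line is an assumption.

```python
import re

# Candidate card number: 13 to 19 digits, optionally separated by single spaces
# or hyphens, and not embedded inside a longer digit run.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample records of the kind a practice might keep in a spreadsheet.
# The card numbers are industry test numbers, not real accounts.
RECORDS = [
    "Patient: J. Doe, monthly plan, card 4111 1111 1111 1111 exp 09/27",
    "Patient: A. Smith, phone 619-555-0142, card on file: 5555-5555-5555-4444",
    "Patient: R. Lee, Amex 378282246310005, charge on the 1st",
    "Patient: K. Park, acct ref 1234567890123456 (internal id, not a card)",
    "Patient: M. Cruz, card on file: token tok_constructed_8f3a21, last4 4242",
]


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid 13 to 19 digit number in text, separators stripped."""
    found = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep only the last four digits; everything else is replaced with '*'."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_records(records: list[str]) -> list[tuple[int, str]]:
    """Return (1-based record number, masked number) for each full card number found."""
    findings = []
    for n, line in enumerate(records, start=1):
        for pan in find_pans(line):
            findings.append((n, mask_pan(pan)))
    return findings


if __name__ == "__main__":
    for n, masked in scan_records(RECORDS):
        print(f"record {n}: full card number stored ({masked})")
```

Records 1 to 3 are reported because each holds a complete, checksum-valid card number; record 4 holds a 16-digit value that fails the Luhn check and is ignored, and record 5 holds only a token and the last four digits, which is the form a compliant system leaves behind.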
The PCI DSS spells out security guidelines to help businesses minimize the possibility of a data security breach in their card processing systems and to help ensure the integrity of the card system.
What is PCI DSS and why should I care?
You may have heard from recent headlines that stolen credit and debit card data, due to security breaches at businesses—both large and small ones—has negatively impacted millions of consumers. The theft of this data happens from many sources, such as hackers and employees.
You may not be aware that merchants (like yourself) can be held financially responsible for fraudulent use of this card data. The fines can be as high as $25,000 per incident. In fact, Visa® has fined merchants millions of dollars in the past few years.
PCI DSS is to the credit card industry what HIPAA is to the health care industry. It’s all about protecting the consumer.
You may not be aware of the fact that, since June 2005, you are required to follow PCI DSS or face considerable fines in the event of a security breach.
The following are actual companies that have suffered a breach of their credit card security:
• CardSystems Solutions, Tucson, AZ—40 million cards stolen.
• Bank of America—loses 1.2 million customer records from stolen backup tapes.
• BJ’s Wholesale Club stores—8 million members; it is unknown how many credit card numbers were stolen.
• T.J. Maxx—45 million credit card and debit card numbers.
You don’t have to be a large company to have a security breach. In fact, hackers and thieves know that small businesses, like yours, are more likely to be unaware of PCI and are easy targets.
Where are you vulnerable to theft and hacks? The way you process, transmit or store cardholder data could result in breaches of cardholder data security without your knowledge, resulting in financial losses to your business and customers.
All chiropractors should protect the cardholder data they hold from compromise, since a compromise exposes their patients’ confidential card information.
To ensure safe and secure auto-debiting, it’s important the system you use has gone through rigorous testing to ensure PCI DSS regulations are followed. (See Addendum A)
On October 9, 2007, Visa released a mandated timeline for merchants to eliminate vulnerable applications and use only validated versions. This is a reflection of the heightened risk involved in applications that store credit card information.
It is your responsibility to ensure that you are protecting your business from potentially dangerous security breaches.
, sdp.mastercardintl.com and http://www.practicalecommerce.com/article_print.php?id=580