Banking & Finance  February 6, 2015

Stay current in fight against credit-card fraud

Ditges

There has been some discussion in your paper (“Credit cards hacked? Who pays ’em back?”, Nov. 28-Dec. 11) and other media outlets about who should foot the bill for reimbursing consumers for credit card fraud – financial institutions or retailers. There’s also been a fair amount of ink on the growing call for Congress to step in with cyber-security legislation.

The truth is that this hot-potato issue is about to shift because of changes coming in the payment-industry security standards. These changes will affect small businesses dramatically and make many of these discussions moot.

To fully understand what’s about to take place, you have to first appreciate the circumstances we’re in now. These massive card security breaches – such as the 70 million customer cards hacked in the Target attack – are happening because the majority of U.S. cards still rely on magnetic-stripe technology that is more than four decades old and inherently insecure.

In fact, we are the only major economy in the world that does not currently use integrated-circuit cards (also known as EMV, IC cards and PIN and Chip). These are credit cards that have a circuit chip embedded in them and require a personal identification number for transactions. EMV cards are smarter because, unlike magnetic-stripe cards, they can check a PIN entered by a user without revealing it to the equipment reading the card. Many hacks involve infiltrating the card reader.

In Europe, 80 percent of credit cards use this newer technology, and it has resulted in impressive reductions in credit-card fraud. In the United Kingdom alone, credit-card fraud – for card-present transactions – dropped 75 percent after EMV was introduced.

The United States is in the card-processing dark ages, so the best cybercriminals in the world are concentrating their efforts on the credit-card payment systems here because they are so much easier to compromise. For them, it’s like playing in the Super Bowl and the opposing team is the junior football league. So for now, it’s no longer a question of if you will be hacked, but when.

Even though we know that it’s essential to change over to the new EMV cards, the United States has been sluggish to do so because it’s expensive. EMV cards cost much more to produce than magnetic-stripe cards. And the EMV card readers and ATMs require pricey hardware upgrades.

Initially, the investments are a tough pill to swallow, but compared with the losses to fraud and hacking, they’re a bargain.

In the meantime, the credit-card brands, Visa and MasterCard, have been working with the Payment Card Industry Security Standards Council to voluntarily enact updated security standards to protect financial institutions, merchants and consumers alike. The Payment Card Industry Data Security Standards ensure that anyone who processes credit cards is meeting the industry’s best security practices. By voluntarily prescribing these specifications, the card brands no doubt hope to sidestep any government intervention in the form of cyber legislation.

Really, self-policing is the best answer. These world-class hackers work with lightning speed and continually upgrade their tactics to outsmart every security measure. Congress doesn’t. Any bill it writes could be insufficient and outdated before the ink is dry.

But here’s the important part for retailers: These standards are about to become requirements.

For the small-business owner – and retailers, especially – this means you have to be compliant with these new standards by the June 30 deadline or you are liable for any losses consumers incur as the result of a security breach in your system.

If you’re hacked and you were not compliant beforehand, your business can face steep penalties, up to and including the loss of the ability to process credit cards. That would put many small retailers out of business in short order.

The first step in compliance is taking the Payment Card Industry Self-Assessment Questionnaire. There are several to choose from, based on the type of business you are. You can find a guide to choosing the right one for your business at understandplus.com/SAQ_Guide.pdf. You can find answers to all your PCI DSS questions at pcisecuritystandards.org/merchants/.

So while retailers and financial institutions still are arguing over the liability for past hacks, after June 30, the burden of liability will fall on retailers – so be sure you understand the PCI DSS requirements and protect your business and your customers.

Jeff Ditges is president of Source Communications, a communication technology company in Broomfield that provides wiring and hardware for point-of-sale systems.
