The benefits of credit cards to customers and business are well-documented – but what are the perils and how can you avoid them?
Customers love spending on their plastic – UK shoppers spent £12.9 billion on their credit cards in January 2013; £42.6 billion if you also include the use of debit cards. This is hardly surprising if you consider the many advantages of credit cards, for both the consumer and the organization.
Credit cards let customers pay for items that they might not otherwise be able to afford if they were relying solely on their bank savings. In addition, a lot of UK customers prefer to pay with a credit card because they can be reassured that if something goes wrong, they will be reimbursed by their credit card provider for spends of between £100 and £30,000 under section 75 of the Consumer Credit Act 1974. Credit cards are also a safer and far more convenient alternative to carrying cash. This is all good news for organizations, as the more payment options a customer has, the more likely they are to make a purchase.
In 2012, though, the total amount of credit card fraud worldwide reached $5.55 billion, making up 40% of all financial fraud.
The Headline Disasters
Data security and data compliance are imperative to the smooth-running of a business' credit card payment operations, whether you're a small retailer or a multinational corporation. Not having proper procedures in place can lead to disaster:
- US credit card processor Heartland Payment Systems saw 130 million of its credit card records stolen in a 2008 hack with the resultant data used to create counterfeit credit cards
- Discount store owners TJX Company spent $250 million dealing with the fallout of a hack that saw over 45 million customer records stolen after the company revealed the theft in 2007
- Credit card cybercrime was still prevalent in 2012 – 1.5 million credit card numbers were stolen from payment processing company Global Payments.
How To Protect Your Organization
If you currently handle credit card payments then you are probably more than aware of PCI DSS (Payment Card Industry Data Security Standard) and all that it entails. If not, then for a quick overview, head here. In essence you are going to need help to get it right, so hiring a consultant will prove a cost-effective way to do this.
For many organizations, the handling of credit cards is outsourced to a third party and the onus is on the third party to comply. However, for many organizations it is not as simple as it might appear: technology can sometimes be unreliable… and the customer then resorts to other means to place their order, with telephone and email being the top two.
If the telephone operator writes down the credit card information (to enter into the system later) ensure that the paper is properly disposed of, for example shredded. If they use an electronic means to store the information, then the credit card information (and the application it is stored in) may well have to comply with PCI DSS.
If email is used, then the email containing the credit card information and the email application itself will probably have to be treated carefully to ensure compliance with PCI DSS and any other industry specific regulations and legislation.
Ensure you have policies and processes for handling credit card information, especially for the cases where you are not expecting to receive it.
The #1 rule is to avoid storing cardholder information wherever possible. Minimize the number of applications which store the information and consolidate across the whole organization. Deploy encryption to protect the information wherever it is stored.
Deploy a data loss prevention (DLP) solution to ensure that credit card information is not leaked outside the organization which would cause a data breach. Remember with email, this can be as simple as pressing ‘reply’ to acknowledge the order!
Look at deploying a next generation DLP solution which supports Adaptive Redaction. This can prevent credit card information from leaving the organization without blocking the communication: it removes just the information which breaks policy while leaving the rest alone. It can also be applied to inbound traffic to stop credit card information from entering the organization in the first place, which prevents the issue ever becoming a problem for those organizations who never want credit card information inside their network.
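The redaction behaviour described above, as an added example that is not part of the original article or of any particular DLP product: it scans a constructed email reply for candidate card numbers, keeps only those that pass the Luhn checksum card networks use (so order and phone numbers are left alone), and masks the matches while delivering the rest of the message unchanged. The regular expression, the masking format and the sample message are assumptions made for this example.

```python
import re
from typing import Tuple

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or hyphens.
# This is an assumed pattern for the example, not a product's detection rule.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pans(text: str) -> Tuple[str, int]:
    """Mask every Luhn-valid card number in text, keeping the last four digits.

    Returns the redacted text and the number of card numbers removed. Digit runs
    that fail the Luhn check (order numbers, phone numbers) are left untouched,
    so the rest of the communication is delivered as written.
    """
    count = 0

    def _mask(match: "re.Match[str]") -> str:
        nonlocal count
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw
        count += 1
        return "[REDACTED PAN ending " + digits[-4:] + "]"

    return PAN_CANDIDATE.sub(_mask, text), count


# Constructed sample: an operator pressing 'reply' to acknowledge an emailed order.
# 4111 1111 1111 1111 is a well-known Luhn-valid test number; the other
# 16-digit run is a made-up tracking reference that fails the Luhn check.
SAMPLE_REPLY = (
    "Thanks for your order 20130115-0042, tracking ref 1234 5678 9012 3456.\n"
    "> Please charge my card 4111 1111 1111 1111, expiry 09/15.\n"
    "We will dispatch tomorrow. Call 0161 496 0000 with any questions.\n"
)

if __name__ == "__main__":
    redacted, removed = redact_pans(SAMPLE_REPLY)
    print(f"{removed} card number(s) redacted:\n{redacted}")
```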
Handling the pitfalls
- Without the correct data security and data compliance procedures, organizations can find themselves at risk
- Organizations dealing with credit card details must comply with PCI DSS
- They should avoid storing cardholder information wherever possible
- A next generation DLP solution which supports Adaptive Redaction will ensure that credit card information is not leaked outside the organization.