Securing credit card information
05/03/2012

Protect your business against breaches

Many rental stores worry about getting paid, paying credit card processing fees or other payment issues that affect their bottom line. However, the biggest concern these days in payment may well be security breaches. To prevent identity and financial theft, taking precautions to ensure the security of credit card information is essential. The ultimate goal is to make sure you aren’t storing any credit card information even when you swipe a card.

“Nothing has changed more in the rental world than credit card payment processing. The retail world in general has been rocked by a string of credit card frauds and breaches that have affected even the largest and most secure institutions. In response, new PCI (Payment Card Industry) security regulations have been issued frequently in the last few years, making compliance a moving target for everybody involved,” says Rob Ross, president, Alert Management Systems, Colorado Springs, Colo.

Lauren Dorman, vice president of product development, RMI Corp., Avon, Conn., agrees. “The market for stolen credit cards and personal information is astounding and it can happen to anyone. With that in mind, the goal of the rental company is to protect sensitive information from potential hackers or unethical employees. Organizations such as the PCI Security Standards Council, Wakefield, Mass., (pcisecuritystandards.org) have outlined comprehensive standards to protect and secure what data can be stored, transmitted and processed,” Dorman says.

“When comparing payment solutions, you should only evaluate those that have been audited and certified as having employed the highest levels of security and encryption. Look for payment solutions which carry the PCI DSS (Payment Card Industry Data Security Standard) medallion. These solutions deliver peace of mind that you’re protecting your customers and business from harm while streamlining payment processing and increasing cash flow,” she says.

“Many rental stores are facing more frequent audits as well as surcharges and penalties for noncompliance,” Ross adds. “They have been required to upgrade software and even hardware — especially routers and devices that control networks across multiple stores. The PA-DSS (Payment Application Data Security Standard) questionnaires for merchants ask increasingly sophisticated questions requiring IT skills and implying liability for inaccurate answers. Meantime, the PCI Board continues to make new rulings in response to new breaches.”

Jeff Knoepke, vice president of client care at Alert Management Systems, says everything can come under review. “In addition to a sophisticated encryption system, the entire computer network comes under scrutiny. Everything from password rotation policies to who has access to the system is dictated by the PCI standards. That’s why it’s important to be able to store the credit card data in a secure, third party vault.”

Ross says the first place to look for breaches in security is at the register. “Best practices start at the rental counter. Regardless of the software you use, you need to make sure your staff is not ‘keeping notes’ of credit card numbers and associated information in unsecure places. Secondly, if your software allows you or anyone in your organization — regardless of password level — to see all 16 digits of any credit card, your software is now obsolete and needs to be upgraded. Only the last four digits may be viewed in their human-readable form.”

Larry Weeman, Event Rental System/Party Track, Sahuarita, Ariz., says this kind of thing can happen in rental stores even without intent to harm.

“More businesses of all types are paying closer attention to the need to protect credit card information and the rental industry is no different. This is good news and we will see much more adoption of policies and procedures required for businesses to become PCI-Compliant over the next few years,” Weeman says.

Securing your data

Clark Haley, CEO of Automated Rental Systems, San Antonio, has written several articles about data security for his blog at bcsprosoft.com. Under “Select A Category,” click on “Clark’s Blog” to read his tips and advice on a variety of topics.

“Still, it is hard to change the way you manage your business and to break away from old ways of doing things. It is also hard to accept taking more time to accomplish tasks just to be compliant. As an example, if you need credit card information from a customer, it is really efficient to send them an email requesting their credit card information. Many people do not really understand that when you put your card information in an email, it is not secure and that the email may be stored on several servers as it makes the electronic trip over the Internet from their computer to yours,” he says.

Ross says rental stores that process cards on a separate physical terminal provided by a bank or processor need to find out if the hardware device is up to date. “If you have an integrated (PCI-Compliant) credit card system, ideally, it should not store cards in any form on your computer system, so your store has the maximum protection with the least amount of regulation of your physical network. State-of-the-art systems from industry leaders are the best bet in today’s environment. For example, Alert uses PAYware Connect from VeriFone Systems, San Jose, Calif., which only stores cards in a secure ‘cloud’ environment. Companies like VeriFone have the resources and technology to keep up with ever-increasing security requirements,” he says.

As a result of increasing security issues, Ross says, “it will be increasingly difficult for small businesses of any kind to justify the risk and regulatory hassles of maintaining credit card information on their own computer systems, particularly now that there are ultra-safe, low cost ‘cloud-based’ alternatives available. After all, even major institutions with the latest encryption technology have been victimized by credit card fraud. The ultimate peace-of-mind comes from knowing you cannot be targeted because you simply do not store any credit card information.”

— Whitney Carnahan


Complying with the Red Flags Rule

As identity theft becomes more prevalent, small- and medium-sized businesses are becoming more frequent victims of data breaches. In response to this ever-increasing risk to sensitive customer information, the federal government has passed laws requiring certain types of companies to protect information they collect in the course of their business transactions.

Though many business owners understand the responsibility they have to protect customer data, these obligations were originally spelled out in the Fair and Accurate Credit Transactions Act (FACTA). Low response to FACTA resulted in the Red Flags Rule amendment, which increased liability and related fines for noncompliance while providing more direction and guidance for businesses. The Red Flags Rule went into effect in May of 2008, but enforcement was delayed until Dec. 31, 2010, in order to allow time for businesses to reach compliance.

The Red Flags Rule applies to businesses that are considered financial institutions or creditors under the Federal Trade Commission’s (FTC) broad definitions. Financial institutions include banks, savings and loan associations, credit unions and any other business that directly or indirectly holds customer transaction accounts.

Many equipment rental companies fall into the “creditor” category, which includes businesses and organizations that do any of the following regularly and in the ordinary course of business:

  • Provide goods or services upfront and collect payment from customers later.
  • Grant or arrange for loans or the extension of credit, or make credit decisions.
  • Participate in the decision to extend, renew or continue credit, including setting the terms of credit.
  • Obtain or use consumer reports in connection with a credit transaction, or furnish information to consumer reporting agencies in connection with a credit transaction.
  • Advance funds to or on behalf of another party, except funds for expenses incidental to a service provided by the creditor to that person.

Simply having shredders, locks and password protectors in place isn’t enough. In order to be considered in compliance with the Red Flags Rule, businesses must:

  • Develop a written Identity Theft Prevention Program, detailing how the business will address indications of suspicious activity (red flags).
  • Train employees to be in compliance with the program.
  • Update the program and provide additional training in response to any new red flags, revised business practices or changes in the way thieves steal information.
  • Appoint a senior level manager to oversee the program.
  • Ensure related service providers also have a program.

An Identity Theft Prevention Program is a written plan that must include reasonable policies and procedures for detecting, preventing and mitigating identity theft. An effective program should:

  • Identify relevant patterns, practices and specific forms of activity that signal possible identity theft.
  • Incorporate business practices to detect red flags.
  • Detail an appropriate response to any red flags in order to mitigate identity theft.
  • Be updated regularly to reflect changes in risk related to identity theft.

More information is available online at ftc.gov/redflagsrule.

— Sarah Peterson