Credit Card Processing Security Issues

With millions of consumers worldwide using credit cards to pay for products and services, the issue of secure transactions is a big concern.  If the wrong person obtains your credit card information, you may become the victim of fraud or identity theft, which starts a lengthy process full of losses and stress that only a nepenthe could relieve.  For this reason, all things associated with credit card processing must be secure. Protecting your personal data begins at home and with responsible credit card management; however, once you hand over your card for processing, other security measures should kick in.

The average consumer doesn’t spend much time thinking about what happens once a credit card is presented for payment.  What we do know is that somehow money from our account is transferred to the merchant’s account.  Credit card processing is actually fairly simple; however, it does require the participation of several parties to ensure credits and debits balance out.  With this in mind, one might wonder just how safe payment processing is.

Credit card fraud and identity theft?

With credit card fraud and identity theft an ongoing concern for merchants, card issuers and consumers, secure processing is a top priority.  When private information falls into the wrong hands, the only party who wins is the thief.  Merchants stand to lose the most money, with credit card issuers coming in second and consumers having the most protection against fraud.  Conversely, consumers are hit the hardest when they become victims of identity theft.  As a result, the credit card processing industry has very specific security measures in place to prevent and reduce instances of credit card fraud and identity theft.

Security measures

To ensure all parties are on the same page regarding security, a set of requirements has been established.  The Payment Card Industry Data Security Standard (PCI DSS) provides detailed requirements which must be maintained by all companies processing, storing or transmitting credit card information.  Any company that violates industry requirements for security may be fined from $5,000 to $100,000 per month.

PCI Compliance

A frequently asked question regarding PCI requirements is who has to be compliant.  Each business using credit card processing must determine on what level it must be compliant.  There are different levels for different merchants based on how credit card data is processed, transmitted and stored.  Therefore, all companies involved in credit card processing must comply with PCI standards on some level; which level depends on the type of business.

Online credit card processing security relies on two main security systems: the “AVS” and the “CVV”.  Both of these systems allow consumers to enter their credit card details online with higher levels of protection if retailers require both forms of information from their customers when accepting credit cards as payment.

The “CVV”: Card Verification Value

On the back of a consumer’s credit card is a three- or four-digit number, known as the card verification value.  The number is not found on a credit card statement, which means that an individual asked to enter the CVV when making a payment would have to have the card in his or her possession, and not just a credit card statement found in the trash.  Many types of identity fraud and fraudulent credit card purchases are prevented by requiring the card verification value to process the credit cards, because most online credit card fraud is the result of an individual stealing a thrown-away card statement or receipt.

If an incorrect CVV is entered during the check out process, the credit card is declined and the owner of the card is protected against fraudulent purchases.

The “AVS”: Address Verification Service

Another method to reduce credit card fraud and improve online security for credit card processing is through the use of the AVS – Address Verification Service.  This security measure checks that the address a customer enters into the order form when trying to pay for a purchase with a credit card matches the billing address associated with that credit card.

Unlike the CVV process, the address verification is not a required step for customers to place an order.  It is up to you as the retailer to decide whether or not you will require that an address entered by a shopper match the address associated with the credit card account.  When a customer enters address details, your credit card processor will send you an email to show you whether the address matches the billing address of the card.

If an address is entered that does not match the address associated with the credit card account, the purchase is not automatically denied as is the case with an incorrect CVV number.  Instead, it is left up to the retailer to decide whether to process the sale as-is, or to require that the buyer provide additional information or re-enter the address to see that it matches, to ensure they are the owner of the credit card before the transaction is completed.
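The difference between the two checks (an incorrect CVV is always declined, while an AVS mismatch is left to the retailer) can be written as a small merchant-side decision policy.  This is an added example, not code from any processor or card brand; the result labels, the re-entry limit and the handling of unavailable results are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Check(Enum):
    # Labels are constructed for this example; real processors return
    # their own result codes, which must be mapped onto these.
    MATCH = "match"
    NO_MATCH = "no_match"
    UNAVAILABLE = "unavailable"

class Decision(Enum):
    APPROVE = "approve"
    DECLINE = "decline"
    REENTER_ADDRESS = "reenter_address"
    MANUAL_REVIEW = "manual_review"

@dataclass(frozen=True)
class AvsPolicy:
    require_match: bool = True   # AVS is optional: the retailer chooses
    max_reentries: int = 2       # assumed limit on address re-entry

def decide(cvv, avs, policy, reentries=0):
    if cvv is Check.NO_MATCH:
        return Decision.DECLINE              # incorrect CVV: always declined
    if cvv is Check.UNAVAILABLE:
        return Decision.MANUAL_REVIEW        # assumption: unverified CVV is held
    if avs is Check.MATCH or not policy.require_match:
        return Decision.APPROVE
    if avs is Check.NO_MATCH and reentries < policy.max_reentries:
        return Decision.REENTER_ADDRESS      # let the buyer correct the address
    return Decision.MANUAL_REVIEW            # retries used up or no AVS result

def triage(orders, policy):
    """Map order id -> decision name for a batch of processor results."""
    return {o["id"]: decide(o["cvv"], o["avs"], policy, o.get("reentries", 0)).value
            for o in orders}

# Constructed sample results; no card numbers or addresses are needed here.
SAMPLE_ORDERS = [
    {"id": "A1", "cvv": Check.MATCH, "avs": Check.MATCH},
    {"id": "A2", "cvv": Check.NO_MATCH, "avs": Check.MATCH},
    {"id": "A3", "cvv": Check.MATCH, "avs": Check.NO_MATCH},
    {"id": "A4", "cvv": Check.MATCH, "avs": Check.NO_MATCH, "reentries": 2},
    {"id": "A5", "cvv": Check.MATCH, "avs": Check.UNAVAILABLE},
]
```

The decision works only on the match results returned by the processor, so the card number, CVV and address never need to be kept by this logic.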

Security measures by major credit card companies

1. Visa

The security standard established by Visa is known as CISP or Cardholder Information Security Program.  Merchants accepting Visa must adhere to these standards or risk losing the ability to process these cards.  Along with MasterCard, Visa is a founding member of PCI DSS.  All merchants must comply with these security standards and any processor or financial institution with which they do business must comply as well.  This ensures each transaction is secure from beginning to end.  Detailed information regarding CISP can be found online.

2. MasterCard

Merchants accepting MasterCard will be issued a manual outlining procedures and rules governing credit card processing and security.  It is important for all merchants to understand and follow the rules in place.  Failure to do so may result in a penalty of $100,000 per violation.  All data containing cardholder information must be secured, processed and stored as outlined in the merchant manual.

3. Discover

Discover uses a system called DISC (Discover Information Security and Compliance) to determine if merchants are complying with PCI standards.  Failure on the merchant’s behalf to meet these standards in their processing of credit cards may result in the merchant no longer being allowed to accept Discover.  Merchants are also encouraged to comply with PA-DSS (Payment Application Data Security).

4. American Express

Merchants accepting American Express may only store credit card records for two years after submitting records to American Express.  After 24 months have passed, the information must be destroyed; in the interim it must be stored securely.  Merchants are prohibited from sharing credit card or account holder information with parties not named in the merchant agreement.  Merchants must ensure the credit card processor they use also complies with American Express security regulations.

Merchants and consumers can learn more about security issues, concerns and procedures by visiting any of the four major credit card association websites.  Card holders who feel their information has been compromised or handled improperly by a merchant or a third-party associated with the merchant should contact their credit card issuer.  Merchants are strongly advised to follow all security measures in place to continue accepting credit cards from the major associations.

Consumer tips

Security measures for credit card processing are the first step in the fight against credit card fraud.  Consumers must also know how to protect their credit card information before and after a transaction has been processed.  The first step in securing credit card information is limiting the number of people who have access to account information.  Credit card receipts and statements should be stored securely and discarded properly.  Never provide credit card information in response to unsolicited requests via phone, email or mail.  When making purchases online, always use a secure website or consider using a virtual credit card number.

Posted on Sunday, January 2nd, 2011