In March 2008, Maine-based supermarket chain Hannaford Bros. admitted that credit and debit card numbers were stolen from its systems during the authorization transmissions. In what the Massachusetts Bankers Association (MBA) called a "large retail data security breach," over 4 million credit and debit card numbers may have been taken. By the beginning of April, nearly 2,000 instances of fraud had been reported as a result of the breach.

"We sincerely regret this intrusion into our systems," Hannaford Bros. President and CEO Ronald Hodge said at the time, "which we believe are among the strongest in the industry." In a "customer Q&A" document posted on its website, the company insisted that its security measures were "above and beyond" industry standards.

For its part, the MBA released a statement assuring New England consumers "that this was not a problem caused by banks."

The security went "above and beyond." The banks were not at fault. So who, then, is responsible for protecting the customers' credit card information? And what exactly were these standards that Hannaford Bros. went "above and beyond"?

You are responsible, period

It's simple: If your firm handles a customer's credit card transaction, you are responsible for protecting the information. The standards to which Hannaford CEO Hodge was referring are embodied in the Payment Card Industry Data Security Standard (PCI DSS).

For small and medium-size businesses (SMBs), compliance costs are proportionately higher than for Fortune 500 firms, and "regulatory burden" is a familiar (and unpopular) concept. However, as a comprehensive standard designed to help businesses proactively protect consumers, the PCI DSS is a good investment. With over $3 trillion in credit card purchases in 2007, there is a lot of protecting to do.

Like other payment processing companies, SecureNet Payment Systems and Sage Payment Solutions both have very "safe" sounding programs, Credit Card Vault and Sage Vault, respectively. The programs allow you to store credit card, electronic check and other sensitive data in a secure, reliable, PCI-compliant environment without having to store this data on your local servers. The technology can be seamlessly integrated into your current applications. But the real solution involves "low-tech," too.

First line of defense: awareness

In this web-wild, computerized world, it is easy to fall into the trap of thinking that all the thieves' tools are high-tech, as are the precautions and defenses. Not so, according to Ricardo Harvin, website development manager for the U.S. Chamber of Commerce. "Despite the real threat of theft by outsiders," he writes in Uschambermagazine.com, "in most cases when company information is stolen, it involved either someone working for the victimized company or a nonemployee who has access [to] that data."

Protecting your customers and their credit card data is a multifaceted endeavor. Depending on the nature of your business, it can include analysis of Web assets, database design and administration, network access control and more. It may seem a daunting task, but you will go a long way toward safeguarding your customers and your business by

- cultivating a company environment of alertness and care;
- having strict, enforced policies for card processing;
- storing only the data you need, only for as long as you need it, and offsite if possible;
- providing access to customer data only as required to transact business; and
- maintaining both high- and low-tech security measures.

It is a combination of technology and common sense that will help your business avoid fraudulent transactions. The role of merchant today is more complicated, certainly, but you are not alone in this challenge. Small-business associations and industry trade groups can be a great source of information about what is working for other businesses like yours.

And there is one more underutilized tool: pressure tactics.

MasterCard is now publishing the interchange tables, the byzantine formulas and rate structures that set merchant processing costs. According to a study by Amy Dawson and Carl Hugener of Diamond Management & Technology Consultants*, "Once transparency comes to credit card pricing models ... merchants will use the information to force an unbundling of interchange fee structures. The interchange structure as we know it will disappear." (Report is titled, "A New Business Model for Card Payments.")

SMBs can use their aggregate strength to force some overdue revisions of the pricing structure of credit card processing. Once a candid, open negotiation on these matters can commence, savings in this area can be redirected to creating ever safer systems, onsite and off, for the protection of your customer's credit card accounts.