Did that waitress write down the number on that credit card then slip it in her pocket? What about card numbers that are given over the phone when you reserve a hotel room? What’s to keep the person on the other end of the phone from taking the number and selling it?
Visa, MasterCard, American Express, Discover and JCB (Japanese Credit Bureau) have your back. They know your credit and debit card numbers are in danger and have instituted a set of standards to prevent it. The standards apply to any company that processes, transmits or stores credit or debit card information.
In 2006, the card companies created the Payment Card Industry (PCI) Security Standards Council and formulated a new set of standards. Since then, the credit card companies have been implementing and refining the standards. In order to take credit cards from the six participating companies, all merchants, whether big or little, brand new or well-established, have to comply with PCI standards
The standards cover 12 requirements in six general areas. They cover physical and virtual security, the use of encryption, the management of anti-virus software, implementation of a ‘need to know’ security setting, access and password management, periodic testing of security systems, the dangers inherent in off-the-shelf software and the use of the personal identification number (PIN).
The PCI created procedures as well as standards. They require each bank or merchant to perform internal and external scans quarterly to check for vulnerabilities. The scan is performed by software that checks for the presence of known vulnerabilities. Scanners can look for open ports, problems with usernames, vulnerability to attacks through the browser and the presence of computer worms. If the scan finds a vulnerability, the bank or merchant has to address as quickly as possible then rescan. Any bank or merchant that fails a vulnerability scan won’t be in compliance until they pass four more quarterly scans. The council is serious about compliance. They set up a series of fines that range from $5,000 to $100,000 each month.
The procedure a new company has to go through to qualify as PCI complaint requires them to inform the PCI of their level of involvement in processing credit cards, complete a self-assessment questionnaire, pass a vulnerability scan if their computer system is connected to the internet and legally attest that they are compliant with PCI standards.
Fraud isn’t easy to detect or predict although merchants and banks have some common sense safeguards. For example, the merchant might require that the purchaser show a form of identification with a picture on it. This is effective if the card in question has simply been stolen. Unfortunately, sophisticated thieves often have forged identity cards. Purchases over the internet or through mail-order have few safeguards. Shipping companies rarely ask for picture identification when delivering a package. Internet and mail-order companies have developed some security by only allowing the delivery to take place at the address on file with the card holder. Some bold thieves had circumvented this step by ordering something with a stolen credit card, watching the house, waiting until the delivery man leaves then walking up to the porch and taking the package.
If you suspect that a merchant that took your credit card wasn’t being honest, you can call a toll-free number on the back of the credit card. For further information on the PCI, visit their website.
Additional sources:
PCI Compliance Overview
PCI Compliance Guide
