Saturday, June 9, 2012

Merchant Requirements for Securing Cardholder Information

To protect your merchants, cardholders, and the integrity of the payment system, each of the credit card processing companies has in place a set of requirements governing the safekeeping of account information (UniBul very much included). Following is a brief overview of the most critical aspects of those requirements.

Storage of Cardholder Information
  • Do not store the following under any circumstance:
    • Full contents of any track from the magnetic stripe on the back of the card.
    • Card-validation code: the three-digit value printed on the signature panel of a MasterCard, Visa, Discover Card, JCB, or Diners Club card, and the four-digit code printed on the front of an American Express card.
  • Store only that portion of the customer's account information that is essential to your business, i.e., name, account number, or expiration date.
  • Store all material containing this information (e.g., authorization logs, transaction reports, transaction receipts, car rental agreements, and carbons) in a secure area limited to authorized personnel.
Destruction of Cardholder Information
  • Destroy or purge all media containing obsolete transaction data with cardholder information.
Use of Agents or Third Parties (Vendors, Processors, Software Providers, Payment Gateways, or Other Service Providers)
  • Advise each merchant account provider or credit card processing contact (representing each of your card brands) of any agents that engage in, or propose to engage in, the processing or storage of transaction data on your behalf, regardless of the manner or duration of such activities.
  • Make sure these payment processing agents adhere to all rules and regulations governing cardholder information security. Any violation by your card processing agent may result in unnecessary financial exposure and inconvenience to your business.
Reporting a Security Incident
  • In the event that transaction data is accessed or retrieved by any unauthorized entity, notify the merchant services provider or merchant processing contact for each card brand immediately.
  • This report will not only minimize risk to the payment system, but also protect your customers in the most responsible manner. Systems and procedures are in place to immediately stop the unauthorized use of compromised data, but they are effective only when you (and every small business merchant account provider) do your part to promptly report a security incident.
