Life in 2018 is busy. I know, Im right in the thick of it. The thing that just nags the most? Bills. Call me crazy, but I still make payments manually on a regular basis. Then there are some payments I just leave to the autopay overlords. As much as I like being in control, theres something satisfying about having that bill paid on its own. A small amount of pressure swept away from a busy life.
Recurring Autopay Transactions
It is fairly easy, once a person gets a new debit card or credit card to set up a monthly bill to be paid automatically. Most credit companies will advertise their autopay using words like convenient, secure, economical, easy, free. The majority of those can easily be dissected and determined to be true or not. Its definitely convenient and is almost always free, but what about being secure? How can consumers know if their credit information will be handled properly by those companies that they set up an automatic credit card payment with? The answer is almost as easy to find as it was to set up that payment plan. The short version is that as long as the company is PCI compliant and verified, a consumer can be assured that the security standards are met and the credit or debit card data will be safe.
Storing Credit Card Information
When a business is involved in recurring autopay transactions, the easiest way to store credit card numbers is electronically, rather than physically. Having physical copies of the information only increases the likelihood of theft. Even having electronic storage can lead to stolen data if the files are not encrypted. Having the data encrypted means that it is unreadable without the cryptographic keys. Seemingly the most secure way is through a service provider. Companies can have their customers data stored by a service that specializes in data security. The process used is called tokenization and it involves assigning a token for credit card numbers. The merchant can store the electronic tokens in a file on any computer and not be anxious about having that data stolen. The token can then be used by the merchant to access the data that is assigned to that token. There are a variety of providers, merchants need to make sure that the one they choose is PCI compliant.
What Does It Mean To Be PCI Compliant?
For merchants who accept payments via credit card, pretty much everyone nowadays, what are some of the security standards that need to be followed? PCI DSS stands for Payment Card Industry Data Security Standard, a set of standards established by the PCI Data Security Council over a decade ago. These guidelines ensure that the merchants are taking the proper steps to protect consumer information in the form of credit card data from harmful third parties.
For instances of autopay, a company charging a customer on a scheduled basis, credit card information needs to be stored and used to complete an autopay transaction. What are companies allowed to store? According to PCI DSC the cardholder data such as the Primary Account Number (PAN), cardholder name, service code, expiration date are acceptable to store. However, the full magnetic stripe data (data encoded on the magnetic stripe or chip of the card), CAV2/CVC2/CVV2/CID (the three or four digit authorization code on the back of most cards), and PIN/PIN Block are not acceptable to be stored once credit card verification has taken place. These verification codes allow businesses to know that a physical card is present in the case of over the phone or online purchases.
So in order for a business to be PCI compliant for recurring autopay credit card transactions, they would gather all of a consumer’s credit card information and authorize it. Once that transaction happens the cardholders data can be stored. There would be no need to store the sensitive authorization data after that point. From there the card can be charged for recurring transactions.Thats beneficial for both the merchant and the cardholder, the merchant doesnt have to worry about storing the data and the cardholder doesnt have to worry about their authorization data being stolen.
PCI Requirements:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Protect all systems against malware and regularly update antivirus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Identify and authenticate access to system components
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
Compliance Levels
In addition to there being standards that businesses must base their physical and cyber security off, there are levels to those standards. Afterall not every merchant is equal, in the golden age of the internet, there are small businesses that run everything from their home to giant corporations. They are equal in at least one area, if they are handling consumer credit card information they must be PCI compliant. Some small businesses, especially online ones, pass credit card payment to another site such as Paypal, in which case wouldnt need to store any credit card data. For everyone else there are four levels of compliance listed numerically as merchant levels. It should be noted that these are general compliance guidelines and each brand (Visa, Mastercard, etc.) has their own criteria. For example, here are the compliance requirements and validation for each merchant level from Visa brand:
Merchant Level 1 includes any company with 6 million or more transactions per year and those that have had a data breach resulting in compromised data.
Requirements:
Every year:
- File a Report on Compliance (“ROC”) by Qualified Security Assessor (“QSA”) or Internal Auditor if signed by officer of the company. We recommend the internal auditor obtain the PCI SSC Internal Security Assessor (“ISA”) certification.
- Submit an Attestation of Compliance (“AOC”) Form.
Every quarter:
- Conduct a quarterly network scan by an Approved Scan Vendor (“ASV”).
Merchant Level 2 consists of any company processing 1 million to 6 million transactions per year.
Requirements:
Every year:
- Complete a Self-Assessment Questionnaire (“SAQ”).
- Submit an Attestation of Compliance (“AOC”) Form.
Every quarter:
- Conduct a quarterly network scan by an Approved Scan Vendor (“ASV”).
Merchant Level 3 is any company having 20,000 to 1 million transactions annually.
Requirements:
Every year:
- Complete a Self-Assessment Questionnaire (“SAQ”).
- Submit an Attestation of Compliance (“AOC”) Form.
Every quarter:
- Conduct a quarterly network scan by an Approved Scan Vendor (“ASV”).
Merchant Level 4 is any merchant with less than 20,000 transactions annually.
Requirements:
Every year:
- Complete a Self-Assessment Questionnaire (“SAQ”).
- Submit an Attestation of Compliance (“AOC”) Form.
Every quarter:
- Conduct a quarterly network scan by an Approved Scan Vendor (“ASV”) (if applicable).
Noncompliant Penalties
Any company that accepts American Express, Discover, JCB, MasterCard, and Visa needs to be PCI compliant. These are the major credit brands that established the Data Security Council. They can hand down penalties to the merchant banks who can in turn hand off those penalties to their merchants. Penalties for acquiring banks can be as much as $100,000 per month for non-compliance. That might not seem like much for a large corporation, but it could be enough to cripple a small business. PCI compliance isnt a law, but the penalties make it worth it for companies to follow. Not only does compliance protect against fines, but the added security protects a companys reputation and most importantly their customers.
Those are the costs for a company being found non-compliant, but what about if a company is suspected of having a data breach? A team of PCI-DSS certified forensics security examiners is brought in to examine a companys business practices. A merchant can expect the following during this process:
- A security policy reviewyour security policies will be thoroughly reviewed and evaluated.
- An internal network vulnerability assessmentevery computer/server/network service will be tested for thousands of security weaknesses.
- Penetration testingif you have an IP connection, your network perimeter will be reviewed and evaluated. Next, a complete vulnerability assessment will be conducted. Then, the examiners will manually attempt to penetrate the perimeter.
- A manual computer inspection all of your equipment (server, workstation, firewall, router, etc.) will be tested manually to ensure it is running the appropriate software versions, and then all virus software and other critical software components will be manually inspected.
- Wireless security testingif any computers in your network have wireless access, the examiners will look for wireless accessibility to unauthorized computers and data.
- Phone line testingyour corporate phone system will be searched for listening modems and other potential security weaknesses.
All of this can take as long as several weeks and that means that business comes to a halt while the examination takes place. The cost of this alone can be anywhere between $8,000 to $20,000 for level 4 merchants. The consequences for an actual breach of consumer data is as follows:
- $3 to $10 per card for replacement costs
- $5,000 to $50,000 (or more) in compliance fines
- Additional fines based on the actual fraudulent use of the cards, which will vary depending on the number of cards exposed
In addition to action taken by the PCI-DSS, there is a chance a data breach could result in consumers taking action of their own in the form of lawsuits. One of the more recent instances of a big retailer running into a data breach, was Target. Hackers stole card information as well as card verification codes. The breach affected 41 million customer payment card accounts and the contact information for 60 million. The result was the largest settlement for a data breach ever, $18.5 million. The other requirements for the large retailer were:
- Develop, implement and maintain a comprehensive information security program
- Employ an executive or officer responsible for executing the program
- Hire an independent expert to conduct a security assessment
- Maintain and support data security software on the company’s network
- Segregate the cardholder data from the rest of the network
- Take steps to control network access, including password rotation policies and two-factor authentication.
The cost of experiencing a data breach is high and it takes a great deal of effort to rebuild consumer confidence after such an event. The best thing is to remain PCI compliant, that is the quickest way to stay protected and secure against something like this.
Recap
Consumers use recurring autopay transactions to conveniently pay bills in an increasingly busy world. Merchants offer autopay because it means that they have regularly scheduled payments coming in. In order to offer autopay services, merchants need to store credit card data for the consumer. Storing that data must be done according to PCI DSS in order to ensure that merchants are PCI compliant. Card verification codes can not be stored, only basic cardholder information. Merchants must remain PCI compliant as long as they are storing cardholder data. Failure to do so results in possible fines.
References:
https://www.PCIcomplianceguide.org/faq/#1
https://www.PCIsecuritystandards.org
https://usa.visa.com/support/small-business/security-compliance.html
https://www.usatoday.com/story/money/2017/05/23/target-pay-185m-2013-data-breach-affected-consumers/102063932/
Download Our PCI DSS Checklist
Assess where your organization currently stands with being PCI DSS compliant by completing this checklist. Upon filling out this brief form you will receive the checklist via email.
About RSI Security
RSI is the nation’s premier information security and compliance provider dedicated to helping organizations achieve risk-management success. We work with some of the world’s leading companies, institution and governments to ensure the safety of their information and their compliance with applicable regulation. We also are a security and compliance software ISV and stay at the forefront of innovative tools to save assessment time, increase compliance and provide additional safeguard assurance. With a unique blend of software based automation and managed services, RSI can assist all sizes of organizations in managing IT governance, Risk management and compliance efforts (GRC).