Protecting the Numbers II
July 1, 2005
Know Who You’re Buying From
The second step is to make sure that the people you buy from are protecting your information. Question any request beyond what’s needed to complete the transaction.
Let’s face it, they really don’t need your social security number for most transactions, and you shouldn’t give it to them. And of course, you should be careful about who gets your number. That waiter who takes your card to the back room is a much bigger threat of theft than nearly anything on the Internet.
If you’re a merchant, either online or in a physical store, it’s up to you to be the first line of defense in protecting customers. Fortunately Visa and MasterCard have issued a set of security standards called the Payment Card Industry Data Security Standard.
The standard requires compliance with what are in reality some basic security practices. Companies that don’t meet these standards by July 1 risk losing their ability to accept MasterCard and Visa. This means that you’ll have to take a few steps you probably are (or should be) taking already.
For example, if you’re an online merchant, you must have a firewall between your computer and the outside world. You must encrypt all customer and credit card information using products such as SafeBoot from Control Break International (www.controlbreak.com) or even the more basic encryption offered within Windows. And you must take the basic steps listed in the PCI standard, including such things as changing default passwords in firewalls, routers and computers. If you’re a Visa or MasterCard merchant, your bank should have already given you a copy of these requirements.
But the standards are just a first step. You can also make your customers more willing to buy from you if you adopt business practices that protect their interests. If you’re selling over the Internet, for example, you must use a secure Web site for credit card transactions. While there’s no evidence that a credit card number has ever been stolen while being transmitted over the Internet, there’s no point in taking a chance.
You must also avoid the temptation to hang on to credit card numbers and personal data unless you’re prepared to go to the trouble and expense required to protect them as well as your customers’ banks do. You’re much better off if you simply purge all personal and credit card information as soon as you can. After all, nobody can steal what you don’t have.
And if you ask for personal information, you must be prepared to explain why you want it, and then be willing to do without it if your customer doesn’t want to tell you. Yes, it helps your marketing department to know everyone’s ZIP code, but do you really want to lose a sale if it’s not forthcoming?
You must also make sure that your handling of customer information is secure. That means you have to carefully restrict who has access, and you must monitor what they do with it. Remember, if your staff is keeping copies of credit card numbers, either with a handheld magnetic stripe reader (a device about the size of a Palm Pilot) or by keeping extra copies of receipts, it’s your fault, and you’ll suffer the liability impact. And of course, you need to get your card issuer to set up your receipt printer so that it doesn’t print the whole credit card number on the receipt.
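The receipt-truncation point above, as an added example that is not code from this column or from the card brands: it masks a card number down to its last four digits before a receipt line is printed, and the same routine can be run over existing receipt text to find numbers that were stored or printed unmasked. It assumes a policy of keeping only the last four digits, and uses the Luhn check to avoid masking other long digit runs (order numbers, phone numbers) by mistake; the sample receipt line and card number are constructed test values.

```python
import re

# Constructed sample receipt line; the card number is a synthetic test value.
SAMPLE_RECEIPT = "VISA 4111 1111 1111 1111  AUTH 012345  $42.10"

# A run of 13 to 19 digits, optionally separated by spaces or dashes.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; every real card number passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Replace all but the last `keep_last` digits with '*', keeping separators."""
    digits = re.sub(r"\D", "", pan)
    n_hidden = max(len(digits) - keep_last, 0)
    out, seen = [], 0
    for ch in pan:
        if ch.isdigit():
            out.append("*" if seen < n_hidden else ch)
            seen += 1
        else:
            out.append(ch)
    return "".join(out)


def mask_receipt_line(line: str) -> str:
    """Mask every Luhn-valid digit run in a receipt line; leave other numbers alone."""
    def repl(match: re.Match) -> str:
        candidate = match.group(0)
        if luhn_valid(re.sub(r"\D", "", candidate)):
            return mask_pan(candidate)
        return candidate
    return PAN_PATTERN.sub(repl, line)


if __name__ == "__main__":
    print(mask_receipt_line(SAMPLE_RECEIPT))
```

Run over a directory of stored receipts, any line that changes is a line that was holding a full card number and should not have been kept.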
Right now, online customers are scared. They want to do business with shops in person or online, but they don’t want their money or their identities stolen, and who can blame them? Merchants need to be able to show consumers, through secure processing systems and sound management practices, that the store can be trusted. But you also need to make it easy and convenient for customers to protect themselves, and that means not asking for information you don’t need, or keeping information when you no longer need it.
Customers will eventually come to realize that it’s not the Internet that they should worry about, but rather companies whose security practices are not up to snuff. You might not be able to do much about other companies, but at least you can work with your customers, and make it so your customers can work with you, to ensure your end of every transaction is as secure as it can be.