It’s time for the acquiring industry to think about security in broader terms, a compliance and breach reporting vendor says.
For many ISOs, security begins and ends with the Payment Card Industry data security standards, says Ross Federgreen, founder and chief innovator for Jensen Beach, Fla.-based CSR, or Compliance Solutions and Resources.
“It’s a great place to start, but it’s not the be-all and the end-all,” Federgreen says of PCI standards. “They should be looking beyond that.”
PCI was designed to protect credit and debit card numbers, but those numbers represent just one of the five key elements of personally identifiable information, or PII, Federgreen says.
Besides card data, ISOs’ customers are storing PII that might include Social Security numbers, driver’s license numbers, dates of birth, health records, routing numbers and other bits of information, he notes.
Just about any business controls such data gleaned from employees, vendors, and clients or customers, Federgreen says.
“You name it, they’ve got it,” he says of businesses’ cache of PII.
That means businesses are exposed to the risk of data breaches outside the realm of PCI protection of credit and debit card numbers, Federgreen contends.
In fact, just 4% of data breaches involve card numbers, he says.
Explaining that situation and offering help with data security that goes beyond PCI could help ISOs and agents sign up and retain merchants, Federgreen suggests.
“If a sales agent goes in to a merchant and says, ‘PII,’ they’ll get a blank stare, but if they say, ‘identity theft,’ they’ll get a positive response,” he says. “That’s key to it.”
CSR practices what it preaches. The company has expanded its work from just payments and PCI compliance, adding capabilities in PII and data management, Federgreen says.
To that end, the 14-year-old company has been participating for five or so years in activities with the International Association of Privacy Professionals. The Portsmouth, N.H.-based association broadens the staff’s understanding of privacy and data management, and a number of staff members have earned the association’s professional credentials.
The association provides CSR with education through meetings, courses and symposia; networking with privacy experts from outside the payments industry; recognition for its innovation; and entrée to markets outside the United States, Federgreen says.
That expansion beyond PCI has resulted in creation of CSR’s Breach Reporting ToolKit, which was introduced in April 2011 at the Electronic Transactions Association Annual Meeting & Expo. More than 100,000 merchants have signed up for the product, and it’s successfully handled more than 100 breaches.
When breaches occur, businesses are required to report the incident to a multiplicity of local, state and federal governments and agencies within a short time period.
In an extreme case, the Breach Reporting ToolKit informed more than “four dozen” entities in the United States and Canada when a bag full of financial and health records disappeared from the motorcycle of a tattoo artist with a shop near Niagara Falls, N.Y.
Many breaches require reports to a dozen or so entities, Federgreen says.
CSR has staff members who work full-time keeping up with changes in reporting requirements, he notes.
And their efforts apparently have paid off. The Breach Reporting ToolKit won the International Association of Privacy Professionals 2012 privacy innovation award and recently earned a patent.
The product's success has boosted sales of the company’s PCI ToolKit because customers that buy the reporting product later pick up the PCI compliance product, he says.
Early next year, the company plans to release a third product to help handle duties under HIPAA, the Health Insurance Portability and Accountability Act.