Keeping members’ credit card numbers on file may be riskier than you thought.
Does your association electronically handle, process, or store members’ debit or credit card information? If so, pause for a moment and ask yourself, “Why?”
Your answer to that question is critical because the costs of handling members’ sensitive financial information can far outweigh the benefit. The “cost” is the price of keeping financial data secure and complying with data security laws and standards. Even more costly could be the consequences of not complying with security laws.
For example, TJX Companies Inc. (the parent company of several chain stores, including TJ Maxx and Marshalls) paid out $140 million to settle class-action suits after hackers breached the company’s computer network and obtained customers’ credit card numbers and other information.
Following the TJX breach, the five major credit card brands (Visa, MasterCard, American Express, Discover, and JCB International) joined forces to create the Security Standards Council to address threats to credit card information and to help merchants avoid TJX-like liability in the future.
Although compliance with the council’s Payment Card Industry (PCI) Data Security Standard is not required by law, it is enforced by individual payment card brands that may impose financial or operational consequences on noncompliant merchants, including stiff fines and transaction suspension. (Of course, each state has its own laws. For more, visit REALTOR.org/LetterLw.nsf/pages/1205didknow.)
From class-action damages to noncompliance penalties, financial data security is serious business these days.
Why You Need to be Concerned
Even if your association does not accept payment card transactions, PCI compliance may still be of interest to you. Electronically storing credit card information in any format may lead to potential liability. If, for example, your association keeps a spreadsheet of its officers’ credit card information for the convenience of booking reservations, then your association has assumed liability for the security and protection of that information.
The PCI standard requires merchants to implement 12 account-protection mechanisms, including encryption, vulnerability scans, and firewalls and antivirus software. These requirements are listed and explained on the council’s Web site, www.pcisecuritystandards.org.
Although outsourcing the processing, transmission, or storage of credit card data to third-party service providers, such as PayPal, Click Bank, or iBill, will relieve associations of much of the burden of PCI compliance, you still will have compliance responsibilities. Service providers must validate their compliance with PCI requirements, independent of their customers’ audits, but associations also must complete compliance reports detailing the role of the service provider. As an added precaution, associations should be sure that service-provider contracts obligate the third party to comply with PCI standards.
Many associations use the National Association of REALTORS®’ Ecommerce Network as a third-party service provider for online payments, convention registrations, and REALTOR® store purchases. As a third-party service provider, and as a merchant, NAR’s Ecommerce Network maintains PCI compliance.
Since PCI compliance requires not only implementing the security standards, but also proving that you comply with those standards, associations should first determine the level of compliance necessary. Your association doesn’t need to have the same security measures and checks in place as Target.com, for example.
At a minimum, Visa and MasterCard merchants must complete a PCI DSS Self-Assessment Questionnaire annually and conduct a quarterly network security scan with an Approved Scanning Vendor (ASV) (questionnaire and vendor list available at www.pcisecuritystandards.org).
The council’s Web site has a host of helpful information and instructions on becoming compliant. In addition to using these tools, each association subject to the PCI standards should contact its acquirer bank and third-party service provider, if applicable, to ensure that its equipment and procedures are PCI-compliant. Furthermore, buying and maintaining PCI-compliant software and hardware may be the most important step an association can take toward compliance.
The following list contains suggested steps associations can take toward PCI compliance:
• Contact your acquirer bank about additional resources and information it can provide.
• Contact a qualified consultant listed on the PCI Council’s home page to assess your association’s need and request an estimate.
• Identify the individuals who will be responsible for PCI compliance at your association, and assemble a team that includes members from each compliance area.
• Limit the PCI scope by identifying all the systems, applications, and devices that process, transmit, or store cardholder data and then assess whether retaining sensitive cardholder data is worth the risk. Sometimes, especially in the case of older systems, managers may not be aware that sensitive data is being retained.
• Create, communicate, and implement a clear business policy for your employees on handling financial data. Update employees regularly on new or different measures to ensure PCI compliance.
• Remember that you may be audited, so keeping good records that illustrate your PCI compliance and validation will ensure that your company remains in good standing with the credit card companies.
• Implement a response plan to address deficiencies discovered during the assessment or scan. This plan should define a breach and detail whom to contact and what to do when one is discovered or suspected.
• Oversee all IT decisions regarding how your organization will comply with the PCI requirements.
• Avoid using default passwords. Lists of passwords for common programs are on the Internet and can be used by hackers or other criminals.
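The scoping step above, finding where cardholder data is still being retained (for instance, the officers’ spreadsheet mentioned earlier), can be partly automated. The following is an added example, not code from the article or from NAR: it scans text for 13- to 19-digit runs that pass the Luhn checksum used by payment cards and reports only masked values, so the report itself does not become another copy of the data. The CSV-like sample is constructed and uses well-known public test card numbers.

```python
import re

# Candidate runs of 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum (mod-10) used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits (the PCI DSS display rule); mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return masked candidate PANs found in text, with their character offsets."""
    findings = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):  # drops most phone/ID numbers that merely look like PANs
            findings.append({"masked": mask_pan(digits), "offset": m.start()})
    return findings


# Constructed sample resembling a reservations spreadsheet exported to CSV.
SAMPLE = (
    "Officer,Card,Exp\n"
    "J. Doe,4111 1111 1111 1111,12/09\n"      # public Visa test number, Luhn-valid
    "A. Roe,4111-1111-1111-1112,01/10\n"      # fails Luhn: filtered out as a false positive
    "Office phone: 312-329-8372\n"            # too short to be a PAN
    "Treasurer,378282246310005,06/11\n"       # public 15-digit Amex test number, Luhn-valid
)

if __name__ == "__main__":
    for f in find_pans(SAMPLE):
        print(f"possible card number {f['masked']} at offset {f['offset']}")
```

Run the scanner over exported spreadsheets, database dumps, and log directories; any hit is a system that belongs in PCI scope or whose retained data should be deleted.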
Now that PCI standards are in place, it is easier for merchants to reduce the risk of a breach . . . and limit potential liability. Depending on the way your network is set up and the number of transactions you process, you may want to rely on your IT professional to validate compliance, or you may want to hire a consultant to assess and scan your network. The cost of hiring a third-party consultant could range from $2,000 to $8,000 or more.
Still, using a third-party vendor to process all of your association’s credit card transactions may be the safest option. Although third-party vendors, such as PayPal, charge a transaction fee, it’s a small price to pay considering that they bear the burden of PCI compliance, not to mention keeping your members’ credit card information secure.
Katherine Raynolds is a staff attorney with the National Association of Realtors® in Chicago. She can be reached at 312/329-8372 or firstname.lastname@example.org.