Credit Card Processing Companies Risk Exposure

Merchants and credit card processing companies who store magnetic stripe information provide fraudsters with an appealing and vulnerable platform from which to collect sensitive account information. As the very essence of mag-stripe information theft keeps evolving, so does the requirement for retailers to continually strengthen their security controls and greatly limit their exposure to data compromise risk.

How Credit Card Processing Companies Can Limit Risk Exposure

• Achieve PCI compliance. Merchants should work with their credit card processing companies to understand their data security role and what is required in regard to PCI compliance.
• Do not keep mag-stripe information after obtaining transaction authorization. The entire contents of track data, which are read from the magnetic stripe by the POS device, must not be stored on any system after an authorized is received. If kept in a PCI-compliant fashion, the account number, "Good Through" date, and customer name are the only pieces of track data that can be stored.
• Examine your current or pending payment applications. Perform a thorough evaluation of all such applications to ensure the non-storage of mag-stripe data. Verify the security of these applications using Payment Application Best Practices (PABP), which can be obtained from your credit card processing companies.
• Report any account breach immediately after discovering it. If you suspect that such an event has taken place, alert all involved parties right away. Send a list containing all compromised card account numbers to your credit card processing companies within one business day. Keep in mind that the sooner you notify your bank for an account compromise, the sooner you shut the door closed for any counterfeit fraud and minimize your exposure.
• Understand your liability for information security issues. Many merchant processing services contracts explicitly hold the retailers liable for any losses resulting from compromised account data if the retailer (and / or its service provider) lacked sufficient data security capabilities.

In the end of the day, an extra effort in prevention can go a very long way, as any costs that retailers and credit card processing companies expend up front to protect mag-stripe data are most likely going to be far lower than what they could end up paying in overall liability for data compromises.

Acquirers are liable for no more than 80 percent of the total number of card accounts implicated in a mag-stripe data compromise. The remaining 20 percent is the rough percentage of accounts that typically will need little or no work by the issuers.