Lost yet? Well, it turns out that the politicians and various credit card companies each tackled the problem of credit card security separately.
Payment Card Industry Data Security Standards
PCI stands for Payment Card Industry - an association that reflects the combined interests of VISA, MasterCard, Discover, American Express, and JCB to promote financial data security standards. Prior to publication of the PCI Data Security Standards in September 2006, each card brand managed its own set of requirements. I first implemented VISA's Cardholder Information Security Program (CISP) in 2001, and Certain has maintained compliance with it ever since. We were about to embark on MasterCard's program (Site Data Protection or SDP) when the PCI Standard was announced, which obviously saved a lot of time and money for online vendors who accept multiple credit card types.
We fall into the "Level 2" category for PCI Compliance, for processors with between 150,000 and six million annual transactions. Nevertheless, we plan to grow and want to be as secure as practical, so we opted to achieve Level 1 compliance.
There are six categories of PCI compliance security standards, with 12 broad requirements. I'll cover these details another day, but if you want to read ahead there's always the PCI Compliance Guide.
FACTA and Your Taxpayer Dollars at Work
While the five major credit card brands were solving the problem of data security in a way that made businesses' lives easier, in 2003 Congress passed the Fair and Accurate Credit Transactions Act (FACTA), an amendment to the Fair Credit Reporting Act (FCRA).
Section 113 of FACTA (don't follow that link!) took effect in December 2006, three years after the amendment was passed into law.
SEC. 113. TRUNCATION OF CREDIT CARD AND DEBIT CARD ACCOUNT NUMBERS.
Section 605 of the Fair Credit Reporting Act (15 U.S.C. 1681c) is amended by adding at the end the following:
(g) Truncation of Credit Card and Debit Card Numbers.--
(1) In general.--Except as otherwise provided in this subsection, no person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.
Page 6 of the PCI DSS self-assessment questionnaire, by contrast, says nothing about expiration dates; it asks only, "Are all but the last four digits of the account number masked when displaying cardholder data?"
I guess Congress thinks they know more than the businesses whose livelihoods depend on the security of cardholder data, but anyway, after our patch this week the transaction on Certain's confirmation page will change from
Richard Borry (Visa ******1266 exp. 10/08)
to
Richard Borry (Visa exp. 10/08)
and as a result we will be compliant with FACTA, PCI, CISP, and SDP.
The Bottom Line
Enough with the acronyms and anti-government over-regulation diatribe. What I hope you learn is that:
- Professional web software providers care deeply about the security of your credit card data
- Companies like Certain spend hundreds of thousands of dollars to adhere to the state-of-the-art standards, and to maintain compliance with those standards as they change
- You do *not* want to deal with this yourself
Ask your software vendor about PCI Compliance, ask to see an independent audit report, and think twice when your IT group says "No problem" about building an in-house system that will handle credit card data online.
6 comments:
You write very well.
Gard3nG0d$
If you are PCI compliant, do we need to adhere to FACTA requirements? Are FACTA requirements met in PCI-DSS?
Does PCI Compliance adhere to FACTA requirements? Basically, if I am PCI compliant, I don't need to worry about FACTA?
Hi Bryan and thanks for reading -
FACTA is United States Federal Law, thus only entities governed by U.S. law must comply with it.
PCI is a business requirement imposed by credit card issuers and so it applies to anyone who accepts major credit cards online (Visa, Mastercard, American Express, Discover, etc.).
If you are governed both by U.S. law and the credit card companies, then you must adhere to FACTA and potentially must adhere to PCI (depending on your transaction volume). PCI should be the foundation of your Internet payment processing security strategy, but you cannot ignore the laws of countries you do business in.
The only additional requirement that we found in FACTA beyond PCI was related to the amount of credit card information that can be displayed in a payment receipt (or confirmation).
PCI allows the last 4 digits of your credit card number, so this is PCI compliant:
Richard Borry (Visa **0916, exp. 05/10)
FACTA allows 5 digits of the credit card number *or* the expiration date, so these are FACTA compliant:
Richard Borry (Visa 4**0916)
or
Richard Borry (Visa exp. 05/10)
Since we are bound by both FACTA and PCI, we settled upon this in our payment confirmations:
Richard Borry (Visa **0916)
This seems like a very minor detail until a quarter-million dollar client holds up your renewal due to the legal department insisting on full FACTA compliance.
Things like this are why you don't want to build your own system in-house and try to keep up with these issues. Visit us at www.certain.com for more information about our online registration application.
This message is for Rick Borry.
Thanks for your post. Got a question. You said the example of
Richard Borry (Visa 4**0916) was compliant with FACTA. The example appears to show 5 digits...the first and the last 4. It is my understanding it must be up to the "last" 5 of the cc#. If your example is correct could you please direct me to your source. Thanks.
Sorry for the confusion Mike.
FACTA indeed only allows the last 5 digits of the credit card number. (The original post was correct, my comment was mistaken.) In our application we display only the last 4 digits, e.g.
Richard Borry (Visa **0916)
because you can infer the first digit of the credit card number from the type (e.g. Visa starts with 4, Mastercard with 5, Amex with 3, etc. - see http://en.wikipedia.org/wiki/Credit_card_numbers)