Tuesday, February 13, 2007

PCI, FACTA, CISP, SDP - Just don't lose those credit card numbers!

No online service wants to read about themselves in the news under the headline "ACME Web 2.0 loses 350,000 credit card numbers". So I felt a shiver of fear last week when a client told me that our registration application was not FACTA compliant. My fear soon turned to anger, after spending the past six months pushing through new development to achieve Level 1 PCI Compliance, after we decided to move beyond CISP without having to implement SDP.

Lost yet? Well, it turns out that the politicians and various credit card companies each tackled the problem of credit card security separately.

Payment Card Industry Data Security Standards

PCI stands for Payment Card Industry - an association that reflects the combined interests of VISA, MasterCard, Discover, American Express, and JCB to promote financial data security standards. Prior to publication of the PCI Data Security Standards in September 2006, each card brand managed their own set of requirements. I first implemented VISA's Cardholder Information Security Program (CISP) in 2001, and Certain had maintained compliance with it ever since. We were about to embark on MasterCard's program (Site Data Protection or SDP) when the PCI Standard was announced, which obviously saved a lot of time and money for online vendors who accept multiple credit card types.

We fall into the "Level 2" category for PCI Compliance, for processors with between 150,000 and six million annual transactions. Nevertheless, we plan to grow and want to be as secure as practical, so we opted to achieve Level 1 compliance.

There are six categories of PCI compliance security standards, with 12 broad requirements. I'll cover these details another day, but if you want to read ahead there's always the PCI Compliance Guide.

FACTA and Your Taxpayer Dollars at Work

While the five major credit card brands were solving the problem of data security in a way that made business's lives easier, in 2003 Congress passed the Fair and Accurate Credit Transactions Act (FACTA), an amendment to the Fair Credit Reporting Act (FCRA).

Section 113 of FACTA (don't follow that link!) took effect in December 2006, three years after the amendment was passed into law.

Section 605 of the Fair Credit Reporting Act (15 U.S.C. 1681c) is amended by adding at the end the following:
(g) Truncation of Credit Card and Debit Card Numbers.--
(1) In general.--Except as otherwise provided in this subsection, no person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.

However, page 6 of the PCI DSS self-assessment questionnaire says nothing about expiration dates, but it does ask, "Are all but the last four digits of the account number masked when displaying cardholder data?"

I guess Congress thinks they know more than the businesses whose livelihoods depend on the security of cardholder data, but anyway, after our patch this week the transaction on Certain's confirmation page will change from

Richard Borry (Visa ******1266 exp. 10/08)


Richard Borry (Visa exp. 10/08)

and as a result we will be compliant with FACTA, PCI, CISP, and SDP.

The Bottom Line

Enough with the acronyms and anti-government over-regulation diatribe. What I hope you learn is that:
  1. Professional web software providers care deeply about the security of your credit card data
  2. Companies like Certain spend hundreds of thousands of dollars to adhere to the state-of-the-art standards, and to maintain compliance to those standards as they change
  3. You do *not* want to deal with this yourself

Ask your software vendor about PCI Compliance, ask to see an independent audit report, and think twice when your IT group says "No problem" about building an in-house system that will handle credit card data online.


Anonymous said...

You write very well.

Bryan said...

If you are PCI compliant, do we need to adhere to FACTA requirements? are FACTA requirements met in PCI-DSS?

Bryan said...

Does PCI Compliance adhere to FACTA requirements. Basically, if I am PCI compliant, I don't need to worry about FACTA?

Rick Borry said...

Hi Bryan and thanks for reading -

FACTA is United States Federal Law, thus only entities governed by U.S. law must comply with it.

PCI is a business requirement imposed by credit card issuers and so it applies to anyone who accepts major credit cards online (Visa, Mastercard, American Express, Discover, etc.)

If you are governed both by U.S. law and the credit card companies, then you must adhere to FACTA and potentially must adhere to PCI (depending on your transaction volume). PCI should be the foundation of your Internet payment processing security strategy, but you cannot ignore the laws of countries you do business in.

The only additional requirement that we found in FACTA beyond PCI was related to the amount of credit card information that can be displayed in a payment receipt (or confirmation).

PCI allows the last 4 digits of your credit card number, so this is PCI compliant:

Richard Borry (Visa **0916, exp. 05/10)

FACTA allows 5 digits of the credit card number *or* the expiration date, so these are FACTA compliant:

Richard Borry (Visa 4**0916)
Richard Borry (Visa exp. 05/10)

Since we are bound by both FACTA and PCI, we settled upon this in our payment confirmations:

Richard Borry (Visa **0916)

This seems like a very minor detail until a quarter-million dollar client holds up your renewal due to the legal department insisting on full FACTA compliance.

Things like this are why you don't want to build your own system in-house and try to keep up with these issues. Visit us at www.certain.com for more information about our online registration application.

Mike said...

This message is for Rick Borry.

Thanks for your post. Got a question. You said the example of
Richard Borry (Visa 4**0916)was compliant with FACTA. The example appears to show 5 digits...the first and the last 4. It is my understand in must be up to the "last" 5 of the cc#. If your example is correct could you please direct me to your source. Thanks.

Rick Borry said...

Sorry for the confusion Mike.

FACTA indeed only allows the last 5 digits of the credit card number. (The original post was correct, my comment was mistaken.) In our application we display only the last 4 digits, e.g.

Richard Borry (Visa **0916)

because you can infer the first digit of the credit card number from the type (e.g. Visa starts with 4, Mastercard with 5, Amex with 3, etc. - see http://en.wikipedia.org/wiki/Credit_card_numbers)