Wednesday, September 3, 2014
Security of Credit Card Transactions

Reprinted from the April 2009 "Cyber Security Tips Newsletter," with permission from James MacDougall, Chief Security Officer

The use of credit cards to pay for goods and services is a common practice around the world that enables business to be transacted in a convenient and cost-effective manner. However, more than 100 million personally identifiable customer records have been breached in the United States over the past two years. Many of these breaches involved credit card information. Continued use of credit cards requires confidence by consumers that their transaction and credit card information are secure. The following explains how the credit card industry has responded to security issues and the steps you can take to protect your information.

Who Regulates the Security of Credit Card Transactions?

The Payment Card Industry (PCI) Security Standards Council developed standards and policies that must be met by all vendors that accept credit card transactions. The Council's members include American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa International. The Council created an industry-wide, global framework that details how companies (specifically banks, merchants and payment processors) handle credit card data. The result was the PCI Data Security Standard (DSS), a set of best practice requirements for protecting credit card data throughout the information lifecycle.

The PCI compliance security standards outline technical and operational requirements created to help organizations prevent credit card fraud, hacking and various other security vulnerabilities and threats.

The requirements are applicable if a credit card number is stored, processed or transmitted. The major credit card companies require compliance with DSS rules via contracts with merchants and their vendors that accept and process credit cards. Banks, merchants and payment processors must approach DSS compliance as an ongoing effort in which compliance must be validated annually, and companies must be prepared to address new aspects of the standard as it evolves based on emerging technologies and threats.

How is my Credit Card Information Protected?

The PCI standards detail what protective measures are required regarding the storage and transmission of credit card information. For electronic Point of Sale (POS) transactions, the information is encrypted and transmitted directly to the credit card processor. For an online transaction, the merchant is required to have a secure server and an encrypted connection to the customer. Access to credit card information is restricted based on a business need-to-know. The standards include guidelines for developing and maintaining secure systems and applications. Recent focus includes heightened security requirements for wireless networks due to the jump in the use of wireless POS terminals.

What if a Merchant Does Not Follow the Standards?

If a member, merchant or service provider does not comply with the security requirements or fails to rectify a security issue, they may face fines of up to $500,000 per incident or restrictions imposed by the credit card companies, including denying their ability to accept or process credit card transactions.

What Can I Do to Secure My Credit Card Information?

You can help secure your credit card information by adhering to the following guidelines:

  • Don't respond to e-mail or pop-up messages. If you get an e-mail or pop-up message while you're browsing, don't reply or click on the link in the message or any attachments, especially if personal or financial information is requested. Legitimate organizations don't ask for this information in these ways.
  • Guard the security of your transaction. When purchasing online, look for the "lock" icon on the browser's status bar and be sure "https" or "s-http" appears in the Web site's address bar. The "s" stands for "secure."
  • Use temporary account authorizations when available. Some credit card companies offer virtual or temporary credit card authorization numbers. This kind of service gives you use of a secure and unique account number for each online transaction. These numbers are often issued for a short period of time and cannot be used after that period. Contact your credit card company to see if they offer this service.
  • Limit your online shopping to merchants you know and trust. If you have questions about a merchant, verify it with the Better Business Bureau or the Federal Trade Commission.

The information provided in the monthly Security Tips Newsletter is intended to increase the security awareness of an organization's end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization's overall cyber security posture.

Published by Division of State Information Technology
Copyright © 2009 S.C. Budget and Control Board. All rights reserved.