Mercury Payment Systems, an integrated payment processing company,
based in Durango, Colo., is trying to raise awareness among its
merchants about the Payment Card Industry (PCI) Data Security Standard
that covers storage and handling of sensitive data for all card brands.
In late 2005, the company sent letters to its more than 6,000 merchants
urging them to contact their point-of-sale (POS) system vendors to get
the most recent, PCI-compliant version of their software. The letters
followed similar mailings to Mercury’s partners in the transaction
processing chain: the developers of software used in POS systems and the
resellers who install the systems.
“It’s part of a broad awareness campaign to inform all of our
developer, dealer and merchant partners of the steps they need to take
to ensure PCI compliance,” said Marc Katz, President of Mercury.
“Mercury is PCI compliant, but unless the merchant is using the most
recent version of software for his POS, his system may be storing data
that could be targeted for theft.”
Mercury’s PCI awareness campaign will continue with follow-up mailings,
phone calls, brochures, and online training for merchants, dealers, and
developers. All PCI-compliance correspondence from the company will be
identified with a security awareness logo developed specifically for
the campaign.
“What is important to note,” Katz stressed, “is that when the credit
card associations track a data compromise back to a merchant location,
that merchant may be held liable for the loss. We have seen fines of
more than $100,000 associated with data compromise on a modest number
of cards.”
Mercury began working with the developers of the POS systems into which
its processing platform is integrated more than a year ago to help them
modify their software to comply with the PCI guidelines.
“Most POS vendors now have compliant versions,” Katz said. “The most
important step merchants can take to protect their businesses from card
data loss and potential liability is to work with their POS providers
to get a PCI-compliant version of software installed.”
As a result of mounting criminal activity, the credit card associations
(Visa, MasterCard and others) developed the PCI Data Security Standard, a
set of 12 requirements for the secure storage and handling of sensitive
payment card data. The requirements prohibit storage of certain data
after a transaction has been authorized, such as the full contents of
the card’s magnetic stripe, and require that whatever card data is
stored be protected, for instance by encryption.
“Theft of electronically stored card data is a fairly recent issue,”
Katz explained. “The card associations first scrutinized payment
processing companies followed by large merchants and E-commerce sites.
The attention is now shifting to smaller businesses, like restaurants
and small to mid-size retailers.
We feel we have a duty to inform our merchants about PCI compliance
since they have the primary liability in the event a card data theft is
traced back to their business.”
“This is a topic that a lot of people have been avoiding – that a large
number of merchants have older, non-PCI compliant POS systems that
store prohibited data,” said Matthew Turner, the company’s Chief
Marketing Officer. The prohibited data includes the full track data
encoded on the card’s magnetic stripe, which not only identifies the
cardholder but also lets a thief encode counterfeit cards. The magnetic
stripes on such cards would mirror those on the genuine cards,
potentially resulting in untold fraudulent charges.
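To make the problem concrete, here is an added example (not code from Mercury, from any POS vendor, or from the original article) that scans a constructed POS transaction log for exactly the data the paragraph above describes: full magnetic-stripe track data (Track 1 and Track 2 formats) and bare card numbers, the latter filtered with the Luhn check so that order IDs and timestamps are not reported. It also shows the redaction an upgraded system would apply, dropping track data entirely and keeping only a truncated card number. The log layout, field names and the sample lines are assumptions; the card numbers are Luhn-valid test numbers, not real accounts.

```python
import re

# Track 1 (ISO/IEC 7813): %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2 (ISO/IEC 7813): ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")
# Bare PAN candidate: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample of what an un-upgraded POS might write to its transaction
# log. The layout is hypothetical; the card numbers are Luhn-valid test numbers.
SAMPLE_LOG = [
    "2006-01-12 10:31:05 AUTH ok amt=42.17 track2=;4111111111111111=25121011234567890? appr=123456",
    "2006-01-12 10:33:40 AUTH ok amt=9.99 track1=%B5500000000000004^DOE/JOHN^2512101000000000000000? appr=654321",
    "2006-01-12 10:35:12 SETTLE batch=1234567890123 pan=378282246310005 amt=120.00",
    "2006-01-12 10:36:00 AUTH ok amt=15.00 pan=550000******0004 appr=111222",
]


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep the first six and last four digits (the PCI DSS display limit)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line):
    """Return (kind, masked_pan) for each item of prohibited data found in one log line."""
    findings = []
    for m in TRACK1_RE.finditer(line):
        if luhn_ok(m.group(1)):
            findings.append(("track1", mask_pan(m.group(1))))
    for m in TRACK2_RE.finditer(line):
        if luhn_ok(m.group(1)):
            findings.append(("track2", mask_pan(m.group(1))))
    # Strip the track data before looking for bare PANs so each card is reported once.
    rest = TRACK2_RE.sub("", TRACK1_RE.sub("", line))
    for m in PAN_RE.finditer(rest):
        pan = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(pan):  # batch numbers, timestamps and the like rarely pass Luhn
            findings.append(("pan", mask_pan(pan)))
    return findings


def scan_lines(lines):
    """Return (line_number, kind, masked_pan) for every hit across the whole log."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for kind, masked in scan_line(line):
            hits.append((n, kind, masked))
    return hits


def redact_line(line):
    """Rewrite a line the way a compliant POS would have stored it in the first place."""
    # Full track data may not be retained after authorization at all, so drop it.
    line = TRACK1_RE.sub("[TRACK1 REMOVED]", line)
    line = TRACK2_RE.sub("[TRACK2 REMOVED]", line)

    # A card number may be kept only in unreadable form; here it is truncated.
    def _mask(m):
        pan = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(pan) if luhn_ok(pan) else m.group(0)

    return PAN_RE.sub(_mask, line)


if __name__ == "__main__":
    for n, kind, masked in scan_lines(SAMPLE_LOG):
        print(f"line {n}: {kind} data at rest for card {masked}")
    print("--- redacted ---")
    for entry in SAMPLE_LOG:
        print(redact_line(entry))
```

Run over the sample, the scanner flags the first three lines (Track 2, Track 1 and a bare card number) and passes the fourth, which already holds only a truncated number; the batch number on line three is skipped because it fails the Luhn check. Pointing `scan_lines` at real POS log, database export or swap files is a quick way to confirm whether an older system is retaining what Turner describes before an attacker finds it.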
“Card associations woke up to this about three years ago,” Turner said.
“They first focused on the processors. We’ve been compliant for about
three years. Then they focused on the e-commerce merchants. Just now
they’re starting to focus on the smaller merchants.”
Turner points out that improper storage of this data is one of the
significant security issues facing merchants today. Some smaller
merchants have been using the same POS systems for the last 10 years or
longer. Many of those same merchants are so involved with the
day-to-day operations of their business that they see POS security as a
minor issue, if they recognize it at all.
Beyond that, many of these merchants are too small to have IT staffs
and don’t have the technical savvy themselves to know how to upgrade
their systems. In these instances, even if the patches are free, the
merchants will see an expense from hiring or contracting for the
necessary IT expertise.
While this expense can run from a few hundred to several thousand
dollars (depending on the number and type of POS devices), it is far
less than the fines could be, according to Turner. So it is important
for the company, as well as for independent sales organizations (ISOs),
to inform merchants of these potential problems.
Beyond the software upgrade itself, merchants should take basic steps
to secure their computers and network in order to protect themselves
from fines or outright fraud, according to Turner. PCI guidelines
require that Internet-connected sites have a firewall protecting them
from unsolicited external connections, and remote access passwords
should be complex and not shared among sites.
“But the main thing that can be done is to reduce the amount of
sensitive data that is stored and to encrypt whatever is stored. This
is the focus of the software upgrades that most POS vendors have
completed,” Katz said.