January 7, 2011

Executive Insight: Credit Card Security

As a merchant advocate, Shift4 strives to make you aware of your obligation to protect the cardholder information in your possession (card swipes, primary account numbers and associated expiration dates, etc.). This information can be of a physical nature or of an electronic nature within your Point-of-Sale (POS) or back-office accounting systems.
The actual responsibility to inform you of and assist you with your cardholder data security obligations lies with your Merchant Bank or Merchant Services Provider (MSP). Because you pay the most to your MSP for payment processing, and because they are the intermediary organization between you and the card associations, your MSP should be the one helping you to secure cardholder data. Unfortunately, they are bankers and generally they don’t have the security and technical expertise necessary to provide you with the help you need. In addition, many MSPs are promoting a new rate structure with the card associations where the discount rate goes up if the merchant can’t demonstrate that they can secure cardholder data. Generally, if the discount rate goes up, the MSP makes more money. So why then would they want to help you secure your cardholder data? What’s their incentive?

Some MSPs will provide you with security systems at an extra cost (including hardware-based end-to-end encryption or weak tokenization solutions). While such solutions may give you some level of protection, they are essentially a Trojan Horse. Once you start using them, you are tied to the MSP either with proprietary equipment or with tokens that are only usable with that specific MSP. It seems that whenever you are tied to the technology provided by the MSP, the “low” discount rate you think you negotiated goes up and up (rate creep) and there is very little you can do about it because the MSP holds all the cards (pun intended).

If your MSP doesn’t supply you with security technology or security expertise, they will generally point you in the direction of a Qualified Security Assessor (QSA). MSPs are interested in maximizing their income, so they are happy to have you pay a third party to do what they should have done in the first place. (In our next newsletter we will discuss with you some of the perils and pitfalls to avoid when dealing with QSAs.)

I am extremely proud to say that Shift4 supplies the strongest suite of cardholder security technologies available anywhere — and we provide it at no additional cost to our clients. With our technologies you will never be tied to a specific MSP or Merchant Bank. You have the option to easily change MSPs and thus avoid the rate creep that comes with MSP-specific solutions.

Watch this space in future issues for an in-depth discussion of security-related matters and how Shift4 “has your back” when it comes to cardholder data security.

Dave Oder
Shift4 Founder & CEO