The march to a near cashless society advances. If your organization is like most, you're accepting credit cards right and left, and at the same time scrambling to comply with PCI data standards. Even when your organization is certified as PCI compliant, you still work hard every day to maintain your status since systems constantly change.
Have you found all the nooks and crannies where credit cards are used and stored in your organization? We thought we were done. We were “all over” the credit card payments our customers send. Our customers come to our website or via phone to pay for insurance. We felt so strongly about PCI compliance, that we outsourced all the processing to a worthy PCI compliant partner, Metavante. Whew!
Well, it turned out we hadn't really turned over all processing to Metavante. We started finding the other two percent of credit card transactions our company processed were not so well understood or described. Consequently, that other two percent was not so protected. We even found some processing we weren't even aware of.
Our search found processing done by business partners that could be attributed to us. These transactions were handled by the vendor on their site, but the processing was for our logo merchandise. The vendor's customers are our company's employees and clients. If there was a breach of the vendor's site and data, we felt we would be brought in to share the blame.
Let's consider more examples of credit card processing in the nooks and crannies of our organization.
In the case of logo merchandise, the vendor had our permission to use our company trademark on their site. It was the vendor's business and their processing, but we have a stake because some of the customers were our customers and employees.
Another example: the vendor at our company cafeteria decided to start taking credit cards. Good decision. But, the security department didn't get wind of the new situation until the last minute. Our company's telecom people are nice and helpful. They were going to facilitate a feed from the vendor's cash register credit card readers – over our lines – and out to the internet to the vendor's site. Uh-oh. The telecom people didn't know about PCI, and it didn't occur to them to encrypt the transmission. Luckily we started asking about the cafeteria vendor's PCI compliance. Again, running the cafeteria wasn't our company's business, but its customers were our employees and they expect us to protect them.
Our recommendation: conduct regular searches to find all the nooks and crannies where little pockets of credit card processing pop up.
Nancy Edwards advises companies to look at the not so obvious credit card transactions. United Way and other causes are worthy, she says. Does your company facilitate employee contributions via credit card?
If your people contribute to a PAC via credit card, they're more likely to contribute. Does your government relations officer have paper files, Word docs and spreadsheets – with credit card numbers of contributors, she asks.
Credit card returns
When a transaction needed to be reversed, says Edwards, notices were coming from the bank processor on paper with the customer's complete credit card number, name and address in plain text. That practice was stopped.
What's not to like?
Paying by credit card is easier, faster and it gets you perks. There's everything to like about credit card processing – as long as it's safe. That's our job in the security department – enable everything, the safe way, she says.