Tech Talk



Credit Card Storage Safety Net.

So have you heard the term ‘Referential Credit Card Processing’ or RCCP?
It is a mostly unknown process that some credit card processing centers use
to remove the liability of storing credit card data. Here’s how it works…

Consider the new customer that charges his purchase to his VISA card, and wants
to use that card for a monthly payment. Historically [or typically] we’d get
an authorization from the customer and then store his card data in a myriad of
security and encryption mazes designed to thwart every 9-year-old hacker from
gaining access. Then when the monthly batch process came, we’d look up the
credit card information and submit the authorization request. Pretty typical.

Customers and end users like that kind of convenience, but don’t think much
about losing their credit card data until after it happens. How about we
[as an American business] take a stand against the bad guys and come up
with a better way to do this that will ultimately protect our business
and our customers?

Take a second to recall the last security breach you heard about on
the news – “250,000 credit card numbers stolen or leaked”. Now what
impact would that have on your business? What liability does storing
that card data inherently include? How does that swing the balance of
power in this new economy? Interestingly enough, most of these breaches
target the weakest link… and avoid the shiny new firewall and intrusion
detection systems.

Until recently, there weren’t too many alternatives to storing the data.
Regulating bodies like PCI (Payment Card Industry) have a lot to do with
the required infrastructure to support the storage of this sensitive data
(and for good reason). Experience shows that even the year-to-year
differences in regulations are exponential in the demand they place on
your technology budget and personnel, so a new environment is needed to
virtually eliminate that liability.

Enter RCCP. This methodology is pretty simple and very effective. When
fully implemented, you will realize a 100% loss of credit card data onsite.
That sounded like a negative thing, but this is one ‘loss’ you want.
Here’s how it goes:

   1. Customer charges with his credit card.
   2. You transmit the number and a uniqueID to your merchant services group.
   3. You store the uniqueID and maybe the last four digits of the card.
   4. Recurring charges reference the uniqueID and change the amount to be charged.

Now, next month when you are ready to charge his credit card in some cool
batch process built into your billing software, you send the original
referenceID and the new amount – NO CREDIT CARD INFORMATION IS SENT. You
don’t send it… you don’t store it! In most cases there is a length
of time the referenceID will stay alive, but when you’re doing a
monthly recurring billing, you shouldn’t bump up against it.
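
The four steps above as a small simulation, added here as an example and not code from 1st Guard or any processor. `ProcessorVault` stands in for the merchant services group; the class and method names, the 365-day reference lifetime and the renewal of the reference on each successful charge are assumptions.

```python
import secrets
from datetime import timedelta

class ProcessorVault:
    """Stand-in for the merchant services group: the only party holding the card number."""
    def __init__(self, reference_lifetime_days=365):  # lifetime is an assumed value
        self._cards = {}  # unique_id -> (pan, expires_at)
        self.lifetime = timedelta(days=reference_lifetime_days)

    def initial_charge(self, unique_id, pan, amount, now):
        # Steps 1-2: the card number and the uniqueID arrive together, once.
        self._cards[unique_id] = (pan, now + self.lifetime)
        return {"status": "approved", "unique_id": unique_id, "amount": amount}

    def reference_charge(self, unique_id, amount, now):
        # Step 4: only the uniqueID and the new amount arrive.
        entry = self._cards.get(unique_id)
        if entry is None:
            return {"status": "declined", "reason": "unknown reference"}
        if now >= entry[1]:
            return {"status": "declined", "reason": "reference expired"}
        # Assumed behaviour: a successful charge keeps the reference alive.
        self._cards[unique_id] = (entry[0], now + self.lifetime)
        return {"status": "approved", "unique_id": unique_id, "amount": amount}

class MerchantBilling:
    """Merchant side: stores the uniqueID and last four digits, never the card number."""
    def __init__(self, vault):
        self.vault = vault
        self.customers = {}  # customer -> {"unique_id", "last4"}

    def enroll(self, customer, pan, amount, now):
        unique_id = secrets.token_hex(16)  # random, so it reveals nothing about the card
        result = self.vault.initial_charge(unique_id, pan, amount, now)
        if result["status"] == "approved":
            # Step 3: persist only the reference and the last four digits.
            self.customers[customer] = {"unique_id": unique_id, "last4": pan[-4:]}
        return result

    def monthly_charge(self, customer, amount, now):
        record = self.customers[customer]
        result = self.vault.reference_charge(record["unique_id"], amount, now)
        if result.get("reason") == "reference expired":
            # The merchant cannot recover on its own: it holds no card data.
            result["action"] = "ask customer to re-enter card"
        return result
```

The expired-reference branch is the one operational cost of the scheme: once the reference lapses, the only recovery path is collecting the card from the customer again.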

Back to PCI for a second. Personal experience resulted in a reduction in spending
and effort to 10% of the original cost; 100 pages of compliance questionnaires to
10 pages. So yeah… your security gear looks cool. Flashing lights and all that
would make any normal technician stand at attention, but let’s get real. How about
we eliminate the golden egg altogether so a modern-day Passover happens and we
keep our sanity, jobs and restful nights.

Put the hacker out of business… and keep America in it!

Dan Ribar
dribar@1stguard.com
1st Guard Corporation
http://www.1stguard.com