Office: 952-941-0855   

Data Security for You and Your Credit Card Customers

Accepting credit cards at your facility is both an asset and a liability. It's great to give your customers the convenience of paying by credit card (and racking up those frequent flyer miles), and it's also great to see the money deposited in your bank account, sometimes in as little as 24 hours. But there's a hidden liability you need to know about: data security.

When you signed your merchant agreement with Visa or MasterCard, you agreed to the terms of the agreement. In the small print somewhere, it probably said that you also agree to abide by new rules as they may change. That's where data security comes in: with the incredible increase in identity theft cases, you have a role to play in helping to protect your customers!

If you store specific credit card information at your facility, be aware of the added liability you are assuming. Here's a chart that outlines a merchant's responsibility:


The credit card industry also cites the "PCI Dozen" -- the list of twelve tasks required of any organization that comes in contact with payment card data. Failure to follow through with all of these could cost you a LOT in a settlement:

  1. Install and maintain firewalls to protect cardholder data.
  2. Don't use vendor-supplied defaults for passwords or other security purposes.
  3. Protect stored cardholder data.
  4. Encrypt cardholder data that moves across open, public networks.
  5. Use and regularly update anti-virus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data to only those who absolutely need it.
  8. Assign a unique identification to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a formal information security policy.

Many POS systems keep sensitive information in their databases, and if someone were to break into your facility and make a quick backup of this data, they could be stealing a lot of incredibly valuable information. Or maybe you keep a listing of member credit card numbers handy and use it for charging their monthly dues, but one night you forget to lock it up in the safe, leave it on the desk, and somebody makes a copy of it. Or perhaps you use a miscellaneous field in the membership module to store the member's credit card number and expiration date. In any of these scenarios, if the numbers are traced back to you, you could be held financially liable for each one -- up to about $50,000 per card number! You don't need a calculator to know that such a situation could quickly put you out of business.

Check your procedures and check your software to make sure you're safe. Club Office's SQLPos Point of Sale system does not store any of the above-mentioned information, so you are safe there. If you use any of the Club Office system's miscellaneous fields for storing it instead, however, you should reconsider doing that. Likewise, if you use a printed or manual list, you should reconsider doing that as well.

To learn more about the new data security standard, visit: www.pcisecuritystandards.org. For your convenience, you can also download the 16-page PDF that highlights the PCI (Payment Card Industry) requirements by clicking on this link:  pci_dss_v1-1.pdf

Credit Cards and Club Office

At the present time, our software includes no functions to store credit card or bank account information. The extreme financial risk of having cardholder data compromised is much too great.

We strongly suggest that users not use any of the data fields in Club Office to store credit card information of any type. None of the fields is labeled or intended for such information, and storing it there is outside the suggested usage of our software.

Using Mercury Payment System's Magtek iPad external card swiper is the easiest and fastest way to add a huge level of security to your card processing. The device costs roughly $220 and is integrated into SQLPos, our POS system, or you can use it in a standalone mode in your office if you wish to process member payments via credit card. Contact us for information about this fantastic tool that can increase your card security so simply!