As processors of a low volume of small transactions, libraries are unlikely to count credit and debit card processing issues among their most pressing concerns. Yet many libraries may be unaware of their state of compliance with the Payment Card Industry Data Security Standard (PCI DSS). Enforced by the credit card industry, the standard helps ensure that payment data is protected from theft and fraud.
“Your card processor can be fully compliant, your payment application developer can be fully compliant, but [a vendor] could give their product to a library and they could implement it in a way that was non-compliant,” said Dan Curtin, president of Comprise Technologies. Comprise offers PCI-compliant kiosks and revenue management solutions under the Smartpay brand, and Curtin has been working to raise awareness of PCI compliance within the field.
PCI DSS is not new. The standards were created in 2004, when Visa, MasterCard, American Express, Discover, and the Japan Credit Bureau agreed on a set of best practices and merged their security policies. Banks and processors began complying between 2005 and 2006. Following that, the credit card companies began working with payment application developers, service providers, and major retailers through 2010, according to Curtin. Credit card companies have since turned their focus to smaller merchants.
Although the standard has attracted plenty of criticism, with many retailers and restaurants complaining that it’s just another arbitrary way for credit card providers to extract fees and fines, PCI DSS does set a reasonable floor for minimum data security. For low-volume merchants such as libraries, the requirements include using PCI approved PIN entry devices and validated payment software at the point of sale (POS), and installing a network firewall and password-protected wireless routers with encryption. The standard also prohibits small merchants from intentionally or unintentionally storing sensitive cardholder data on local computers or on paper.
Libraries, of course, are an unlikely target for criminals searching for a trove of credit card data. And they aren’t likely to draw much attention, collectively, from the credit card industry, noted Peter Campbell, currently the Chief Information Officer for the Legal Services Corporation, an independent nonprofit that provides grants to legal aid programs throughout the U.S. Campbell was IT director for Goodwill Industries when the charity proactively became PCI compliant in 2006.
“The compliance demand really depended on the amount of revenue you were generating via credit cards—the amount of transactions,” he told LJ.
However, there’s always a risk that lax data security can lead to breaches.
“I think the risk is definitely higher in cash-strapped organizations like non-profits and libraries that don’t have the state-of-the-art security, or can’t afford to keep security experts on hand, and who might even be using really bad practices like taking credit card numbers over the phone and writing them down by hand,” he said.
Certainly no one wants patron data to be at risk, and even one case of fraud traced back to a library could have serious consequences.
“If there is a fraudulent event, and you’re non-compliant, then [the card companies] have the option to come down on you like a ton of bricks,” Curtin said. “Not only do you have to repay the money that was fraudulently withdrawn or fraudulently charged, there are penalties and fines on top of that, and from this point forward, they charge a [per-transaction] premium on future charges.”
Campbell points out one low-cost solution to the issue.
“My standard recommendation always was, if you’re a small nonprofit that’s selling merchandise or taking donations online, go through a third party,” Campbell said. “Go through Network for Good or PayPal or whatever appropriate provider you can who will…take the credit card information for you, credit your account, and your organization never sees the [credit card] number. It could work for late fees, it could work for anything. It’s basically outsourcing the transaction.”
About Matt Enis
Matt, great points, and it’s why libraries as a QSA, I can tell you that the two most challenging aspects of PCI compliance for libraries are (1). Determining which of the Self-Assessment Questionnaires (SAQ) to use (they seem to keep adding more!) and (2) developing all the mandated information security and operational policies and procedures for PCI compliance. With the introduction of SAQ A-EP, the laundry list of SAQ documents keeps getting longer and complex. Additionally, if you look at the actual PCI standards, there’s literally dozens of mandated policies and procedures that must be in place for both merchants and service providers. Luckily, you can find free and cost-effective templates online for download. And don’t forget that security awareness training is also mandated, which is highly essential for not just compliance with PCI, but from an information security best practices perspective.