Monday, November 26, 2012

Confidential Information Found in Macy's Parade Confetti?

There is a reason why PCI DSS Requirement 9.10 requires that merchants and service providers use a crosscut shredder to destroy paper records with confidential information.  The reason is that simple ribbon-type shredders don't really destroy the information.  Depending on how the paper goes into a ribbon shredder, whole lines of information can be readable.

If press reports are accurate, the organizers of the Macy's Thanksgiving Day Parade together with the Nassau County Police are living proof that ribbon shredders are not very valuable.  Based on news reports, the police are investigating claims by attendees at the Thanksgiving Day Parade that the confetti  that poured from the sky contained Social Security Numbers, bank account numbers, and police records that were clearly readable.

One important lesson for any organization with confidential financial, medical, or personal information is that shredding means crosscut shredding.

A second, possibly equally important lesson is that if you use a shredding service for your PCI documents (or HIPAA or whatever), you better know what they do with the chad after they shred the documents.  Do they sell it for pulp?  Do they recycle it?  Do they sell it to parade organizers or party planners for confetti?

The reason this second lesson is important is that the shredding service is a PCI Service Provider, and 12.8.2 says you need to have an agreement that they acknowledge their responsibility for the cardholder data (the paper) they possess.  That means you might want to know what happens to your confidential documents once they leave your premises.

Maybe we need to add this "Macy's Rule" to PCI?

Thursday, November 8, 2012

2013 PCI DSS Workshop - Call for Topics and Presenters

The Treasury Institute's tenth (!) PCI DSS workshop will be May 13-15 in Indianapolis.  Click here to go to the website to register and for hotel information.

This is also the start of my call for speakers and topics.  What do you want to see covered this year?  Is mobile still hot?  What about cloud and ecommerce implementations?  How good are your policies?  What do you do for remote events (e.g., athletics, golf tournaments, etc?).  Are you ready for EMV chip cards?  What is the latest from the card brands (e.g., see here)?

This year, in response to your comments from past workshops, we expect to have separate IT and Business tracks for one half-day (probably Tuesday afternoon).  That means the Institute (and I, as organizer) want to hear from presenters about IT-specific (be as geeky as you want) and Business -specific (be as practical as you want) subjects.  If we get some good ideas and speakers, we'll go with the separate tracks on Tuesday pm.

Speakers get special treatment to thank them for their time.  The Institute will pay for speakers' hotel, and they attend the workshop for free.  If you propose a joint presentation, only one speaker will get the hotel and comped conference fee.  About all you have to do is get yourself to Indy (especially since two breakfasts and lunches are included).   Speakers also get the opportunity to sharpen their presentation skills in an open and supportive atmosphere with a group of their peers.

Please contact me directly (wconway@403labs.com) to propose a presentation.  I look forward to being flooded with suggestions.

It is now up to you!  Please feel free to re-post this announcement to appropriate listserves and bulletin boards.

Tuesday, November 6, 2012

Visa Extends Service Fee Program to Higher Education

Effective November 6, Visa has expanded their program allowing government agencies to add a service fee Visa card payments to include Higher Education.  This is potentially big news for every school that accepts or wants to accept payment cards for payment of tuition and fees.  Visa's statement reads in part:
To regain acceptance and increase competitiveness in the Government and Higher Education segments, effective 6 November 2012, Visa is expanding the Tax Payment Program and renaming it the Government and Higher Education Payment Program. The expanded program will include government merchants (Merchant Category Code [MCC] 9311—Tax; MCC 9222—Fines; MCC 9211—Court Costs; and MCC 9399—Miscellaneous Government Services) and tuition and related payments for higher education (MCC 8220—College Tuition; MCC 8244—Business; and MCC 8249—Trade Schools). 
Visa currently does not permit variable fees on any type of U.S. payment transaction, other than on tax payment transactions. By expanding the Tax Payment Program, Visa seeks to regain lost Visa acceptance among higher education and government merchants.
Here are some of the details:

  • This is not a new program.  Rather, it expands the current program allowing surcharges for government agencies to additional merchant category codes that include Higher Education.
  • The program includes card-present as well as card-not-present transactions
  • The program includes credit and debit cards
If your school wants to participate, you have to do a couple of things:
  • First, your institution has to register with your acquirer.  You should contact your acquirer to get the Government and Higher Education Payment Program Guide, which has the form you need to file to register for the program. This guide also has all the program details.  Note there is no fee for the registration, but your institution has to do it.  
  • While you are talking with your acquirer, make sure they have assigned you the right Merchant Category Code (MCC).  This program only applies to transactions in MCCs 8220 (College Tuition), 8244 (Business schools), and 8249 (Trade schools).  This is important, and you may need to hold your account rep's hand through this process.  In my experience, schools may be classified into MCC 8299 (Miscellaneous education).  If that is you, then you need to get your MCC changed or you will not benefit from the program.
The payment and service fee transactions must be submitted and processed as two separate transactions as noted below:
  • The transaction must include: 
    • The higher education institution (merchant) name in the Merchant Name field (merchant name cannot exceed 25 characters in length) 
    • Customer support phone number in the Merchant City field 
    • State of the merchant in the Merchant State field 
  • The service fee transaction must include: 
    • Merchant or service provider name in the first 3,7, or 12 positions followed by an asterisk (*) in the next position, followed by the words “Service Fee 
    • Customer support phone number in the Merchant City field 
    • State of the service provider in the Merchant State field.
There are some other conditions described in the Program Guide, but they are not out of the ordinary.

All of this means that those institutions that had not accepted Visa in the past because of the service fee prohibition are free to add that card brand.  All you need to do is register with your acquirer.  

This is potentially big news for many institutions.  Spread the word.  Please feel free to post links to this post to listserves and bulletin boards as you wish.