Collection Agencies, Debt Buyers are PCI Security Hot Spots

Collection agencies, debt buyers and call center firms are among the next group of service providers that need further guidance to become complaint with payment card PCI security standards, according to a new TowerGroup report.

The report from Senior Analyst Brian Riley notes that compliance with PCI security standards is strong among large and mid-size merchants but that the six other industry segments constitute “Security Hot Spots” and need attention.

The six industries are strongly integrated with the payment card industry, and include collection agencies, debt buyers, call center service firms, reward fulfillment companies, direct marketing vendors, and print and digital media companies.

Riley notes that collection agencies often having access to full cardholder account information, and that debt buyers acquire blocks of delinquent accounts. Debt buyers “might not have access to live transaction data, but they can provide information that, if revealed, could have other adverse effects on cardholders,” according to Riley. Call centers provide customer acquisition and service though digital or human interaction.
 
There are a number of safeguards these six industry verticals can take until PCI security standards are better defined. Three core principals include instituting strong access controls, conducting vulnerability management, and ensuring the protection of stored cardholder data.
 
The major payment card networks joined in 2006 to create the Payment Card Industry Data Security Standards, typically called PCI, according to the report, “Extending Influence of Data Security into the Card Ecosystem: The Next Trend in PCI Compliance.”
 
The group, including American Express, Discover, Japan’s JCB, MasterCard, and Visa, created a standards council to oversee the implementation of PCI. The council’s initial focus has been on ensuring that card-accepting merchants reach and maintain PCI standards, writes Riley.

Level 1 merchants, defined as those conducting more than 6 million card transactions annually, achieved a PCI compliance rate of nearly 80 percent in 2007, TowerGroup reports. Level 2 merchants, conducting 150,000 to 6 million card transactions a year, had a compliance level of 65 percent last year. Riley reports that the PCI council plans to turn its attention to improving the compliance rate among Level 3 and Level 4 merchants.

The PCI council could address the six hot spots after more merchants pass certain security milestones.