Credit Card Purchasers and Collectors Face PCI Security Standard

Segments of the debt purchasing industry that work credit card accounts could soon be investing in a computer security upgrade to meet standards established by the major card brands.

Card issuers and merchants have been grappling for several years to meet Payment Card Industry Data Security Standards, known as PCI, a set of security rules designed to ensure cardholder data is safe from computer hackers and other crooks.

Stories of lost and stolen consumer data have made headlines the last few years with the affected issuers and merchants scrambling to make their customers whole. A hack of a debt purchaser could be a disaster, according to one computer security expert.

“If a debt buyer were attacked, I don’t think there would be a lot of mercy,” said Dave Mertz, co-CEO with Compliance Security Partners in Kansas City, Mo. The company would be hit with federal and state penalties, be required to reimburse affected cardholders for any losses and provide them with annual credit check services, and the potential for lawsuits is enormous, said Mertz.

In 2002, the average cost for a firm hit with a security breach was $6 million, he said. Making matters worse, “the hacker doesn’t make front page news, it’s you the company,” said Mertz.

The PCI standards were originally created by Visa USA. It has since been joined by all the major card brands – American Express Co., Discover Financial Services, JCB International, and MasterCard Inc. – to form the PCI Security Standards Council to manage the effort.

The standards are designed as comprehensive, multifaceted “requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures” to ensure customer payment account data is secure, according to the Council.

“The PCI standards grew from the Gramm-Leach-Bliley federal rules implemented several years ago addressing the protection of consumer data,” said Dennis Hammond, president of the Debt Marketplace in Santa Fe Springs, Calif.  As GLB applied to vendors like third party collectors, so do PCI requirements, said Hammond.

The card industry has primarily focused on getting its issuers and merchants prepared and collectors have been largely forgotten. But that may be changing with seminars on security standards and PCI at the recent ACA International Conference & Expo in Chicago last month.

The PCI Security Standards Council counts as members more than 270 firms from around the globe, including credit card issuers, merchants, card processors, and computer hardware and software developers, according to a spokesperson.