If you are a governmnet agency, it may be legitimate to ignore the rules.

Recently it was learned that people who pay for driver's licenses on-line via credit card to state of Indiana DMV got breached because the state government could not bother to adhere to the PCI standard. The state probably has the clout to force credit card industry to look the other way with them. There are tons of stories of similar breaches other states, and federal government agencies.

But for everyone else, you break the rules, then down the line you can face millions of dollars in FTC fines, tons of law suits, withdrawal of credit card industry support which can be so important to some enterprises that this ultimately leads to bankrupsy, such as with Card Systems.

Some have tried to use the excuse that they installed software in total ignorance of what it was doing. That works for PR spin to some consumers, but does not protect them from law suits, fines, and could undermine future consumer confidence.

For more on this topic in general, check out discussion group
Dataloss http://attrition.org/dataloss
Archives <http://attrition.org/pipermail/dataloss>

Al Macintyre

By accepting credit cards (Visa at a minimum but pretty much everyone
else is on board) your customers have probably agreed to adhere to the
Payment Card Industry Data Security Standard.
https://www.pcisecuritystandards.org/ has a link to the standard itself.


I haven't read it through but my understanding is that the ramifications
for violating PCI can include heavy fines and loss of ability to accept
credit cards.  I'd urge following whatever guidelines it provides.

--
John A. Jones, CISSP
Americas Information Security Officer
Jones Lang LaSalle, Inc.
V: +1-630-455-2787 F: +1-312-601-1782
john.jones@xxxxxxxxxx

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Jim Franz
Sent: Friday, March 30, 2007 1:18 PM
To: MIDRANGE-L@xxxxxxxxxxxx
Subject: data retention and encryption ala tjmaxx

With the TJ Max debacle playing out in the media, I need to make a
recommendation to several customers who handle credit card trans.
Is there a short & concise list of standard practices as to when to keep
customer data versus when not to...
I have searched the web and find that everyone seems to have a different
opinion, and much of it sounds like "talking heads..".
Perhaps an industry association recommendation, or something from the
card processors that I can get to (that is not a 800 page manual).
In one case, iSeries custom software for private (non-standard) cards in
addition to major labels. Another has pc based swipe machine and settle
software, but then keys the tran onto the iSeries (and I need to
recommend for both iSeries and pc).
None of these customers fit a "traditional" retailer model.
Jim Franz

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a
moment to review the archives at http://archive.midrange.com/midrange-l.


This email is for the use of the intended recipient(s) only. If you have received this email in error, please notify the sender immediately and then delete it. If you are not the intended recipient, you must not keep, use, disclose, copy or distribute this email without the author's prior permission. We have taken precautions to minimize the risk of transmitting software viruses, but we advise you to carry out your own virus checks on any attachment to this message. We cannot accept liability for any loss or damage caused by software viruses. The information contained in this communication may be confidential and may be subject to the attorney-client privilege. If you are the intended recipient and you do not wish to receive similar electronic messages from us in the future then please respond to the sender to this effect.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.



As an Amazon Associate we earn from qualifying purchases.

This thread ...

Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.