Researcher Sees Issuers’ Service Providers as PCI ‘Hot Spots’

Six specialty types of vendors, processors, and other service providers that card issuers use lack specific guidelines on how to protect cardholder data under the Payment Card Industry data-security standard, or PCI, according to a recent report from research firm TowerGroup Inc. These service providers thus represent “hot spots” that may need further attention as PCI evolves to address ongoing security risks, according to Brian Riley, research director of Needham, Mass.-based TowerGroup's bank cards group. The report's conclusions cast the spotlight on the issuing side of the card business with respect to PCI compliance and the potential for data breaches. Up to now, most of the industry's attention has been focused on the acquiring side, and particularly on merchants' ability to keep card data safe. As with every entity that comes in contact with credit and debit card data, the specialists do have responsibilities under the PCI rules adopted by the five major U.S. general-purpose card networks in 2006. But the responsibilities only go so far as telling the providers they must be “protecting cardmember data,” Riley says in the April report entitled “Extending Influence of Data Security into the Card Ecosystem: The Next Trend in PCI Compliance.” Even though PCI's requirements are extensive, the specialty vendors could be candidates for specific rules tailored to their functions, the report suggests. The PCI Security Standards Council, which administers the PCI rules, recently came out with specific standards for payment-processing software and PIN-entry devices. The specialty vendors that continue to represent security risks, according to Tower Group, include: –Print and digital media companies that produce plastic cards, send card verification letters, produce other mailings, and prepare statements. Big processors well versed in PCI such as First Data Corp., Total System Services Inc. (TSYS), and Metavante Corp. do such functions, but so do a number of independent providers?and their jobs expose them to live account information. –Direct marketers. Hired by issuers to solicit new cardholders, these vendors do not have live account numbers but they could hold “tens of millions” of records with customer information, the report says. –Rewards-fulfillment companies. These businesses provide customer service and back-office servicing on behalf of issuers. They deserve attention because 60% of all card transactions originate from accounts with rewards features, according to TowerGroup. –Call-center services firms. Such companies handle various customer-service functions such as verifying receipt of a new card or fielding cardholder questions, either through digital or human interaction. –Third-party collections agencies. This group includes nearly 10,000 U.S. small businesses and often has access to full information about active and closed accounts. Issuers place more than 10 million accounts with outside collectors annually, TowerGroup says. –Debt buyers. These firms buy blocks of delinquent accounts. They may not have access to transaction data, but they do have consumer information that if revealed to unauthorized parties could have negative consequences for cardholders. Riley tells Digital Transaction News that the despite the criticisms of PCI, “there has been some terrific progress” in getting merchants, especially large ones, to enhance card security. Now the card networks, which enforce PCI, are turning their attention to smaller merchants, he says. Beyond those, the service providers issuers use represent a group that hasn't received much attention in the often-heated discussions about protecting card data. TowerGroup is an editorially independent unit of MasterCard Inc.