Even though the PCI DSS requirements have been in place since 2009, there still seems to be a lot of confusion out there. Most of the discussion so far on this blog has concerned the professional criminals who use computers and software to steal information and exploit it. But there is another, more insidious predator out there, one that exploits misinformation and general ignorance about the PCI DSS and what it means for merchants who process credit cards in this stressful time of heightened cyber security. An early forerunner of the formal PCI DSS requirements was the industry-wide mandate that electronically printed receipts be truncated, showing only the last four digits of the credit card account number. New security requirements are always announced long before a scheduled “drop dead” date to give processing services a window to implement the new security protocols. Time is required for service providers to notify all of their customers (easily numbering in the tens or hundreds of thousands) and to update and distribute new software or equipment as needed.
Unscrupulous credit card processing services soon learned to use this requirement as a sales tactic. The sales agent walks into your business, politely determines whether your equipment has been updated yet, and if not, informs you that your receipts are illegal and that you are violating Card Association regulations. The sales rep fails to mention that the truncation requirement date varied from state to state and that printing the whole card number wasn’t actually a violation for another year or more. He or she is counting on your lack of knowledge to dupe you into switching to a new service with new equipment and, more often than not, higher rates and fees coupled with reduced services and support. Since the sales person’s ruse rests on a lie backed by the threat of a penalty for printing “illegal” receipts, it’s not hard to see why the tactic works.
The preceding scenario raises the question: is this type of activity, surreptitiously weaving a story of half-truths mixed with fact to coerce a sale, against the law? The answer is: while certainly unethical and bordering on fraudulent, not really. Specific legislation to prevent such practices is sparse to non-existent. On top of that, the conversations between sales person and business owner are usually not recorded and are therefore difficult to prove legally as anything more than hearsay.
A similar trend is on the rise due to the confusion over PCI compliance. The questions of who needs to be PCI compliant and how to achieve PCI compliance have created an environment ripe for abuse by unscrupulous processing services. Be aware, and get more information on the PCI DSS on this site. More on this subject next week.