The Nonpublic Personal Information Hot Potato By Adam Atlas
Protecting personal information is definitely one of the "hot" topics of 2005. Organizations from the card Associations, banks, processors, ISOs and agents down to the local flower shop are working to avoid getting into trouble over the collection, storage or dissemination of nonpublic personal information.
Following are a few basic principles to help reduce possible sources of liability for problems associated with cardholder information.
Don't Touch It
Regardless of your place in the merchant acquiring industry, try to avoid touching cardholder information. The more you come into contact with it, the more you will attract obligations in terms of collecting, storing and disclosing it.
Examine your business processes and determine if any unnecessary collection of this information, or other nonpublic personal information, such as Social Security numbers, is occurring. If so, stop it.
Get Rid of It Quickly
If you absolutely must come into contact with cardholder information, examine the reasons why, and develop a process for holding the data for the least amount of time necessary. The longer you hold the data, the more rules apply to you, and the more opportunities you create for a security breach. Treat cardholder information like a hot potato, and get it out of your hands as quickly as possible.
Encrypt It
If you really need to store cardholder information, don't store it in a Microsoft Excel spreadsheet on a CD lying on the passenger seat of your car. Keep it in a secure computing environment, well protected from both physical and technological breaches. Keep the data encrypted, and keep the encryption key somewhere other than alongside the data; an encrypted file sitting next to its key is not protected at all. If your laptop with 10,000 cardholder account numbers ends up in a dumpster, it should be practically impossible for whoever finds it to recover any data from the hard drive without that key.
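The three principles so far (don't touch it, get rid of it quickly, encrypt it) in working code, as an added example that is not part of this column and not anyone's production system: a Go program that keeps only the last four digits plus a keyed token for matching a card without holding its number, discards the CVV outright, seals the full account number with AES-256-GCM only when it genuinely has to be retained, and wipes it once its retention deadline passes. The Record layout, the function names, the separate tokenKey and encKey, the one-hour retention and the test number 4111111111111111 are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// Record is everything kept about a card: no CVV; the full PAN only as AES-GCM ciphertext, only until Expires.
type Record struct {
	Last4   string
	Token   string    // HMAC-SHA256 of the PAN under tokenKey: matches cards, cannot be reversed
	FullPAN []byte    // nonce||ciphertext of the PAN, nil unless keepFull was set
	Expires time.Time // deadline after which FullPAN must be purged
}

// tokenize gives equal PANs equal tokens without revealing the PAN (needs tokenKey to compute).
func tokenize(tokenKey []byte, pan string) string {
	m := hmac.New(sha256.New, tokenKey)
	m.Write([]byte(pan))
	return fmt.Sprintf("%x", m.Sum(nil))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealPAN encrypts with a fresh random nonce, which is prefixed to the ciphertext.
func sealPAN(encKey []byte, pan string) ([]byte, error) {
	gcm, err := newGCM(encKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(pan), nil), nil
}

// openPAN decrypts and authenticates; a blob altered in storage, or opened with the wrong key, fails here.
func openPAN(encKey, blob []byte) (string, error) {
	gcm, err := newGCM(encKey)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize() {
		return "", fmt.Errorf("stored blob too short")
	}
	pt, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// NewRecord is the one path by which card data enters storage; the caller authorizes with the CVV, then it is dropped.
func NewRecord(tokenKey, encKey []byte, pan, cvv string, keepFull bool, retain time.Duration, now time.Time) (Record, error) {
	_ = cvv // never stored, never logged
	if len(pan) < 12 || len(pan) > 19 { // length sanity only; a real check would also verify digits and Luhn
		return Record{}, fmt.Errorf("malformed PAN")
	}
	r := Record{Last4: pan[len(pan)-4:], Token: tokenize(tokenKey, pan)}
	if keepFull {
		blob, err := sealPAN(encKey, pan)
		if err != nil {
			return Record{}, err
		}
		r.FullPAN, r.Expires = blob, now.Add(retain)
	}
	return r, nil
}

// purgeExpired wipes encrypted PANs past their deadline; Last4 and Token stay usable afterwards.
func purgeExpired(records []Record, now time.Time) (n int) {
	for i := range records {
		if records[i].FullPAN != nil && !now.Before(records[i].Expires) {
			records[i].FullPAN, n = nil, n+1
		}
	}
	return n
}

func main() {
	// Demo keys generated here; in practice they live in a key store, never beside the data.
	tokenKey, encKey := make([]byte, 32), make([]byte, 32)
	rand.Read(tokenKey)
	rand.Read(encKey)
	r, err := NewRecord(tokenKey, encKey, "4111111111111111", "123", true, time.Hour, time.Now())
	fmt.Println("last4", r.Last4, "sealed bytes", len(r.FullPAN), "err", err)
}
```

Two design points matter more than the code. First, the laptop-in-the-dumpster case is only covered if encKey is not on the laptop: the sealed blob is useless without it, and the Token is a one-way value that reveals nothing even with the blob. Second, the retention deadline is recorded at the moment the full number is stored, so "get rid of it quickly" becomes a scheduled purge rather than a good intention.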
Limit Who Has Access to It
Your organization should handle cardholder information, and all other nonpublic personal information, on a need-to-know basis. The janitor does not need to know Visa account numbers.
Take time to consider which people in the organization have access to nonpublic personal information, such as cardholder data, Social Security numbers and other personal financial information. Upon identifying them, try to narrow down the list.
Do Not Disclose It
Most people in our industry know there is demand for cardholder information. I have been told that you can buy illegally obtained cardholder information for as little as $1 per card. Make sure that your organization does not become a source for this illegal trade.
Reflect on every instance or opportunity through which nonpublic personal information leaves your business. Consider both paper and electronic copies of the information. Electronic copying is far easier to do, but paper copies need protecting too.
When you outsource parts of the business, review the terms of the outsourcing agreements to make sure that third-party providers undertake to never disclose any information you disclose to them, unless required by law. Also, make sure employment and agent agreements include covenants with similar effect.
Know the Rules
As I have written in previous columns, card Association rules are, in most cases, the predominant body of law in this industry. For better or worse, as a participant in this industry, it's up to you to know the rules that apply to you.
Take time to discuss the information-collection and storage rules that apply to you with the risk manager at your processor or bank. The processor or bank has a general duty to inform you of what those rules are; don't let it off the hook. To the extent possible, obtain copies of the rules and read them; make them available in your office, and make it mandatory for employees to know them.
Prepare for Audits
Companies in this industry should never be afraid of a security audit, and they should always be ready for one. Make it part of your standard operating procedure to self-audit your security systems and ensure that you are in compliance with all applicable Association rules, including the Payment Card Industry (PCI) Data Security Standard where it applies to you.
It's better to make improvements following a routine audit than following an audit triggered by a breach. Be fastidious about record-keeping when it comes to your internal rules, audits and all compliance certificates.
Talk to Your Bank
Banks are great at shunting responsibility to processors and ISOs; you don't need to read more than a couple of paragraphs of an ISO agreement to learn that. Never forget that a bank has a duty to inform you of your obligations with respect to any information you collect or handle on its behalf.
Be proactive in getting a clear idea from your bank of its rules and how it expects you to comply with them. I would probably have fewer clients if ISOs spent more time communicating with their sponsoring banks to make sure that both parties' expectations are the same.
Be Proud of Being Compliant
If you are PCI-compliant (or compliant with any other industry security standard) let people know about it. All business partners will be interested to know what level of compliance your business has achieved. Informing your business associates about your compliance will provide them with the kind of comfort they will increasingly want.
If in Doubt, Say No
There will be times when you will have to choose between solutions that require greater contact with nonpublic personal information and less contact. If in doubt, choose the option in which you will have less contact with that information.
Instead of describing the applicable legislation and rules, I have offered a set of principles that should help you minimize liability for holding cardholder information. Let's face it, mistakes will happen. These principles should help you reduce the opportunity for mistakes, and you can also use them to show a potential plaintiff that you made a good faith effort to avoid unnecessary breaches of security.
In publishing The Green Sheet, neither the author nor the publisher is engaged in rendering legal, accounting or other professional services. If you require legal advice or other expert assistance, seek the services of a competent professional. For more information on this article, e-mail Adam Atlas, Attorney at Law at atlas@adamatlas.com or call him at 514-842-0886.