The Green Sheet, Inc

Street Smarts℠:
Security and the MLS

By Kathy Harper

In light of the recent security breach at payment processor CardSystems Solutions Inc., I began thinking about the obligation of merchant level salespeople (MLSs) in regard to securing their clients' data. How vulnerable is this information, and what are the repercussions to agents if a breach occurs in their own system?

To find out what the feet on the street think about this issue, I posted the following questions on GS Online's MLS Forum:

Considering everything that has come to light lately regarding security, how is the average MLS handling the security of his or her client's data? What steps do you as an MLS take to protect the Social Security numbers and banking information of your clients? As an ISO, what steps would you like to see MLSs take to secure this data?

Following are two responses received:

"As far as security, we have always had all the applications locked in-room and only myself and my business partner have access to merchant files. Plus, we shred anything that has info on it that we don't want to keep." - ccguy

"I often bring up this issue with a potential customer. They are often being approached by an array of reps walking in their door as well as phone calls and faxes from ... who knows? I remind them of the risk they are taking giving someone they don't know all their personal info such as Social Security number, bank info, etc. Do they want to give all this personal info to someone that just walks in their door or calls them on the phone?

"Fear can be a motivating factor when the merchant is made aware of the risk they are taking here. Being a local rep, meeting face to face has a big advantage when it comes to making the merchant feel more comfortable in giving you their personal info." - Neil

Data security is a sensitive subject that we should all take very seriously. Payments is not the only industry that deals with a large amount of sensitive client information. Following are other industries that regularly collect Social Security and banking information from customers:

  • Insurance
  • Utilities
  • Public schools
  • Finance and accounting
  • Home security
  • Health clubs
  • Telecommunications
  • Property management
  • Pest control
  • Healthcare

The Cat and My Social Security Number

About a month ago, I rushed our pet cat to the closest veterinarian after it was hit by a car. When the vet determined there was nothing to do but put the poor thing out of its misery, I agreed. I took my daughter home and then went back for the body 30 minutes later so we could bury it.

When I returned, the high school kid behind the counter asked for my Social Security number. I questioned this policy, explaining that I paid in cash and didn't plan to bring the cat back for any further treatment, but still she wanted the number.

I asked her what the vet would do with the information if I provided it, and she said they would store it in a very safe place in my file. I asked where they kept the files, and she pointed to shelves behind her. They were within easy reach from the counter.

MLSs Protecting Data

For businesses in many industries, it is often routine to request Social Security numbers from clients. As MLSs, we shouldn't feel defensive when asked how we store our clients' information. In my opinion, we do a much better job than other businesses.

For instance, we know to lock our cars whenever we leave the vehicle; we place sensitive information in the trunk when possible; and we never leave files lying on the front seat. We use paper shredders to destroy documents or we lock them in file cabinets. We don't discuss client information with anyone other than our ISOs or vendors.

These are all common-sense approaches that every ISO requires of us, and I believe we do an excellent job of securing data in this manner.

While some of us work in an office, most of us work from our homes. Neil Mink, an MLS in Alabama, uses a deadbolt lock on his home office door. He recommended this for anyone who works from home.

With a teenager in my house, I agree with Mink that the office door should be locked with a deadbolt. Even if you are one of the lucky parents who absolutely trusts your child, do you trust their friends?

Whether you work from home or outside of it, ensure that housekeepers, repairmen and even landlords do not have access to client data. If you don't already have an alarm system, install one. Also, know who has keys to your office. While ISOs routinely perform background checks on their agents, if you employ anyone, do the same.

In the event of your death, does your family know that they should shred all client documents?

Some older model fax machines, the ones with the cartridges, retain all the faxed information on the cartridge. If using one of these models, unroll the cartridge and hold it up to the light. You'll be amazed at the detail of faxed information still there. Before discarding the cartridge, secure this data by destroying it.

James English of Business Payment Systems (BPS) has come up with what seems to be a foolproof system to protect his clients' data. Although he said that locking file cabinets is always a must, he also destroys clients' data after they are up and running.

He first checks to make sure that they are receiving deposits into their account. Then he destroys their data and relies on BPS to supply him with it if needed in the future. Why would we need all our clients' data after they are up and running? This system would certainly save us space in our offices.

I spoke with fellow NAOPP Board member Ernie Crews about this issue. He thinks that the average MLS has so few accounts compared with the average ISO office, that MLSs are not at the top of the list of entities with which the "powers that be" should be concerned.

Crews said MLSs are very similar to insurance agents and even bank employees who handle merchant processing accounts. If we work for a bank and the bank is not open, we will still write that account, even if it's the weekend and we can't place the information in the bank safe until Monday (would it go there anyway?).

Not all agents must worry about securing data in their car because they predominantly work from home and handle everything by fax, e-mail and phone. To get a better idea of the precautions these agents should take, I spoke with Anthony Lindo of ZitechLogic Inc., a Web consulting company.

Lindo said it takes a great deal of skill for someone to hack into a computer system, but still it is possible. He recommends turning off the computer and disconnecting it from the Internet source when the workday is done. He also said that traditionally, most hackers work in the early hours of the morning; taking this simple step might help prevent an attack.

Although most online fax services and e-mail servers are secure, it is possible for someone to gain access to your e-mail by hacking into your Internet service provider's (ISP) system. Lindo recommended using a well-known ISP to help prevent this rare, but possible, event.

Other precautions to take: Consider adding a disclaimer to each e-mail; use a firewall system such as Norton Antivirus; install and frequently run an antispyware program; never use file sharing software; and when it's time to replace the computer, remove the hard drive first and destroy it.

Addressing MLS Liability

Let's say you've taken all the necessary steps to secure client information and you feel good about the level of security provided.

You've had a good week on the road, and with Friday's applications locked safely in the trunk of the car, you decide to reward yourself by meeting some buddies for a drink before heading home. When ready to leave, you discover that your car has been stolen, client files and all.

I spoke with attorney Adam Atlas, who specializes in the bankcard industry, to find out what an agent's liability would be and what steps an agent should take in this instance to protect himself and clients.

Atlas described the situation as losing nonpublic personal information. If harm comes to merchants as a result of agents losing this data, two parties would have a right of action against the agents.

One party is the merchant, under privacy legislation or common tort law; the other party is the processor, under the terms of the agent agreement.

If we as agents lose data and harm comes to the merchant, we are on the hook with the merchant, processor and card Associations. All contracts now have provisions for this. Banks are tightening up their security requirements, and everyone in the industry should come up to speed on this.

If you are in this situation, Atlas recommends immediately notifying the processor and merchants in question so they can quickly cancel any affected cards or accounts. He also recommends contacting local law enforcement.

He said one of the risks to agents is that the merchant or processor might suspect them as the party responsible for the lost or compromised data. Transparency is therefore important to avoid confusion.

One way to reduce the chances of being wrongly suspected of the theft is to report it to the police. Do the report in conjunction with the processor; the processor should not find out about the theft from the police. Agents need to understand and explain to merchants why they have to collect their information because merchants have a right to know.

Atlas also recommends taking the following precaution when filling out merchant applications: Don't take down sensitive information in front of a third party or display data on a car seat.

Agents should take a little comfort in the fact that claims of this kind will probably be limited by the actual damage done to the merchant. If it is not the agents' fault, this should not preclude them from continuing in this industry, although they may not be able to do so with their current processor.

Following the guidelines set forth by the processor and using common sense and safe business practices will ensure trust from both the processor and merchants. Our livelihoods depend on this trust.

(In case you are wondering, the vet did not get my Social Security number!)

Kathy Harper of Griffin, Ga. is an MLS and President of NAOPP. E-mail her at advpaytec@aol.com or call her at 770-843-3399.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
© 2005, The Green Sheet, Inc.