Credit Card Security

Credit card security is increasingly becoming an issue.  A couple of years ago, TJ Maxx reported theft of up to 45 million credit card numbers.  More recently, Heartland Payment Systems reported theft of 100 million numbers.  I used to think that stealing a credit card number would be relatively easy, but that purchasing something would lead the authorities right to the front door of the thief.  These days, it is a global problem, and criminals are finding ways to steal without getting caught.

I have a pretty good sense about these things, and in general, I stay out of trouble.  I avoid suspicious downloads, and I only purchase from sites I trust.  In over 20 years of computing, I can count on one hand the number of times I have been infected by a virus, yet in the past 3 months, I have had two fraudulent charges on two different cards.  Google found quite a few instances of other people receiving the same charges I did, and at the same time.  The image of some script kiddie in Nigeria doing this stuff has been erased.  These guys are sophisticated and organized.

It’s no surprise then that credit card companies are clamping down on security requirements for their merchants and software vendors.  We were in the process of adding credit card processing to our application when our processing partner told us we would have to become PCI PA-DSS compliant.  Evidently, any application that “stores, processes, or transmits” credit card data must go through the compliance process.  That can cost up to $30,000 for the initial review, plus annual costs to keep it current.  The processor offered to walk us through the process and cut our costs to around $15,000.  Um… thanks, but no thanks.  I told them one reason we chose a partner like them is so we don’t have to go through crap like this, but they weren’t able to offer another solution.  Fortunately, we were able to find another partner (X-charge) that integrates with our app in such a way that our app never has to see a credit card number.  Problem solved.  If your app or web site collects or processes credit card info, chances are PCI will be knocking on your door.
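Staying out of PA-DSS scope rests on the claim that the application never sees a card number, and that claim is only as good as your ability to verify it. The following is an added example (not code from the post, and not X-charge's or any processor's API): a small Python scanner that looks for candidate primary account numbers in application logs or request dumps, filters them with the Luhn mod-10 check to cut false positives from order IDs and timestamps, and reports hits with the number masked. The log lines are constructed for the demonstration and use the well-known public test card numbers rather than real accounts.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# and not embedded in a longer run of digits.  This is a heuristic; the Luhn
# check below removes most accidental matches (order ids, timestamps).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form that keeps at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> List[str]:
    """Return digits-only PANs found in text that also pass the Luhn check."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def scan_lines(lines) -> List[Tuple[int, str]]:
    """Scan an iterable of log lines; return (line_no, masked_pan) for each hit."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            hits.append((n, mask_pan(pan)))
    return hits


# Constructed sample log lines.  Line 1 carries a 16-digit order id that fails
# Luhn; lines 2 and 4 leak the public test PANs 4111... and 5500...; line 3 is
# what a scope-reducing integration should look like: only a token reaches the app.
SAMPLE_LOG = [
    "2009-05-12 10:22:01 INFO checkout started order=1234567890123456",
    "2009-05-12 10:22:03 DEBUG payment form: card=4111-1111-1111-1111 exp=12/11",
    "2009-05-12 10:22:04 INFO token=tok_8f3a9c received from processor",
    '2009-05-12 10:22:05 DEBUG raw request body: {"pan": "5500000000000004"}',
]

if __name__ == "__main__":
    for line_no, masked in scan_lines(SAMPLE_LOG):
        print(f"line {line_no}: possible PAN {masked}")
```

Run it against debug logs, request captures, crash dumps and database exports before the processor or an assessor does; a single hit means the application is storing, processing or transmitting cardholder data after all, and the scope reduction has not actually been achieved. Anything the scanner finds should be treated as a data-handling bug to fix, not just a log line to redact.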