Some Important Information You Should Know about New Security Regulations from the Credit Card Industry.
The health club industry was one of the first to embrace the technology of Electronic Funds Transfer and credit card monthly membership dues billing. There are technology providers in our marketplace that count themselves among the many pioneers in this area.
The Information Age continues to expand, with more and more people getting “wired.” People are connected across the country, the continent and the world. The benefits of the expanded knowledgebase are immeasurable, but there are also significant risks.
News stories appear regularly describing security breaches in which sensitive data was compromised. Unscrupulous individuals take advantage of online security weaknesses, or the complete absence of any security, to obtain valuable banking or credit card information which they either use themselves or sell.
These breaches lead to extensive fraud, which costs everyone more money: higher banking fees, higher merchant discount rates and, ultimately, higher prices for products and services.
The banking industry and the payment card industry have both instituted programs to reduce fraud in electronic transactions. U.S. banks have added “know your customer” safeguards and new requirements for online transactions, such as two-factor authentication. Some banks also require dual control: the person who submits a batch of transactions must be different from the person who approves it.
The payment card industry has taken this a step further with a comprehensive set of requirements to protect cardholder data. Visa’s Cardholder Information Security Program (CISP) comprises 12 specific requirements that must be met by any third-party processor that stores, processes or transmits credit card information on your behalf. You can verify that your processor is listed as compliant by checking the list available at: www.visa.com/cisp.
Several of the CISP requirements are also “best practices” that should be implemented at your own health club facility, such as:
• Install and maintain a firewall to protect cardholder data. If your health club has an Internet connection, make sure a firewall sits between it and the computers that hold billing data, and that the firewall blocks all inbound connections by default, allowing only the traffic your billing software actually needs. Software firewalls exist and often come preloaded with your computer’s operating system; they sometimes interfere with off-the-shelf programs, but the right fix is to add an exception for that program, not to switch the firewall off. Hardware firewalls are also available at very reasonable prices.
• Encrypt transmission of cardholder data. If you process monthly billing files, verify that the file is encrypted while it moves between your facility and your bank or third-party processor, for example over a TLS-protected connection or an SFTP upload, never as a plain FTP transfer or an e-mail attachment. At a minimum, 128-bit encryption should be used when transferring electronic data. Account numbers should also be encrypted where they are stored in your billing database, and you should store only what billing actually needs: the card verification code (CVV2) and magnetic-stripe data must never be retained after authorization.
• Use and regularly update anti-virus software. Computer users can unwittingly download a virus attached to an e-mail, and malicious people use such viruses to attack your network or collect data from it. It is not enough to have anti-virus software installed on each computer in your facility; verify that the virus definitions update automatically, and check at least weekly that the updates are actually succeeding.
• Restrict access to cardholder data by business need-to-know. There are many excellent club management software packages available to club owners and operators. Verify that, at a minimum, you can restrict each user of the system to only those modules they need. Specifically, only the people who handle your membership billing should have access to billing account information in your computer system; a front-desk login should not be able to open it.
• Assign a unique ID to each person with computer access. Verify that your club management software can set up a separate user name and password for each authorized individual; a login shared by several staff members makes it impossible to tell who did what. As an added level of security, passwords should be required to change periodically and to contain both numbers and letters; a run of invalid logins should lock the account; and an account that has been inactive for some period should be disabled.
• Restrict physical access to cardholder data. Physical cardholder data takes two forms: the signed membership contract and any printed reports from your computer system.
• With a membership contract, you must collect the banking or credit card information in order to set up monthly billing. Keep the contracts in a locked, secure area of your facility. Any report you print that includes the full account number should be marked confidential and stored in that same secure area; better still, configure reports to print only the last four digits, since a report that never contains the full number cannot leak it.
• Your software provider may also offer a paperless contract option. If so, make sure the account number is encrypted within the system, and confirm that the provider follows the CISP requirements for storing that information.
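As an added example (not code from this article or from Twin Oaks Software), here is a small Python user store that enforces the rules from the need-to-know and unique-ID bullets above: one login per person, passwords containing both letters and digits, lockout after repeated failures, disabling of inactive accounts, password expiry, and module access limited by role so that only billing staff can open billing data. The numeric limits are the PCI DSS figures (six failed attempts, a 30-minute lockout, 90-day password age and inactivity limits, at least seven characters) and are ordinary parameters you can change; the role names, module names and user names are invented for the example.

```python
"""Login and module-access checks for a club billing system (added example)."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta

# PCI DSS figures used as defaults; tune to your own policy.
MAX_FAILED_LOGINS = 6
LOCKOUT = timedelta(minutes=30)
MAX_PASSWORD_AGE = timedelta(days=90)
MAX_INACTIVITY = timedelta(days=90)

# Hypothetical roles and modules: billing data is only reachable by billing roles.
ROLE_MODULES = {
    "front_desk": {"check_in", "member_lookup"},
    "billing": {"check_in", "member_lookup", "billing"},
    "manager": {"check_in", "member_lookup", "billing", "reports"},
}


def password_policy_errors(password: str) -> list[str]:
    """Return the policy rules a password breaks (empty list means acceptable)."""
    errors = []
    if len(password) < 7:
        errors.append("shorter than 7 characters")
    if not any(c.isdigit() for c in password):
        errors.append("no digit")
    if not any(c.isalpha() for c in password):
        errors.append("no letter")
    return errors


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-SHA256 so a stolen user table does not yield plaintext passwords."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str            # one unique ID per person, never shared
    role: str
    salt: bytes
    digest: bytes
    password_set: datetime
    last_login: datetime
    failed_logins: int = 0
    locked_until: datetime | None = None


class UserStore:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def add_user(self, username: str, role: str, password: str, now: datetime) -> None:
        if username in self.accounts:
            raise ValueError("username already exists")
        if role not in ROLE_MODULES:
            raise ValueError("unknown role")
        errs = password_policy_errors(password)
        if errs:
            raise ValueError("weak password: " + ", ".join(errs))
        salt, digest = hash_password(password)
        self.accounts[username] = Account(username, role, salt, digest, now, now)

    def change_password(self, username: str, old: str, new: str, now: datetime) -> None:
        if self.login(username, old, now) not in ("ok", "password_expired"):
            raise ValueError("old password rejected")
        errs = password_policy_errors(new)
        if errs:
            raise ValueError("weak password: " + ", ".join(errs))
        acct = self.accounts[username]
        acct.salt, acct.digest = hash_password(new)
        acct.password_set = now

    def login(self, username: str, password: str, now: datetime) -> str:
        """Return 'ok', 'denied', 'locked', 'inactive' or 'password_expired'."""
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"  # same answer as a bad password: do not reveal valid IDs
        if acct.locked_until is not None and now < acct.locked_until:
            return "locked"  # enforced even if the password is right
        _, digest = hash_password(password, acct.salt)
        if not hmac.compare_digest(digest, acct.digest):
            acct.failed_logins += 1
            if acct.failed_logins >= MAX_FAILED_LOGINS:
                acct.locked_until = now + LOCKOUT
                acct.failed_logins = 0
                return "locked"
            return "denied"
        acct.failed_logins = 0
        if now - acct.last_login > MAX_INACTIVITY:
            return "inactive"  # stale account: disable it rather than let it in
        acct.last_login = now
        if now - acct.password_set > MAX_PASSWORD_AGE:
            return "password_expired"
        return "ok"

    def can_access(self, username: str, module: str) -> bool:
        """Need-to-know check: a user may open only the modules their role lists."""
        acct = self.accounts.get(username)
        return acct is not None and module in ROLE_MODULES.get(acct.role, set())
```

The lockout is checked before the password so an attacker gains nothing by continuing to guess during the lockout window, while the inactivity check runs only after a correct password so that probing for dormant accounts does not reveal which user names exist.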
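The printed-report problem in the physical-access bullet above also has a software fix: a report that never carries the full account number cannot leak it. The following Python, an added example rather than anything from the article or from Twin Oaks Software, scans report text for card numbers (13 to 19 digits that pass the Luhn checksum card numbers carry) and masks all but the last four digits before the report is printed or sent. The report lines are constructed for the example; the Luhn check stops it from masking member IDs and other long numbers that merely look like card numbers.

```python
"""Mask full card numbers in report text before printing (added example)."""
import re

# Candidate card numbers: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample report; the card numbers are standard test numbers.
SAMPLE_REPORT = """\
Member 100234  Jane Doe   Visa 4111 1111 1111 1111  exp 09/27  $49.00
Member 100235  Sam Lee    MC   5500000000000004      exp 01/26  $49.00
Member 100236  Ann Park   ACH  ****6789  phone 860-555-0142     $49.00
Invoice 2024010112345 generated for the billing cycle above
"""


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Replace every digit except the last `keep_last` with '*', keeping separators."""
    digit_count = sum(c.isdigit() for c in pan)
    out = []
    seen = 0
    for c in pan:
        if c.isdigit():
            seen += 1
            out.append(c if seen > digit_count - keep_last else "*")
        else:
            out.append(c)
    return "".join(out)


def redact_report(text: str) -> tuple[str, int]:
    """Mask every Luhn-valid card number in the report; return (new_text, count)."""
    count = 0

    def repl(match: re.Match) -> str:
        nonlocal count
        raw = match.group(0)
        if not luhn_ok(re.sub(r"[ -]", "", raw)):
            return raw          # invoice numbers, member IDs etc. are left alone
        count += 1
        return mask_pan(raw)

    return PAN_RE.sub(repl, text), count


if __name__ == "__main__":
    redacted, n = redact_report(SAMPLE_REPORT)
    print(f"{n} card number(s) masked\n{redacted}")
```

Run it over the text your club software exports before it reaches a printer or an e-mail, and treat any report where the count is non-zero as one that should never have contained full numbers in the first place.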
Data security is now at the forefront of everyone’s mind, and it is the responsibility of every person involved in the electronic payment industry. Just as the health club industry was a pioneer in electronic payments, we all need to be pioneers on the frontier of data security.
MJ Laliberte is the General Manager of Twin Oaks Software. She can be contacted at 860.829.6000, or visit www.tosd.com.