The leader of an organization promoting tougher credit card security standards is downplaying the impact of the standards on the debt purchasing and collection industry.
The Payment Card Industry Data Security Standards, known as PCI, is a set of security rules designed to ensure cardholder data is safe from computer hackers and other crooks. The major card brands – American Express Co., Discover Financial Services, JCB International, MasterCard Inc. and Visa – joined to form the PCI Security Standards Council to oversee compliance with the standards.
Bob Russo, the council’s general manager, said the standards are designed to specifically guard against unauthorized use of the information on a credit card, such as the account number, and the data stored on the magnetic strip on the back of the card.
“Our concern is payment card fraud. The standard seeks to protect the credit card number on the front of the card and the magnetic strip information,” he said.
Typically, card issuers will deactivate a card number before selling it to a debt purchaser, said Russo. Once the number is deactivated, the card doesn’t have to be PCI compliant, he said. It’s conceivable that an issuer could reactivate a number and sell it to a purchaser — though that doesn’t seem likely, especially since the cardholder wasn’t paying his debt, he said.
Russo suggested purchasers and agencies contact issuers to determine if the issuer would demand a card remain PCI compliant after it has been deactivated.
The standards are designed as comprehensive, multifaceted “requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures” to ensure customer payment account data is secure, according to the council. More than 270 firms, including credit card issuers, merchants, card processors, and computer hardware and software developers, are members of the council, according to a spokesperson.
The creation of the PCI standards sent issuers and merchants scrambling to meet the security requirements. Stories of lost and stolen consumer data have made headlines over the last few years, with the affected issuers and merchants spending millions to make their customers whole.