Time to Comply: Club owners who aren’t aware of a new credit card standard could be risking heavy fines.
The PGA West Health and Racquet Club is located in the affluent PGA West gated community in La Quinta, CA. The members, for the most part, earn a comfortable living.
Some members were comfortable enough that when they visited a personal trainer at PGA West's 2,100-square-foot fitness facility, they left their personal belongings, including wallets and purses, in an area of the club that was not secure. As those members recently found out, that wasn't a good idea because when they weren't looking, their personal trainer, Richard Nathan Detamble, stole some of their credit cards from inside their wallets and purses.
Seven club members were victimized, according to the Riverside County Sheriff's Department.
“To some degree, they were a little careless because they just didn't think it would happen to them,” Detective Sgt. Jorge Piñon of the Riverside County Sheriff's Department says about the victims. “As a result, this guy took advantage of the situation. It's one of those crimes that's easily available to these folks that work there.”
Detamble used the stolen credit cards to make purchases of more than $10,000 on gift cards and personal items, mostly at a Target department store. Detamble was arrested on suspicion of commercial burglary and fraudulent use of credit cards on April 25, just three days before he was to be married at the PGA West club. He was released from the Indio Jail after he posted bail. He has since been fired by PGA West.
Although Detamble stole actual credit cards and did not hack into the club's computer system for members' credit card information, this case raises questions about how secure club members' personal information is, and if that personal information is stolen from the club, who is liable?
A new standard was introduced in January 2005 and updated at the beginning of this year. The Payment Card Industry (PCI) Data Security Standard (DSS) is a set of comprehensive requirements for enhancing payment account data security. The standard was developed by the PCI Security Standards Council, which was formed last September by major credit card companies American Express, Discover, JCB, MasterCard and Visa. Merchants and service providers, including clubs, who do not comply with the payment brand security requirements are subject to penalties or fines.
A few years ago, each of these companies had their own compliance programs, and they still do, says PCI Security Standards Council General Manager Bob Russo. The formation of the council is in itself a milestone, Russo adds.
“You're talking about five of the fiercest competitors that are out there, and getting them around the same table to agree on a standard just goes to show how important security is to all of them,” Russo says.
The new standard was the main subject of the Technology Summit at the annual International Health, Racquet and Sportsclub Association (IHRSA) show in March. At that summit, presenter Michael Scott Scudder of the online-based consulting firm MSS FitBiz Connection told club owners in the audience that they could face heavy fines if they were not compliant with the standard for securing their members' personal information at their clubs. He continued by telling them that the deadline for compliance was in three days — about the time most of them would be returning home from the conference.
“We were essentially asked to get up there and say, ‘Hi, folks! You've all got cancer!’” Scudder says.
Scudder stressed to the attendees the importance of clubs protecting their members' information. Leaving folders with members' sign-up information lying around on the front desk or even in cabinets in the back office is no longer acceptable, Scudder says. Instead, clubs should put members' credit card information into a computer and make sure the data is encrypted, that is, translated into a secret code that is unreadable without the key.
Russo echoes that, saying that all electronically stored credit card data must be rendered unreadable. Some smaller merchants still capture card data on paper; those paper records must likewise be secured in a locked environment.
Frank Abagnale, who spoke after Scudder's presentation at the IHRSA show, is just as concerned about security as anyone. Abagnale is one of the nation's leading experts on the subjects of forgery, embezzlements and secure documents. A former forger and impostor, Abagnale was the subject of the movie “Catch Me If You Can.” His latest book is entitled “Stealing Your Life: The Ultimate Identity Theft Prevention Plan.”
As Abagnale was having lunch with the financial electronic commerce services company that sponsored the IHRSA presentation, he remarked, “I would be very concerned in this [club] industry about all of the information they take on of all the clients that come to their business and how they store that information. I have read a number of cases where an employee that has worked there has absconded with the information and sold it. I've heard about having break-ins, and the information was stolen.”
In an interview several days after the IHRSA show, Abagnale continued to stress the need to secure personal information.
“It is extremely important for every company in America no matter how small or big, including every municipality and financial institution, to be asking themselves one question: What am I doing to protect the identities of my customers and my employees?” Abagnale says.
Even after the presentation at the IHRSA show, club owners were still puzzled about whether they were compliant with the new standard or how their clubs could become compliant. Club Industry's Fitness Business Pro asked readers in a recent online poll, “Are your clubs compliant with the PCI standards?” Twelve percent answered “yes,” 6 percent answered “no,” and 82 percent didn't know what the PCI standards were.
The 12 requirements of the PCI DSS focus on securing the computer systems and networks that handle cardholder data, from installing and maintaining a firewall configuration to encrypting transmission of cardholder data across open, public networks. Companies taking payments by credit card must follow these requirements regardless of their size. However, larger companies are scrutinized more closely.
Clubs — and all merchants for that matter — are categorized in one of four levels based on the number of their transactions for one specific credit card brand. Level 1 merchants have more than 6 million transactions annually; Level 2 merchants have between 1 million and 6 million transactions annually; Level 3 merchants have between 20,000 and 1 million e-commerce transactions annually; and Level 4 merchants have fewer than 20,000 e-commerce transactions annually.
Only Level 1 merchants are required to have an annual on-site review by the merchant's internal auditor or a qualified security assessor. Merchants at all levels must fulfill a network scanning requirement on a quarterly basis using an approved scanning vendor.
Bigger clubs fall into the Level 1 or Level 2 categories. Smaller clubs are usually Level 3 or Level 4. However, a Level 3 or Level 4 merchant that is compromised or has account data stolen is automatically scrutinized at the same level as a Level 1 merchant, complete with an annual on-site review.
Only Level 1 or Level 2 merchants have to prove compliance, but Level 3 and Level 4 merchants must show that they are taking steps to be compliant, Russo says. Depending on the credit card company, Level 1 and Level 2 merchants had to show compliance by Oct. 31, 2006 or by March 31, 2007.
The PCI Security Standards Council does not levy fines for credit card fraud. Instead, fines come from the credit card companies or the merchant acquirers, which are mainly banks. Visa fined companies a total of $4.7 million in 2006, up from $3.4 million in 2005.
Clubs that are not compliant and face a breach of security could face fines ranging from $10,000 to $500,000.
“The point is, that's all payable,” Scudder says. “There are very few operators that have that kind of money around. Suppose they can't come up with the money. Then, their credit card processing privileges are going to be withdrawn from them.” That, essentially, would close a club, he adds.
The poster child for credit card breach is TJX, the parent company of T.J. Maxx, Marshalls and other retail stores. In February, TJX revealed that credit card information on at least 45.7 million customers had been stolen, making it the largest breach of customer data in history. Experts predict TJX could receive as much as a $500,000 fine.
In a smaller case last fall, Chase Card Services, a division of JP Morgan Chase & Co. that handles credit card transactions for Circuit City, informed 2.6 million current and former Circuit City credit card holders that tapes containing their personal information had been accidentally dumped in a landfill, according to a report on CRN.com.
The PCI Security Standards Council does not visit each business to determine whether or not they are compliant. Russo relates it to driving the speed limit. It is assumed people are following the speed limit until they are caught not following it, he says.
“Until you drive 100 miles an hour and you actually get caught, you don't get a ticket,” Russo says. That means that no fines will be levied unless club owners are caught, he says.
Abagnale questions why credit card companies would be so heavily involved in cracking down on fraud. If credit card companies lose 5 percent of their revenue annually to fraud, and if those companies get a 50 percent tax write-off for those losses, then those companies would be happy to live with that loss, Abagnale says.
He is concerned that credit card fraud may simply become the cost of doing business. If no one is doing anything about crime, then we are encouraging it, he says. And that's why many people in the credit card industry stress the importance of compliance.
“When you get breached, as a consumer, you don't want to use that credit card anymore, so it's detrimental to their business,” says one insider. “That's why [credit card companies are] pushing these issues. It's all about, ‘How do we make our consumers feel confident in using that credit card?’ It was financially impacting the credit card providers as well, but it was before PCI was brought to light. Now that PCI is out, of course everything is driven on the other side. The merchants are liable.”
According to the Jewish Community Center (JCC) Association of North America, at least two of its facilities are already working to become compliant. A software system is helping one of those JCCs become compliant. The software for its membership system automatically deletes credit card numbers from its database, only holding onto the last four digits of the credit card number. The other JCC says its members' information is not yet encrypted in its system but that only the last four digits of their credit cards are viewable on the computer screen.
Ray Groover, the chief financial officer of American Bodyworks in the Atlanta, GA, area, is making sure his company's four franchisees and future franchisees are compliant. Some of the company's older franchises are still taking and storing members' information on paper, but those clubs are in transition to store the information electronically, he says.
“To do this, you have to rewrite your agreement and put it into the computer as a basic document and then merge information as you put it in for each new member,” Groover says. “It's not something where we're going to be paperless tomorrow. I hope within the next two months, we'll have the systems in place.”
The hardware for this transition costs between $2,000 and $2,500 per club, Groover says. Plus, the time it takes to install the systems also factors into the overall costs. But as Groover puts it, “The cost for the upgrade is negligible compared to the loss that could be incurred if you did mishandle information.”
For more details and information about the new standard, visit the PCI Security Standards Council Web site at: www.pcisecuritystandards.org.
Payment Card Industry Data Security Standard (PCI DSS) Version 1.1
The Payment Card Industry Data Security Standard (PCI DSS) Version 1.1 is a set of comprehensive requirements for enhancing payment account data security. The PCI DSS was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, to help facilitate the broad adoption of consistent data security measures on a global basis.
The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software.
Requirement 6: Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know.
Requirement 8: Assign a unique ID to each person with computer access.
Requirement 9: Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security.
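As an added illustration, not code from the article, from the JCCs' membership software or from the PCI Security Standards Council, the following Python example shows the truncation approach the JCC passage above describes (delete the full card number, keep only the last four digits, and show only those four on screen), which is the kind of control Requirement 3 (protect stored cardholder data) asks for. Everything in it is an assumption of the example: the `MemberCardRecord` layout, the `store_member_card` and `scrub_legacy_rows` names, and the card numbers, which are published test numbers rather than real accounts. The insecure variant is included only so that an audit check can show the difference between a record that still contains the full number and one that does not.

```python
"""Truncate a primary account number (PAN) before it is stored or displayed.

Constructed example of the approach described in the article: keep only
the last four digits and never write the full PAN to the membership
database. The card numbers used in the tests are published test numbers,
not real accounts.
"""
import re
from dataclasses import dataclass

PAN_MIN_LEN = 13  # shortest PAN length in common use
PAN_MAX_LEN = 19  # longest PAN length in common use


def normalize_pan(raw: str) -> str:
    """Strip the spaces and dashes a front-desk operator might type,
    then require 13 to 19 digits. Raises ValueError on anything else."""
    digits = re.sub(r"[\s-]", "", raw)
    if not digits.isdigit() or not PAN_MIN_LEN <= len(digits) <= PAN_MAX_LEN:
        raise ValueError("not a plausible card number")
    return digits


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: catches typos before a mistyped number is kept."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_for_display(pan: str) -> str:
    """Show only the last four digits on screen, as the second JCC described."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass(frozen=True)
class MemberCardRecord:
    """What the club keeps: enough for receipts and lookups, never the full PAN."""
    member_id: str
    card_last4: str
    masked_display: str


def insecure_member_record(member_id: str, raw_pan: str) -> dict:
    """The pattern the article warns against: the full PAN lands in the database."""
    return {"member_id": member_id, "card_number": normalize_pan(raw_pan)}


def store_member_card(member_id: str, raw_pan: str) -> MemberCardRecord:
    """Hardened path: validate, then discard everything but the last four digits."""
    pan = normalize_pan(raw_pan)
    if not luhn_valid(pan):
        raise ValueError("card number fails checksum")
    return MemberCardRecord(member_id, pan[-4:], mask_for_display(pan))


def record_contains_full_pan(record, pan: str) -> bool:
    """Audit check: does the stored representation still contain the full PAN?
    Works on both the dict and the dataclass form above."""
    return normalize_pan(pan) in repr(record)


def scrub_legacy_rows(rows):
    """Migrate rows that still hold full PANs (the older-franchise situation the
    article describes) into truncated records. Rows that fail validation are
    reported by member id only, so the bad value itself is not copied forward."""
    migrated, rejected = [], []
    for row in rows:
        try:
            migrated.append(store_member_card(row["member_id"], row["card_number"]))
        except ValueError as exc:
            rejected.append((row["member_id"], str(exc)))
    return migrated, rejected


if __name__ == "__main__":
    rec = store_member_card("member-001", "4111 1111 1111 1111")
    print(rec)  # MemberCardRecord(member_id='member-001', card_last4='1111', masked_display='************1111')
    print(record_contains_full_pan(rec, "4111111111111111"))  # False
```

The `record_contains_full_pan` check is the useful part for a club that already has a membership database: run it over every stored row (or over a database export) and any `True` result is a record that still needs to go through `scrub_legacy_rows` before the system can be described as holding only the last four digits.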