The internet has revolutionised our world and brought with it a new way to shop. The ability to purchase things online with just a few clicks is something that never existed before. This convenience, ease, and security have led to an explosion of e-commerce in recent years and to the emergence of online shopping as one of the biggest markets in the world.
Unfortunately, this convenience also comes at a price. One significant risk associated with e-commerce is how payment information is processed when it goes from your personal bank card directly into the hands of a store or other merchant that you may not know anything about. A number of companies process these payments and are designed to be “intermediaries” between buyers and sellers. They are called payment processors.
What are High Risk Payment Processors?
“…High Risk Payment Processor (HRPP) is defined as a third-party organisation that has access to payment card account information (e.g., credit or debit cardholder name, account number, applicable expiration date, security code and/or related data) and/or other sensitive personal information or transaction-related information of merchants or customers. The term high risk payment processor shall include but not be limited to third party resellers or aggregators of payment processing services who provide the processing capabilities for third parties.” -Background on High Risks
What do HRPPs Do?
“High Risk Payment Processors shall process payments for merchants who accept payment cards, primarily through an Internet or telephone channel. Payment card transactions include credit and debit card transactions, as well as check and money order transactions processed through a card-branded merchant account. In addition, High Risk Payment Processors may process other sensitive personal data, the loss of which can result in a significant risk to the individual whose data is compromised. Examples of sensitive personal data include, but are not limited to:
- Financial account information such as bank account numbers, credit card numbers, debit card numbers, or checks.
- Social security numbers (SSNs) and other financial or identification data used in connection with a payment card and/or the financial transactions that originate from a payment card when used for authentication purposes; or information that could enable the identification of an individual including, without limitation: name, address, telephone number and email address.” -Background on High Risks
What is a High Risk Merchant?
“High Risk Merchants are key chain stores (e.g., tobacco shops), telephone solicitor services (e.g., “900 Calls”), travel agencies (e.g., travel agencies claiming to sell airline tickets, cruises, reservations or find tour packages), car rental companies (e.g., Hertz Rent a Car, Rent-A-Car Company), and pawn shops (e.g., pawn shops claiming to retrieve lost or found valuables).” -Background on High Risks
What types of data do High Risk Payment Processors store?
“High Risk Payment Processors must store payment card account number, expiration date on all non-reloadable prepaid cards, and three-digit code for each type of card used for ATM withdrawals. Transactions that are initiated at automated teller machines (ATMs) or by telephone must be recorded in chronological order for at least ten years. High Risk Payment Processors may, if they choose, store additional transaction information but must retain the minimum set of data described above for at least five years. High Risk Payment Processors should store transaction dates, timestamps and dollar amounts, as well as all processing information.” -Background on High Risks
What types of information do High Risk Payment Processors keep in connection to credit cards?
“High Risk Payment Processors can maintain a minimum of ten years’ worth of transaction history for credit cards (with a maximum retention period of ten years calculated from the most recent purchase). A High Risk Payment Processor that processes transactions through an Internet site must provide a statement indicating the basic purpose and useful life span of the computer.”
The entire point of High Risk Payment Processors is to be an “intermediary” in the payment process, handling sensitive data and keeping it safe. The problem is that these companies are often one of the weakest links in the security chain, as they can be an easy target for cyber attacks. In fact, they are often targeted because they represent a lucrative market for hackers trying to make a quick buck selling stolen credit cards and other sensitive data.
So if you have some sort of business account with a High Risk Payment Processor, or you process payments at your site on behalf of customers, you may want to look into securing it better than I did on my first website, which was compromised and ended up costing me thousands of dollars to rectify.