CHICAGO — While independent sales organizations stringently keep up their compliance with the Payment Card Industry data security standard, they don't always protect non-payments data and paper records as diligently.

Be "very cognizant that there is huge risk and liability when [merchant data] information is made available," Betsy Bohlen, vice president of Pueblo Bank and Trust, a sponsor bank, said during the Midwest Acquirers Association's 11th annual conference.

Bohlen spoke about a friend who went to see an insurance agent. When the friend sat down to speak with the agent there were stacks of papers on the desk with other people’s personal information visible throughout their discussion.

"Good people can become bad people very quickly," she says.

Adding physical security is the biggest step to keeping merchant data secure.

"Eliminating paper would be the highest on the list of wants," says Bohlen. "In the future… [you] don’t have to worry about the cleaning lady reaching into a file cabinet to get information if the file cabinet is empty."

Merchants can keep files with personal information encrypted in the cloud, Bohlen suggests.

But until all companies go paperless, they will need to take steps to protect physical records, says Nicole Palella, chief risk officer at BluePay Processing. These steps include locking file cabinets and shredding documents.

"There are things that can be done and they don’t have to be expensive," she says. "One of the easiest things is investing in a lock."

Companies should also change passwords and make sure employee passwords are strong, she says. And making sure computers are turned off when employees are away from them is also a practice to teach staff.

Keeping merchant data secure "may be cumbersome but it’s a reality of our industry today," says Deana Rich, CEO and founder of Deana Rich Consulting Inc. "Look at the manual workarounds before you worry about the big expensive systems and builds."

Protecting personal information is a "very hot topic on the federal legislative level," says Holli Targan, a partner in the Southfield office of Jaffe Raitt Heuer & Weiss. In the House currently, there’s a hearing on whether federal legislation is needed to protect consumers' personal information, she says. The federal government defines consumers as merchants as well.

Subscribe Now

Authoritative analysis and perspective for every segment of the payments industry

14-Day Free Trial

Authoritative analysis and perspective for every segment of the industry