Do Stores Guard your Data?

Credit card companies regularly warn consumers about how to protect themselves from fraud when using plastic: scour statements for unauthorized purchases, shred paperwork that includes account numbers and don’t leave bills or cards on the kitchen counter when people are in your home.

But shoppers are pretty much left in the dark if they want to know whether a store is keeping their credit-card and debit-card transactions secure. There are a few things savvy consumers can do to check up on a retailer’s security practices before plunking down their plastic.

The card industry itself is cracking down on merchants who don’t follow industry guidelines known as the Payment Card Industry Data Security Standard, or PCI. Starting this month, Visa Inc. will levy fines of $25,000 a month for noncompliance.

Merchants who accept plastic must install firewalls and take other measures to keep computer systems safe from hackers. They aren’t allowed to store certain sensitive data that hackers can use to make phony purchases or produce fraudulent cards.

Merchants, unfortunately, have been slow to respond. Of the 327 largest merchants, just 44% of them have validated their compliance, according to Visa.

The card companies won’t tell you who’s still breaking the rules. “Disclosing the name of compliant merchants would be like drawing a road map for the thieves,” says a Visa spokeswoman. Cardholders aren’t liable for unauthorized purchases.

Merchants also tend to be tight-lipped for similar reasons. That pretty much leaves it up to the consumer to figure out. It’s not easy: Shoppers can’t see inside a merchant’s computer system.

But there are a few things to watch for.

First, industry rules and federal law prohibit merchants from printing more than the last five digits of an account number on a customer receipt. So the first clue: If a merchant is printing too much data on receipts, chances are that’s not the only hole in its system.

Look at the equipment. If the cash register has one of those old-fashioned green computer screens, chances are its security is also from a bygone era. Card-swipe devices should be enclosed in tamper-proof plastic. And as silly as it sounds, if the swipe device “looks old, dusty and dirty, it probably hasn’t been retrofitted,” says one security expert.

Some online merchants have seals on their Web sites that provide security credentials. Designersreplica.com, which sells sunglasses, has a small “credit card guard” insignia on its Web site that identifies it as a “PCI Tested Website.”

“We believe that merchants enjoy more sales because they show they are PCI-compliant,” says Michael Johnson, chief executive of ComplyGuard Networks, a New York company hired by merchants to test their systems. Next month, ComplyGuard will start providing “no-fraud zone” stickers to brick-and-mortar customers who comply with the rules.

The fact is, there are still too few guarantees when it comes to card security. Except, of course, for the foolproof method: Pay with cash.

By Robin Sidel