As if Kmart doesn’t have enough problems, the company in June announced that malicious code (a virus) had infected its store payment data systems. The attackers behind the code used the stolen data to create fraudulent credit cards and then make purchases. This type of event seems to happen every day now, and with the international nature of the Internet and hacking capabilities, credit card data breaches show no sign of abating.
For companies that accept credit cards, the need to stay on top of the latest trends in data security and payment processing also shows no sign of abating. That’s why Resort Trades has checked in with three experts in the field to find out what you need to know now. Here are two potential areas of concern for the timeshare industry.
“Simply put, if you want to continue to accept credit cards in your business, you must use a PCI (Payment Card Industry)-compliant process,” says Sonja Yurkiw, senior vice president and general counsel at Concord Servicing Corp. “PCI compliance does not mean you are perfectly secure, but it is the minimum requirement for accepting credit cards.”
According to Yurkiw, any organization, such as a credit card processing company, that claims to be PCI compliant should be able to produce certification to that effect. To verify compliance, you can consult https://www.pcisecuritystandards.org. There are levels of compliance, and some levels only require self-certification. “In such a case, you should review your vendor’s full security plan to ensure they have taken all necessary steps to protect credit card and other sensitive data,” she says.
There are two types of credit card transactions. Card Present transactions are usually at check-in desks, resort gift shops or sales centers. For Card Present transactions, everyone should by now have shifted to Europay, MasterCard and Visa (EMV) technology, which relies on a chip card. “EMV cards have significantly enhanced embedded technology to lessen the possibility of fraud in a Card Present environment,” says Jeff Sites, a partner at Customized Solutions, which is a division of Gildersleeve Partners LLC. “When a customer presents a card for payment, it’s much easier to tell if that card actually belongs to them.” Companies that haven’t implemented the new technology risk bearing the costs of any fraud, as the issuing bank is now not liable. In addition, Sites warns that any parties not EMV-ready could face much higher costs in the event of a large data breach.
In the timeshare industry, many more payments fall into the second category, Card Not Present. This includes telephone and Internet transactions, such as maintenance fee and mortgage payments. There are industry standards that apply to all credit card transactions. “Data security is key,” says Odilia Guiant, senior vice president of finance and client experience at ResortCom International. “There need to be standards set for how employees handle data. For example, everything should be entered into and managed within the systems that you provide. Don’t allow cellphones on the sales floor, don’t write down credit card numbers.”
To ensure that your company is meeting industry standards, you may want to retain a Payment Card Industry Data Security Standard (PCI-DSS) expert. “Even if you believe you’re compliant, hire an expert to review your process,” Yurkiw advises. “Several methods are available to protect credit card data, including black box technology or full tokenization. A Qualified Security Analyst is skilled in this area and will provide guidance as to the most efficient and secure solution for your organization. In the alternative, outsource your payment processing to an organization that has already gone through the exhaustive effort of becoming PCI compliant.”
For phone transactions, ResortCom is moving to a new system where consumers enter their own information during the call using the keypad. This would mean that the employee would not have access to the credit card number.
ResortCom also uses a system called vaultless tokenization to encrypt data. Tokenization substitutes sensitive or confidential information with a token. In vaultless tokenization, a token may be generated using the original primary account number and a secret key or parameter that allows calculation of the account number and token. “This means that even if someone somehow got the keys to the castle, they still wouldn’t be able to obtain the customer’s data,” Guiant explains.
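The vaultless scheme described above, as an added illustration (not ResortCom’s system or any vendor’s code): the token is computed from the primary account number and a secret key, and only that key reverses it, so a stolen token table is useless on its own. The keyed Feistel network and HMAC round function are my assumptions standing in for a standardized format-preserving mode such as NIST FF1; the test PAN and key are constructed.

```python
import hmac
import hashlib

ROUNDS = 10  # even, so the Feistel output keeps the input length

def _prf(key: bytes, tweak: bytes, rnd: int, half: str, width: int) -> int:
    """Keyed round function: HMAC-SHA256 over (tweak, round, half), reduced mod 10**width."""
    msg = tweak + bytes([rnd]) + half.encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (10 ** width)

def _feistel(digits: str, key: bytes, tweak: bytes, encrypt: bool) -> str:
    """FF1-style unbalanced Feistel over a decimal string (assumed construction, not FF1 itself)."""
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    order = range(ROUNDS) if encrypt else range(ROUNDS - 1, -1, -1)
    for i in order:
        m = u if i % 2 == 0 else v  # width of the half being rewritten this round
        if encrypt:
            c = (int(a) + _prf(key, tweak, i, b, m)) % (10 ** m)
            a, b = b, str(c).zfill(m)
        else:
            c = (int(b) - _prf(key, tweak, i, a, m)) % (10 ** m)
            a, b = str(c).zfill(m), a
    return a + b

def tokenize(pan: str, key: bytes) -> str:
    """Replace the middle digits of a PAN with a keyed token; BIN and last four stay clear."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    head, middle, tail = pan[:6], pan[6:-4], pan[-4:]
    tweak = (head + tail).encode()  # binds the token to its clear-text context
    return head + _feistel(middle, key, tweak, True) + tail

def detokenize(token: str, key: bytes) -> str:
    """Recover the PAN from a token; only a holder of the key can do this."""
    head, middle, tail = token[:6], token[6:-4], token[-4:]
    return head + _feistel(middle, key, (head + tail).encode(), False) + tail

if __name__ == "__main__":
    KEY = b"constructed-demo-key-not-for-production"
    pan = "4111111111111111"  # constructed test PAN, not a real card
    tok = tokenize(pan, KEY)
    print(pan, "->", tok, "->", detokenize(tok, KEY))
```

The token keeps the PAN’s length, BIN and last four digits, so reports and customer-facing masking keep working while no system outside the detokenizing service ever holds the full PAN.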
Be particularly mindful of any storage of credit card data on your system. If you’re recording your phone calls or storing data during online transactions, be sure those storage methods are in keeping with PCI protocol as well, Yurkiw advises.
A secondary area of concern for companies that accept credit cards is keeping the fees charged by credit card processors as low as possible. In order to do that, the experts advise keeping the percentage of credit card transactions challenged by consumers as low as possible. “The industry as a whole does a very good job with charge backs except for merchant accounts used for sales activities,” Sites says. “In order to take advantage of lower rates or future technology opportunities, you will need a track record of low charge backs. If you have a less than 1 percent charge back rate, then you’re probably in good shape. If you go over 1 percent, that’s not so good. As merchant credit card rates continue to drop, underwriting standards have gone up.”
ResortCom works with its clients to manage charge backs. “The biggest issue is buyers’ remorse,” Guiant says. “This is a passion sale; buyers are on vacation and dreaming of future vacations, then when they return home they have to deal with the reality. The best thing to do is to have a really good and solid process for managing consumer remorse.”
That process should include responding rapidly and clearly to any consumer questions, within 24 hours at the latest. “You have to have a department where consumers can go and get an immediate response,” she says. “When questions come up, you can adapt that into your sales process and then hold the salespeople responsible if needed.”
In cases where the issues can’t be resolved, it may be wisest to simply cancel the sale rather than have the consumer challenge the transaction with their credit card company.
If ResortCom’s clients are getting close to having more than 1 percent of their transactions charged back, ResortCom will conduct a review and even send staff on site to review processes and educate the client’s personnel.
For mortgage payments and maintenance fees, the percentage of transactions that are charged back is minimal, Guiant says. “That’s usually when there is a dispute about the delivery of services, but it’s still a very, very small percentage.”