pci & red flag compliance for the utility industry · 2015-02-27 · pci & red flag...
PCI & Red Flag Compliance For the Utility Industry
Presented by: James Caperton
Agenda
1. I.D. Theft Overview
2. What you need to know about PCI Compliance
3. What you need to know about Red Flag Compliance
4. Recap
5. Q & A
ONLINE Utility Exchange
• Established in 1956
• Originally a small merchant credit bureau (Equifax Affiliate)
• Bureau business purchased by Equifax in 1997
• Focus shifted from reporting past credit history to Identity Theft mitigation, credit risk assessment and debt management solutions
Identity Theft in America
• Up to 70 million consumers affected by Target data breach
• Anthem (BCBS) up to 80 million victims
• Losses totaled $24.7 billion in 2013 w/ approximately 16 million victims
• 13% of stolen information was used to open a utility account or related service.
What is PCI Compliance?
A set of requirements designed to ensure ALL companies that Process, Store, or Transmit credit card information maintain a secure environment.
Who has to comply?
Essentially any company that has a Merchant I.D. If you take Credit Card Payments you have to comply.
How To Comply w/ PCI Regs.
● Maintain Physical Security For the Workplace
● Application Security (Webserver, Databases)
● Network Security (Firewalls, SSL Certs)
● Server Security (Hardened Operating Systems, Log Management)
● Administrative Security (Secure Access w/ two-factor authentication)
● Data Backup (good rule of thumb is nightly, kept 14 days)
How To Comply w/ PCI Regs.
● Security Audits (Internal & 3rd Party)
● Access Control to Servers
● Maintain Policies
● Incident Response
● Annual Risk Assessment
● Data Management
● Application Management
What are Red Flag Rules?
● The Red Flags Rule is based on Sections 114 & 315 of the Fair and Accurate Credit Transactions Act (FACTA) of 2003.
● Rule sets out how certain businesses and organizations must develop, implement, and administer their Identity Theft Prevention Programs.
● The Program has set forth four elements to prevent the threat of Identity theft.
Prevention Elements
1. Identify Relevant Red Flags
   * Identify likely business-specific ID Theft R.F.
2. Detect Red Flags
   * Define procedures to detect R.F. in procedures
3. Prevent & Mitigate Identity Theft
   * Act to prevent & mitigate harm
4. Update Program
   * Maintain R.F. Policy including staff education
Good Match
• The information on the application matches the information on the credit file.
• The consumer’s ID is validated for you
SSN Verification Messages
Match to Other Name
The SSN you entered is associated with another name.
i. A drop-down menu will display the other names
ii. Many times, there is a simple name variation (middle initial, maiden name, shortened or lengthened version of first name)
iii. Other times a totally different name will appear
SSN Verification Messages
Match to Other Name (cont)
Does Match to Other Name indicate fraud?
• Simple name variations can be easily identified with the applicant (“Ma’am, have you ever gone by another last name?”)
• When a totally different name displays, this could be the result of a “keystroke error” from another company performing a credit check
SSN Verification Messages
Match to Other Name (cont)
Do’s and Don’ts with Match to Other Name
Do
• Verify that you entered the SSN correctly
▪ If not, run a new Utility Exchange report
• If the SSN was entered correctly, ask the applicant to provide valid ID (Example statement: “I can’t seem to verify your identity, will you please provide a Social Security card and driver’s license?”)
• If applicants are concerned about identity theft, encourage them to regularly check their credit
SSN Verification Messages
Match to Other Name (cont)
Do’s and Don’ts with Match to Other Name
Don’t
• Say that the SSN is being used by someone else
• Give the other name to the applicant
• Tell the applicant the Match to Other Name status needs to be corrected
SSN Verification Messages
No Record Found
• The SSN hasn’t been used to apply for anything requiring a credit check
▪ Common with younger applicants
▪ Does not necessarily indicate that the SSN is invalid or “bad”
• Ask applicant to provide valid ID
SSN Verification Messages
No Match
• One of the strongest indicators of fraud, but it doesn’t necessarily mean that fraud has actually happened yet
• The name and SSN entered have never been associated with one another
• Ask applicant to provide valid ID, no further action is required
SSN Verification Messages
Deceased
• Displays when either the credit bureau or the Social Security Administration has the SSN labeled as deceased
• How to handle the deceased status
i. Verify the SSN was entered correctly
▪ If the SSN was transposed, it could be the SSN linked to a deceased individual
• If the SSN is correct, ask the applicant to provide valid ID
SSN Verification Messages
Deceased (cont)
What next?
Once you validate the identity of your applicant, how you handle the deceased status depends on what alert displays under the status.
i. If the alert indicates that a “tradeline” is reported as deceased, that means the credit bureau lists the SSN as deceased on one or more accounts
a) Contact ONLINE Customer Service, as we can work with the bureau to get the status corrected on future reports and can advise on what the consumer will need to provide us
b) If the alert does not mention a tradeline, refer the applicant to the Social Security Administration
SSN Verification Messages
Non-Issued
• Displays when there is no record of an SSN being issued by the Social Security Administration
i. It does not necessarily mean the SSN is not valid. SSN randomization makes it difficult to track whether and when the Administration issued an SSN.
• Request valid ID from the applicant
SSN Verification Messages
What should I do?
• In most cases, all you need to do is ask the applicant to provide a valid ID
▪ Social Security card
▪ Driver’s license
▪ Passport
▪ Birth certificate
▪ Letter from the SSA
• Ask applicant to provide ID documents in person
▪ Email is not recommended
Red Flag Overview
• Ensures the information on the consumer’s application matches the information on the credit file. This helps validate the applicant’s identity.
• Benefits of following SSN verification messages
▪ Protects your business from fraud, a major source of bad debt
▪ Protects the applicant’s identity/prevents ID theft
▪ Keeps your business in compliance with federal ID verification regulations
PCI & Red Flag Compliance
Q&A
Questions? Thank you!
Toll-free Customer Service/Tech Support: 800.234.7683
Email: [email protected]
Website: www.ONLINEUtilityExchange.com