PCI & Red Flag Compliance For the Utility Industry · 2015-02-27

Presented by: James Caperton

Agenda

1. I.D. Theft Overview
2. What you need to know about PCI Compliance
3. What you need to know about Red Flag Compliance
4. Recap
5. Q & A

ONLINE Utility Exchange

• Established in 1956
• Originally a small merchant credit bureau (Equifax Affiliate)
• Bureau business purchased by Equifax in 1997
• Focus shifted from reporting past credit history to Identity Theft mitigation, credit risk assessment and debt management solutions

Identity Theft in America

• Up to 70 million consumers affected by Target data breach
• Anthem (BCBS): up to 80 million victims
• Losses totaled $24.7 billion in 2013 w/ approximately 16 million victims
• 13% of stolen information was used to open a utility account or related service.

What is PCI Compliance?

A set of requirements designed to ensure ALL companies that Process, Store, or Transmit credit card information maintain a secure environment.

Who has to comply?

Essentially any company that has a Merchant I.D. If you take Credit Card Payments, you have to comply.

How To Comply w/ PCI Regs.

● Maintain Physical Security For the Workplace
● Application Security (Webserver, Databases)
● Network Security (Firewalls, SSL Certs)
● Server Security (Hardened Operating Systems, Log Management)
● Administrative Security (Secure Access w/ two-factor authentication)
● Data Backup (good rule of thumb is nightly, kept 14 days)

How To Comply w/ PCI Regs. (cont)

● Security Audits (Internal & 3rd Party)
● Access Control to Servers
● Maintain Policies
● Incident Response
● Annual Risk Assessment
● Data Management
● Application Management

What are Red Flag Rules?

● The Red Flags Rule is based on Sections 114 & 315 of the Fair and Accurate Credit Transactions Act (FACTA) of 2003.
● The Rule sets out how certain businesses and organizations must develop, implement, and administer their Identity Theft Prevention Programs.
● The Program sets forth four elements to prevent the threat of Identity theft.

Prevention Elements

1. Identify Relevant Red Flags
   ▪ Identify likely business-specific ID Theft R.F.
2. Detect Red Flags
   ▪ Define procedures to detect R.F. in procedures
3. Prevent & Mitigate Identity Theft
   ▪ Act to prevent & mitigate harm
4. Update Program
   ▪ Maintain R.F. Policy including staff education


SSN Verification Messages

Good Match

• The information on the application matches the information on the credit file.
• The consumer’s ID is validated for you

Match to Other Name

The SSN you entered is associated with another name.

i. A drop-down menu will display the other names
ii. Many times, there is a simple name variation (middle initial, maiden name, shortened or lengthened version of first name)
iii. Other times a totally different name will appear

Match to Other Name (cont)

Does Match to Other Name indicate fraud?

• Simple name variations can be easily identified with the applicant (“Ma’am, have you ever gone by another last name?”)
• When a totally different name displays, this could be the result of a “keystroke error” from another company performing a credit check

Match to Other Name (cont)

Do’s and Don’ts with Match to Other Name

Do
• Verify that you entered the SSN correctly
  ▪ If not, run a new Utility Exchange report
• If the SSN was entered correctly, ask the applicant to provide valid ID (Example statement: “I can’t seem to verify your identity, will you please provide a Social Security card and drivers license?”)
• If applicants are concerned about identity theft, encourage them to regularly check their credit

Match to Other Name (cont)

Do’s and Don’ts with Match to Other Name

Don’t
• Say that the SSN is being used by someone else
• Give the other name to the applicant
• Tell the applicant the Match to Other Name status needs to be corrected

No Record Found

• The SSN hasn’t been used to apply for anything requiring a credit check
  ▪ Common with younger applicants
  ▪ Does not necessarily indicate that the SSN is invalid or “bad”
• Ask applicant to provide valid ID

No Match

• One of the strongest indicators of fraud, but it doesn’t necessarily mean that fraud has actually happened yet
• The name and SSN entered have never been associated with one another
• Ask applicant to provide valid ID; no further action is required

Deceased

• Displays when either the credit bureau or the Social Security Administration has the SSN labeled as deceased
• How to handle the deceased status
  i. Verify the SSN was entered correctly
     ▪ If the SSN was transposed, it could be the SSN linked to a deceased individual
  ii. If the SSN is correct, ask the applicant to provide valid ID

Deceased (cont)

What next?

Once you validate the identity of your applicant, how you handle the deceased status depends on what alert displays under the status.

i. If the alert indicates that a “tradeline” is reported as deceased, that means the credit bureau lists the SSN as deceased on one or more accounts
   a) Contact ONLINE Customer Service, as we can work with the bureau to get the status corrected on future reports and can advise on what the consumer will need to provide us
ii. If the alert does not mention a tradeline, refer the applicant to the Social Security Administration

Non-Issued

• Displays when there is no record of an SSN being issued by the Social Security Administration
  i. It does not necessarily mean the SSN is not valid. SSN randomization makes it difficult to track whether and when the Administration issued an SSN.
• Request valid ID from the applicant

What should I do?

• In most cases, all you need to do is ask the applicant to provide a valid ID
  ▪ Social Security card
  ▪ Drivers license
  ▪ Passport
  ▪ Birth certificate
  ▪ Letter from the SSA
• Ask applicant to provide ID documents in person
  ▪ Email is not recommended

Red Flag Overview

• Ensures the information on the consumer’s application matches the information on the credit file. This helps validate the applicant’s identity.
• Benefits of following SSN verification messages
  ▪ Protects your business from fraud, a major source of bad debt
  ▪ Protects the applicant’s identity/prevents ID theft
  ▪ Keeps your business in compliance with federal ID verification regulations

PCI & Red Flag Compliance

Q&A

Questions? Thank you!

Toll-free Customer Service/Tech Support: 800.234.7683
Email: [email protected]
Website: www.ONLINEUtilityExchange.com