When a customer hands off a credit card to a service tech or installer, he or she expects top-of-the-line security measures, including encryption of numbers, to protect personal information from getting into the wrong hands.

If an HVAC contractor fails to encrypt a customer’s credit card number or if that same information is stored in an unsecured file cabinet or room, what could happen if that “secure” information is stolen and used to defraud a customer? The answer is one that many business owners do not want to hear: financial disaster.

The fine for failure to secure a customer’s private information can be up to $100,000 per breach occurrence. That’s according to the Advanced Merchant Services (AMS), a Member Service Provider for HSBC Bank USA, National Association, Buffalo, N.Y. Credit card companies Visa and MasterCard are levying these fines.

Now take that one occurrence and multiply it five times. A security breach of this magnitude could cost a business owner up to $500,000. It is unlikely that many HVAC contractors could absorb a $100,000 hit, let alone one for a half-million dollars.

According to the Nilson Report, which tracks payment industry data and trends, “the most typically reported and accepted quantification of card fraud are annual issuer losses. For 2005, these were estimated at about $1.1 billion for Visa, MasterCard, American Express, and Discover combined.

“Fifty percent of fraud today is merchant fraud - coming from merchants themselves,” said Paul Donihue of AMS. “Visa and MasterCard are very adamant that businesses have a secure environment. They have stepped up their efforts to increase security in the past few years. In fact, all of the credit card companies have come together on the standardization of encryption procedures.”

How serious is the problem? In January 2007, Retailer TJX Companies Inc., which runs several discount clothing and home goods stores, said that its systems had been breached by an attacker who may have stolen the credit card data of millions of customers.

In December 2005, a hacker gained access to a computer system at the University of California, Los Angeles. About 800,000 potential victims were notified. Aircraft giant Boeing Co. said last December that a company-owned laptop containing the personally identifiable information of nearly 400,000 of its employees and former workers was stolen.


To support security guidelines promoting compliance with the Cardholder Information Security Program (CISP) and the Payment Card Industry Data Security Standard (PCI DSS), in August 2006 Visa’s Cardholder Information Security Program (CISP) issued a bulletin on the “Top Five Data Security Vulnerabilities” which included “storage of track data.”

Track data is the information encoded and stored on two tracks located within the magnetic stripe on the back of a Visa card. PCI DSS Requirement explicitly prohibits the storage of the full contents of the magnetic stripe once the authorization process is completed.

According to the bulletin, “many merchants and service providers may be unknowingly storing this data because a number of commercially available Point of Sale (POS) payment systems and custom-designed payment applications retain this data by default without any action by the user. Visa regulations and the PCI DSS also prohibit the storage of the Card Verification Value 2 (CVV2) and Personal Identification Numbers (PINs) or PIN blocks.

“The value of full track data to hackers is significant. With little effort, a duplicate card can be created that will appear indistinguishable from the original card during the authorization process. Mass storage of this data by merchants and agents exposes this sensitive information to potential compromise and can make it easy for hackers to commit fraud that is difficult for issuers to detect. CVV2 and PINs are also highly sought after by hackers, and when compromised, can expose the payment system to undue risk.”

This bulletin is among informational data available at www.visa.com/CISP.

Compounding the problem is the number of businesses that are not PCI DSS compliant. “We estimate that less than 10 percent of the merchants use any type of encryption while storing sensitive cardholder data,” said Don Shroeder of Element Payment Systems, Phoenix. “All merchants storing sensitive cardholder data must be PCI DSS compliant.”


Donihue noted that businesses that fail to encrypt customer credit card numbers cannot use ignorance of the PCI DSS as a defense if their customer information is breached.

Several HVAC contractors told The NEWS that they were unaware that this standard even existed. John Levey of Oil Heat Associates, Wantagh, N.Y., consults with contractors and said, “For companies I’ve visited, they typically take poor care of the records. I’ve seen credit card numbers on the computer screens, credit card numbers written on a piece of paper that’s thrown in the trash afterwards, etc.”

“We are not aware of these changes,” said Michael Curtis of Artic Air Inc., Summerville, S.C. “We will be working on compliance right away. I doubt that most businesses know this.”

Chris Colditz of Laco Mechanical Services, Elk Grove Village, Ill., is surprised at how little HVAC contractors know of the “outside world,” but she understands that some may know about the need to comply. However, there is a perception of an associated added expense for compliance.

“Contractors should be proactive,” she said. “But, is there a point where proactive simply isn’t cost effective? I think we are going over the edge of cost effective in response to the huge national questions of privacy.”

Shroeder said that less than 20 percent of businesses are aware of the need to encrypt, but choose not to act.

Sadly, not being proactive isn’t the only reason why HVAC contractors have subjected themselves to stiff fines. The software companies they use for their accounting software must also be compliant.

“It isn’t just the merchant that must be aware of these security procedures, everyone who does business with them must have the same security measures in place,” said Donihue. “They have to make sure that whatever accounting system they are using is encrypted. Merchants need to know if their accounting software keeps a credit card number as a text file or if it encrypts the information. If it doesn’t encrypt, the business is in breach of security. It is as simple as that.

“It is the merchant who will suffer, along with the company that makes the accounting software.”

Some HVAC contractors continue to keep confidential files in unlocked file cabinets or rooms. After hearing about these new security measures, one contractor said he was “locking doors and files that we never locked before.”

Donihue believes that contractors should take added security measures of employee background checks and added, “Limit the number of people who handle secure transactions to one person.”

And he noted that having an “other guy” attitude is very dangerous. “I run into this mentality that this problem could happen to someone else but it can’t happen to me,” he said.

Contractor Andy Sievers of Arco Heating & Air, West Paducah, Ky., believes the time is right to screen the people who handle sensitive information. “We run background checks and drug screens on all field employees,” he said. “We have not implemented a background check policy on any office personnel but will be doing this in the future.”


If an HVAC contractor feels that he or she is not in compliance with the PCI DSS, they should take immediate action to protect themselves, according to Donihue. “They need to immediately implement encryption technology according to the PCI DSS compliance program,” he said. “The other option is to remove the requirements by storing the sensitive data elsewhere (shifting the responsibility to another entity).

“If a business keeps an invoice on file, it must be secured. It cannot contain the CVV number [the three- or four-digit security number on the card] or the entire card number on file.”

Some contractors take security measures, such as Roger Fouche of Schaal Heating & Cooling, Des Moines, Iowa. His company does not store confidential data. “We do shred all information relating to credit cards, and it is only seen by the bookkeeper,” he said.

Brian Baker of CustomVac, Winnipeg, Manitoba, said what he considers confidential data is not kept on file. “All confidential files such as the financing forms in our client files are kept secure in our office,” he said. “Our database is backed up each day and taken off-site with us and as we said the database contains nothing that would be classified as confidential data.”

But are these measures enough to protect a contractor and its customers? One contractor chooses to avoid the problem by not accepting credit cards. “One of the biggest reasons I don’t take credit cards is that I only get one or two requests per year for their use,” said Scott Lawson of Lawson Mechanical Service Co. LLC, Windsor, Mo. “There is not enough demand to justify the overhead costs of maintaining the capability. I do have a backup plan. If the customer desires, they can make a visit to my bank and do a cash advance on their card and the bank will deposit the amount to my account. And the customer gets to pay the card transaction fee.”

But not accepting credit cards is not an option for most HVAC contractors.

In the end, an HVAC contractor can make the choice to encrypt sensitive numbers or trust someone else to do it for them. As Colditz said, “I am wondering if contractors are operating under a false sense of security: ‘My credit card distributor would tell me if I needed to change.’”

Paul Donihue of Advanced Merchant Services will provide a free analysis for HVAC contractors. He can be reached at 866-914-2267 or e-mail to pdonihue@bedrockalliance.com.

Publication date:02/12/2007