Teaching Case: Do You Take Credit Cards? Security and Compliance for the Credit Card Payment Industry

1. INTRODUCTION

CIOs participating in Gartner's annual survey have ranked security technologies as a top-ten technology priority nearly every year since 2005 (Gartner, 2005; Gartner, 2006; Gartner, 2007; Gartner, 2008; Gartner, 2009; Gartner, 2010; Gartner, 2012; Gartner, 2013). What's more, among business priorities, improving business continuity, risk and security was a top-ten priority in 2011 (Gartner, 2011), and security breaches and disruptions were top-ten business priorities in 2005 and 2006 (Gartner, 2005; Gartner, 2006). No doubt, some of their security concerns include credit card use. Recently, Global Payments, a credit card payment processor, reported the concern that up to 1.5 million card numbers had been accessed by hackers (Pepitone, 2012). Despite data breaches, consumers are not dissuaded from acquiring and using credit cards. Estimates place the number of credit cards in the United States (U.S.) at 609 million and the volume of credit card purchases in 2011 at $2.1 trillion (2012 US Credit Cards Usage Statistics, n.d.).
It may come as a surprise to consumers, and to students, however, that many retailers don't accept credit cards. In fact, a survey of small businesses, defined as those with fewer than 250 employees, showed that under half accept credit cards (Dennis & William, 2008). One reason businesses don't accept credit cards may involve the perception that complying with credit card security requirements is both complicated and costly. There is no doubt that students in information systems classes need to have a firm understanding of the security requirements faced by businesses, large and small, and the negative consequences of business noncompliance. This knowledge, according to the 2009 White House Cyberspace Policy Review, can "help organizations ... make smart choices as they manage risk" (p. 13).
Students already understand the subject of credit card purchases through personal experience, and the PCI DSS standard makes for an accessible class activity involving data security. At the same time, the teaching case provides an opportunity to better understand PCI DSS and the ways in which small businesses can meet those security requirements.

2. BLUE MOUNTAIN JAMS SCENARIO

"Do you take credit cards?" the customer asked. That was a question the owners of Blue Mountain Jams were being asked over and over. Mary smiled, "Not yet but we are working on it. Hopefully, starting next month, we will." Once again, Mary wondered how much business they lost because they did not take credit cards. With the business growing, more and more people ask about paying by credit card. BMJ is losing customers by not having that payment option.
Located in the Blue Ridge Mountains of North Carolina, BMJ recording studio and retail store is the life ambition of the owners, John and Mary. Graduates of a local university with degrees in music and business, John and Mary have played the bluegrass scene in Western North Carolina, and especially Asheville, since their high school years. The success of the company is being inhibited by the need for customers to pay with cash or check.
"John, that's another customer asking about credit cards," Mary said once the shop emptied out. "We have got to deal with this now." John nodded in agreement. The thought of taking on another major project for the business was intimidating. Starting the studio was an expensive and exhausting enterprise; acting as both musicians and business owners is demanding. John and Mary struggled to raise the funds to get the venture started, and they knew that the step to credit cards was necessary to take the business to the next level.
There is no question of BMJ's success; John and Mary's music knowledge and contacts in the local bluegrass music scene allow for the development of an extensive repertoire of country and bluegrass music. As well, BMJ has a positive reputation for preserving the traditional music of the mountains. …