Card Security: Banks to Merchants: Toe the Line

It's not time for tough love yet. But card associations, banks and processors are in the heart-to-heart phase of dialogue with their card-accepting merchant clients about efforts to comply with the Payment Card Industry's digital security standard.


Under pressure from card associations and a new PCI standards council, financial firms are trying to get retailers up to speed, or in touch with specialists that will correct, where necessary, the way in-store credit-card information is handled. The message is especially urgent for small businesses that lack experience with encryption or data-access privileges, or that have no idea how much improperly stored card data is sitting in their terminals or PCs.

While no new draconian sanctions or enforcement plans are on the table, retailers are being told in no uncertain terms that tolerance of sloppy standards is evaporating, and that data-breach liability, civil and otherwise, should be and is starting to drift their way.

"They don't have to understand encryption; they don't have to understand hashing; and they don't have to understand truncation," says Bob Russo, general manager of the PCI Security Standards Council, a body of issuers, card associations, retailers and other payments firms setting up the certification processes for PCI compliance. "But they do have to understand if I do have somebody's credit card number, I [cannot] pass it around in the clear."

Due dates for compliance have already come and gone, but industry surveys and studies show that barely half of Tier 1 merchants (those with six million-plus transactions a year) are compliant with the dozen PCI standards. A recent report on PCI DSS from TowerGroup notes that only 40 percent of Level 1 merchants are compliant.

But it's even worse for small companies: only 19 percent of Level 4 merchants (those with fewer than 20,000 processed card transactions a year) reported being in line with PCI, according to a survey by EMC's RSA Security division. "The two biggest pain points are around encrypting the data ... and managing the encryption keys," says Dave Howell, RSA senior manager of PCI Solutions.

TowerGroup bank card senior analyst Brian Riley's best guess is that it will take at least two years to build a "totally secure" environment for card-data protection in the small to medium-sized business space.

The PCI compliance checklist includes determining access control, maintaining an information-security policy, and conducting regular tests of systems and network firewalls. Under compliance guidelines, Level 1 merchants must have onsite security-assessment reviews and network-security scans by approved third-party firms. Merchants with more than 20,000 transactions a year are required to hire qualified vendors to conduct network-security checks.

Riley says banks, both acquiring and issuing, are stepping in with products to help clients. US Bancorp, NOVA Information Systems and Chase Paymentech, for example, are offering compliance-assurance programs for Level 4 merchants. "What U.S. Bank is doing is pretty common in the industry," says Riley. "First Data and TSYS are doing that, too." TowerGroup says 41 percent of all data breaches in 2006 (totaling more than 150,000 reported cases) were the responsibility of retailers. The average cost of a data breach, according to a new report from the General Accounting Office, is about $1.4 million each, including the cost of notification letters, call-center operations, courtesy offers and legal fees.

Riley expects card companies to go easy on smaller merchants, in terms of compliance enforcement, for now. "It will be kind of like not having your seat belt buckled," he says.

(c) 2007 U.S. Banker and SourceMedia, Inc. All Rights Reserved. http://www.us-banker.com http://www.sourcemedia.com
