Merchants need to better protect consumer card data - and fast. But with a summer deadline looming to comply with card industry security standards, the work to get them up to speed is going to be taxing on smaller banks and merchant acquirers.
Many merchants must upgrade their applications systems to implement the Payment Card Industry Digital Security Standard (PCI-DSS), a card association regulation mandating the proper handling of consumer card data.
"It's a hot topic for acquirers," says T.K. Cheung, vice president of global quality and security for terminal manufacturer Hypercom Corp. "You're looking at thousands of devices that [may] be under a sunset date to meet these security requirements."
Though card-security standards have existed for years, many merchants were unaware of them. Others did not want to spend the money to meet the standards.
Industry observers have long complained that the majority of smaller merchants still are not PCI compliant.
A Verizon Business survey released in April 2009 found that among firms that have had data breaches, 81 percent were noncompliant with PCI prior to the breach.
"You have to presume that by July 1, probably 20 percent of retailers are still not going to be compliant," says Paul Martaus, a leading payments industry consultant, adding that many of the terminals in use today are too old to manage the PCI-compliant applications.
Also by the July 1 deadline, merchants must ensure that cardholder PINs are encrypted from the point of the transaction to the issuer.
But Jeff Wakefield, vice president and general manager, global security solutions for payment terminal firm VeriFone, says he doesn't expect the card associations to begin levying fines for noncompliance until 2012.
Aaron McPherson, a research analyst with IDC Financial Insights, says the compliance deadline has ramped up pressure on merchants to move forward, not because of possible fines from the card networks, "but because of the liability for breaches." He points to rising interest in merchant-based security tools like tokenization, where businesses replace a consumer's card number with an alternative reference number or digital token to use in the transmission or storage of payment data. "Tokenization wouldn't be any easier for them to implement" for PCI compliance, says McPherson, "but we may start seeing some outsourced offerings where an acquirer takes over all responsibility for security and processing; in essence, placing their own hardware at the POS and controlling all the processing from the swipe to the card network connection."
Terminal manufacturers have been working with merchant acquirers and independent service organizations to make it easier for merchants to become compliant. In October 2009, Hypercom announced a new unit to promote the use of encryption technology within the payments industry. Around the same time, processor Chase Paymentech LLC partnered with VeriFone so that it could offer encryption products to its merchant clients.
Michelle Wagner, vice president for global marketing at Elavon, the merchant acquiring subsidiary of U.S. Bancorp, says her company is focused primarily on educating merchants about PCI-DSS these days. Elavon already handles merchant acquiring for more than 1,500 banking companies, including Regions Financial Corp. and SunTrust Banks.
"For our [bank partners], it gets rid of the risk and the responsibility, but they still have those relationships and get a portion of the revenue," Wagner says. "We are Oz behind the curtain."
As the deadline approaches, Martaus says, "everyone is getting a feeling of angst." Though the bigger bank-owned merchant acquirers, like Elavon and Chase Paymentech, are fully committed to complying, "it's still a huge, huge, huge task to get this done."