By Vicki Tedeschi
After a massive security breach two years ago, retailing giant TJX Cos. Inc. had to confess the problem to 45.7 million customers and face fines from Visa Inc. and MasterCard Worldwide for failing to handle data properly.
Not many merchants have enough customers to err on the scale of that retailing giant, but data security remains crucial even at the smallest store.
The TJX experience can play out on a scaled-down stage for any merchant that accepts credit and debit card information, says Greg Beasley, president of National Payment Systems LLC, a Dublin, Ohio-based independent sales organization.
And the potential for fraud does not appear likely to abate any time soon. "It's a growing area of concern," says Beasley.
Large merchants typically have been upgrading and updating their systems to ensure compliance with data-security procedures set by the Payment Card Industry Security Standards Council to ward off data breaches, says Patrick Raycroft, partner at Chicago-based W. Capra Consulting Group, advisors for retail technology, retail petroleum and quick-service restaurants.
Retailers with fewer stores may prove slower to get started with PCI.
"Smaller merchants haven't taken the time to figure it out, but they face the same risk as the big merchants," Raycroft says. "If there was a breach, there would still be an impact."
He urges all merchants to assess their risk and take a stand. "You don't want your name in the headlines," he warns.
Larger organizations usually understand their compliance requirements, says Dan Glennon, senior vice president of marketing and strategy for Cybera Inc., a Franklin, Tenn.-based network and security provider for retailers and restaurants.
"Smaller merchants who may own a couple gas stations or one store are typically less well-informed on PCI," Glennon says.
Size aside, he adds, every retailer should be concerned. "Every business has the same amount of risk in terms of customers' information being breached or stolen," Glennon says.
The card brands scrutinize larger organizations more closely, he says.
At the very least, merchants should follow PCI guidelines.
The procedures cover storing and handling customer information, including credit card numbers.
Education First
"The first thing we do is directly educate merchants on cardholder data security and PCI," says Mike Williams, vice president of merchant services at Tallahassee, Fla.-based Capital City Bank.
The bank works directly with the more than 1,900 merchants in its portfolio. While Visa and MasterCard offer PCI training, Williams says Capital City has developed its own internal policy and procedures.
"We hold ourselves accountable for educating our customers at the time of the merchant sale," Williams says.
At National City Payments, agents attend a mandatory class covering merchant requirements and security compliance, Beasley says.
"We don't expect our salespeople to go out and be experts, but we do want to educate our merchants," he says. "We consider salespeople the ISO's front line in educating merchants."
Capital City requires its sales agents to obtain the merchant's signature verifying that the agent discussed data-security standards.
Agents also provide booklets explaining PCI requirements and policies to merchants, he adds.
The requirements are divided by tiers as set by Visa and MasterCard.
Tiers are based on dollar volume of credit cards that are processed, says John Hervey, executive director of the Alexandria, Va.-based Petroleum Convenience Alliance for Technology Standards. "The higher your volume, the more stringent the requirements are regarding your compliance," Hervey says.
A retailer that averages 100 transactions per day at $1,000, however, may face the same risk as a retailer that averages 1,000 transactions daily at $10 per transaction, Glennon says.
The Basics
At the very least, merchants should know what tier they fall under and what the PCI security requirements are for that tier, Beasley says. This often can be confusing to merchants, he adds.
"It's very confusing, but it's also dangerous. It can prove costly to the merchant if he's not in compliance," Beasley says.
Failure to comply can trigger monthly fines and, in some cases, the card brand may reassign a merchant to another tier.
"That's why merchants need to understand what they need to do to be in compliance," Beasley adds.
Some merchants believe the acquirers should shoulder the responsibility to ensure security, Hervey says.
"That's not the case at all," he says. "It goes back to educating retailers about what they need to do."
Card issuers hold retailers responsible for all problems, Glennon says. "It's the responsibility of the merchant to make certain that the actions they take to achieve compliance don't transfer risk," he says.
Merchants should monitor PCI requirements, Raycroft says.
"The compliance requirements are evolving all the time," Raycroft says. "They change every three to six months. Card associations are becoming more strict over time."