News Story From April 1, 2006

Retailers struggle with the card industry’s stringent—and confusing—data protection standard

By Linda Punch

For more than five years, the card industry has been pushing retailers to adopt strict measures to protect customers’ confidential data. Realizing that retailers balked at the time and money spent on meeting the security requirements of the different card companies, the industry adopted a single standard—the Payment Card Industry Data Security Standard. And it gave merchants a deadline for compliance—April 2005 for Visa and June 2005 for MasterCard.

Yet, despite those efforts, a year later the majority of online retailers still haven’t adopted the PCI standard. Only 17% of 231 large merchants have complied with the standard, according to Visa. Another 75% are working toward compliance and 8% have submitted no reports.

Complexity

Visa has no statistics on how many smaller merchants are PCI compliant, but industry observers say the picture there is even worse—most haven’t adopted the standard and some haven’t even heard of it.

Some attribute the lack of compliance to the complexity of the standard—it has 12 rules and 200 detailed sub-requirements governing such practices as use of firewalls and encryption of stored data. It also requires annual security audits to ensure the retailer remains in compliance.

Merchant banks whose retailers aren’t PCI compliant could be fined up to $500,000. Typically, banks pass penalties along to the retailer involved. The merchant also faces loss of its card-acceptance privileges.

Under the standard, retailers fall into four categories, based on transaction volume. Level one is composed of merchants that process 6 million transactions annually while level four merchants process 20,000 or fewer transactions per year. The data security requirements vary depending upon the level.

“All along the path, there are many confusing points for merchants,” says Ken Leonard, CEO of ScanAlert Inc., a data security company. “They’re not aware of exactly what their responsibility is and exactly what the procedure is to meet the requirements.”

That was the experience of Newegg.com, a computer and consumer electronics retailer, which became PCI-compliant in September 2005. “We were not given pointers, just hundreds of rules and a deadline to meet under penalty of a large fine from Visa and MasterCard,” says Howard Tong, vice president. Tong says Newegg’s principal sources for information on the PCI standard were a security consulting company and payments processor First Data Corp. “We had to handle most of the requirements internally under our own initiative,” he says.

Much of the confusion and difficulty arises from the fact that the PCI standard “reads like an all-encompassing security manual” rather than focusing on the protection of cardholder data, says Avivah Litan, vice president and director of research at Gartner Inc.

Microscopic detail

In addition, the standard goes into “microscopic detail” on many requirements, for example, mandating that users change their passwords every 90 days. “You look at this standard and you just can’t do every single thing,” Litan says. “If it becomes unmanageable, then no one does it.”

Retailers also are unclear about what impact the outsourcing of payment processing has on their PCI compliance, she says. For example, if a merchant outsources 80% of its processing, it theoretically would drop into a lower category. Yet, “merchants are left in the dark as to whether this is the case because they generally cannot get a clear answer from their acquirers,” Litan says.

Indeed, the many layers of the card industry hamper the spread of information to merchants about the PCI standard, Leonard says. Because the card companies don’t have a direct relationship with merchants, they must rely on retailers’ merchant banks to relay information on PCI.

Overwhelmed

“We’ve worked with a lot of banks and the banks are overwhelmed,” he says. “They have this mandate to educate their merchants about the need for security, and they don’t have the staff to do it, they don’t have the expertise in-house to do it, so it ends up being done poorly.”

Many retailers also are unable to implement all the measures dictated by the standard, for example, encrypting stored data, Litan says. Yet the standards don’t specify alternative measures that could be used to protect data, she says.

What’s more, many retailers aren’t even aware the data security standard exists, says Scott Sweren, national practice manager for Fortrex Technologies Inc., a data security company. “If you don’t know they exist, you don’t know to look for information on how to comply,” he says.

Often a retailer first learns of PCI when it seeks out a payment processor or other third-party service provider, Sweren says. “The service provider may come back to the retailer and say ‘Are you certified?’” he says. “That’s when the question comes up. ‘What do you mean am I certified?’”

Retailers also are put off by the expense of implementing the PCI standard, Litan says. A Gartner study estimates that a company with at least 100,000 accounts can spend as much as $16 per customer account to implement PCI.

At Newegg.com and its subsidiaries, “we had numerous employees in multiple departments working around the clock for a significant period of time,” Tong says. “As one of the largest Internet retailers, we’re fortunate to have global resources to handle this type of challenge.”

Newegg also had to put on hold some back-end projects, including its implementation of new site search technology from Endeca Technologies Inc., Tong says. “We offer approximately 60,000 SKUs and implementing the proper tools on our web site to help customers locate products is critical,” he says. “However, we were strained in being required to comply with PCI first.”

Federal and state legislation

But while the costs of complying with PCI may be high, the costs of not complying are even higher, says Eduardo Perez, Visa USA’s vice president of corporate risk and compliance. Bills pending at the state and federal levels would penalize retailers that fail to protect customers’ confidential data, and the Federal Trade Commission recently began fining organizations that have had data compromises. “We’re not the only ones providing an incentive to merchants to comply with the PCI standard,” he says.

In addition, the bad publicity generated by a data breach can harm a retailer’s business, both online and offline.

Perez also objects to the charges that the card associations haven’t done enough to educate merchants. Both Visa and MasterCard have posted the standards and related materials on their web sites. Visa also has done mailings to retailers and conducted seminars about PCI around the country in conjunction with the U.S. Department of Commerce, Perez says.

Merchant education

“We have done quite a bit to educate the merchant community, especially with level one merchants,” Perez says. “We have some work to do with smaller merchants, but even there there’s been a lot of communication to acquirers to help ensure that smaller merchants validate.”

Retailers with questions about PCI compliance should consult their merchant banks, says Jennifer Fischer, Visa U.S.A. compliance specialist. There are also steps retailers can take to make the PCI process easier.

“They can simplify what they need to do by reducing the amount of data they store, the duration of the storage, and the number of systems they store the data on,” she says.

Retailers also should store only data that is essential to their business—name, account number or expiration date—and should destroy all obsolete data with cardholder information. “In the vast majority of cases, the merchant really has no additional use for that information,” Perez says.

And merchants that use outside services to process payments or host their web sites should make sure that PCI compliance is part of the contracts. The Visa and MasterCard web sites have lists of compliant service providers.

The card companies also are trying to address retailers’ concerns about the cost of implementing PCI. MasterCard’s site has compiled a list of vendors that will provide merchants with free network vulnerability scans.

The associations also are working with e-commerce platform providers to incorporate data protection measures into their software so that retailers don’t have to add costly security measures after the fact.

Whatever the expense, retailers will have to adopt tough data protection measures if they want to see e-commerce continue to grow, Leonard says.

“Merchants see this as an added cost, an added burden, and that’s the wrong way for them to see it,” Leonard says. “The over-arching point here is that there is a big problem. And the merchants themselves have to clear it up.”

And a data breach can be much more costly, both in reputation and dollars, than setting up a secure site. Litan estimates a retailer with 100,000 accounts could spend at least $90 per account when data is compromised. Those costs could escalate if legislation mandating fines of up to $11,000 per exposed account is approved, she says. “Protecting your data is well worth the investment, with or without PCI compliance,” Litan says.

http://www.internetretailer.com/article.asp?id=18112

Copyright © 2006 This content is the property of Vertical Web Media.