Payment card industry forcing retailers' hands
By Sandra Gittlen
Experts say now is the time to comply with PCI-DSS before facing down lawmakers.
In Summary:
• Costs of PCI compliance may seem steep, but they're minimal compared to potential liability should a breach expose customer data.
• State legislatures are adopting parts of the PCI DSS into new laws.
• Small and medium size retailers should contractually demand their service and software providers maintain PCI DSS compliance.
Midsize merchants are feeling the heat as the payment card industry and lawmakers seek to put teeth into mandates aimed at protecting customer data. While some retailers worry the mandates are too onerous, experts say they are less burdensome than suffering a catastrophic data breach.
The Payment Card Industry Data Security Standard (PCI DSS), which was introduced in 2005 and updated in 2006 by industry heavyweights such as American Express, Discover, MasterCard, and Visa, calls for retailers of all sizes to ensure their transaction and data storage systems are secure. If they fail to comply and customer information is compromised, retailers face fines from the credit card companies, and may also be liable to banks and other financial institutions for customer notification and card reissuing costs.
"The payment card industry as a whole can levy fines, and they do. They can even prohibit a business from accepting credit cards," says Chris Farrow, director of security vendor Configuresoft's Center for Policy and Compliance and a board member of the PCI Security Vendor Alliance, a council representing vendors and customers.
Last month, Minnesota Gov. Tim Pawlenty signed the Plastic Card Security Act into law, which includes the PCI DSS rule that retailers and other merchants cannot store sensitive credit and debit card data, such as verification codes, on their systems. The California State Assembly is also considering a bill introduced in June that includes PCI DSS language. Experts say this heightened pressure means that retailers have to quickly become familiar with PCI DSS requirements and start enforcing them in-house and through their outsourcers and application vendors.
"What PCI DSS is doing is making sure that merchants and their service providers are protecting cardholder data. It's not an outrageous goal," says John Pescatore, vice president and fellow at the Gartner research firm. He says that although the PCI assessment process is less demanding for Level 3 merchants, which Visa defines as those that process between 20,000 and 1 million e-commerce transactions per year, and Level 4 merchants, those that process fewer than 20,000 e-commerce transactions per year, the cost of compliance is still significant. Level 1 merchants are those that process more than 6 million transactions per year.
Assessment cost at least US$45,000
Version 1.1 of PCI DSS requires that Level 3 and Level 4 merchants fill out an annual self-assessment questionnaire and have quarterly network vulnerability scans performed by an Approved Scanning Vendor (ASV). Pescatore says the average cost for smaller companies to comply, including hiring a consultant and making sure the vulnerability assessment is done correctly, is at least US$45,000.
However, he says this is minimal compared to the cost of a data breach. For instance, if a midsize company exposes data on 100,000 accounts, the impact cost per account is $100 to $200. "You could end up spending $10 million in recovery costs, such as notifying customers and reissuing cards," he says.
According to PCI DSS, companies are expected to follow 12 requirements to guard against such data theft. They include guidelines for using firewalls, message encryption, access controls, and antivirus software. For instance, the standard says that companies must assign a unique ID to each person with computer access and cannot use vendor-supplied defaults for system passwords. While these practices might be commonplace in larger merchant operations, they are sorely lacking in smaller ones, Farrow says.
"PCI DSS has a long list of technology and security strategies that small and medium businesses cannot afford and have no expertise in," he says.
Version 1.1 of the standard calls on merchants not only to make sure that their own networks are compliant but that their payment gateways and all other service providers are adhering to the standard as well. Michael Gavin, security strategist at Security Innovation Inc. in Wilmington, Massachusetts, says small to midsize retailers "should be demanding that their application and service providers are PCI DSS compliant and will stay compliant by writing that into contracts."
Christopher McLendon, industry technology strategist for Microsoft's U.S. Retail and Hospitality Industry Group, says that while Microsoft does not work directly with customers to assess and verify their PCI DSS compliance, the company does work with third parties such as compliance assessors to review best practices when deploying Microsoft platforms and technologies. Microsoft also offers customers education through industry-sponsored events that focus on security topics, such as the annual CSO Summit in Redmond, Washington.
Microsoft helps small to midsize companies comply with PCI DSS through its operating systems, Microsoft Dynamics Retail Management System, and other platform technology and service offerings, according to McLendon. Customers also can leverage Microsoft's experience in technical compliance management by taking advantage of security offerings available through Microsoft Consulting and Premier Services.
McLendon says that the overall intent of PCI DSS is good for the industry and provides merchants with a common set of guidelines for protecting electronic payment information. "PCI DSS gives consumers the confidence they need to know that merchants accepting electronic payments are doing so in a verified, secure, and consistent fashion," he says.
Sandra Gittlen is a regular contributor to Momentum, the midsize business center newsletter.