A full year after the deadline, a majority of large merchants face potential fines because they still aren't in compliance with a data security standard created by major credit card companies including American Express, Discover, MasterCard and Visa.
The Payment Card Industry (PCI) standard lays out requirements for securing networks, protecting cardholder data and auditing security systems regularly. The PCI rules, which went into effect June 30, 2005, prescribe enforcement policies and penalties for noncompliance, depending on the volume of credit card transactions handled.
According to the standard, noncompliant merchants and payment processors can face as much as US$500,000 in fines per incident if cardholder data is compromised. In addition, the card associations can revoke noncomplying companies' credit card processing privileges.
Despite the threat of penalties, only 22 percent of the largest merchants are PCI compliant today. Visa expects that number to climb dramatically in the second half of this year, says Eduardo Perez, vice president of corporate risk and compliance at Visa USA.
In addition to the 22 percent of merchants that are compliant, 72 percent of the largest merchants -- those that handle more than 6 million Visa transactions per year -- have conducted an initial PCI report, identified their deficiencies and have a remediation plan in place to achieve full compliance. By year-end, Visa estimates two-thirds of the top-tier retailers will be in full compliance. "We've made a lot of progress -- and we have a lot of work ahead of us," Perez says.
A lack of communication is partly to blame for the delays in PCI adoption, says Avivah Litan, a vice president at Gartner. Some merchants still aren't aware of the PCI standard, and many that know about it are unclear about its significance. "Every merchant wants to know how seriously they need to take this," she says.
To bolster compliance, credit card organizations have been making an effort to educate businesses about PCI. For example, Visa and the U.S. Chamber of Commerce last month launched a 12-city tour designed to help small merchants use the standard to improve data security and reduce fraud.
The PCI standard encompasses a range of technologies, including encryption, access control, and activity monitoring and logging devices. There also are procedural requirements, such as creating and documenting security policies. Continuing compliance requires annual or quarterly audits by a PCI-certified assessor.
By most accounts, database encryption is the most difficult technical component to implement. "The encryption requirements have always been the main stumbling block -- and for good reason" Litan says. "Just about every client I talk to that has started an encryption project can't get very far with it, even though they want to. It's a multiyear applicationrewrite proposition."
Encrypting card data also is expensive. Gartner estimates a company with 100,000 customer accounts can spend US$6 per account to roll out data encryption appliances. Adding host-based intrusion-prevention software and a strong rotation of security audits can bring the tally to $16 per customer account.
Still, the cost to protect customer data is just a fraction of the cost of a data breach, Litan says. Companies will spend at least US$90 per customer account if data is compromised or exposed during a breach, according to Gartner.
The firm based its calculations on a real-world incident: After exposing 145,000 customer accounts to an illegitimate source, data broker ChoicePoint last year reported US$11.4 million in related charges. Factoring in the cost of subsequent system and process modifications, Gartner estimates the cost to ChoicePoint at about US$90 per exposed account.
Armed with numbers like these and the PCI mandate, IT staff can make a strong case for increased security funds, Litan says. "This is giving the security department a good reason to ask for more budget," she says.
Jen Heil, vice president of technology at MonsterCommerce in St. Louis, agrees. MonsterCommerce deployed encryption hardware from nCipher as part of a project to retool its database structure to allow for more segregation and better protection of credit card information. At the same time, IT staff at the hosted e-commerce provider used PCI as the impetus to document its existing security policies and processes better -- something Heil had wanted to do but had never been able to make a priority. "PCI gave us an excellent means to focus on it and put some top resources on it," she says.
The credit card associations have imposed very few fines for PCI noncompliance, Visa's Perez says. That may be changing.
The credit card companies have indicated they intend to get tougher on laggards, starting with those that store a copy of the data contained in a card's magnetic stripe after a transaction is authorized (which PCI prohibits). "They know who's storing it, what software packages are keeping it, and they're really going after that," Litan says.
For some, the anticipated emphasis on magnetic-stripe data is a welcome sign that PCI creators are going to provide guidance on what aspects of the standard are high priority. The way the standard reads today, all provisions are treated equally, Litan says. She expects PCI's creators may address some prioritization issues in an updated version of the standard, which could be completed by the end of the summer or this fall.
The upgraded standard also is expected to contain new provisions for conducting software code reviews, identifying all outside parties involved in payment transactions and ensuring merchant data in hosted environments is adequately partitioned.
Until the standard is revised and merchants get the PCI guidance they need, it doesn't make sense for the credit card associations to start doling out fines, Litan says. "If they start levying big fines without improving the standard, then it will become an unfair situation."
At the same time, if PCI's enforcers stay lenient for too long, they're going to lose credibility with the merchants. "If everyone thinks they're not taking this seriously, then no one is going to pay attention," Litan says.