Retailers fume over PCI security rules

Claim credit card firms shift burden to them

Several retailers this week bristled at having to comply with the Payment Card Industry's Data Security Standard, complaining that they carry an unfair burden in securing credit card data.

In interviews and speeches at the annual ERIexchange retail event in San Diego, executives also complained that implementing the standards are costly and could alienate customers.

The companies face heavy fines and increased transaction rates for noncompliance with the PCI standards.

Steve Methvin, director of store systems at Bi-Lo, a grocery chain of about 230 stores in the southeastern U.S., called on the credit card companies themselves to do more to make cards more secure -- such as adding a PIN.

He said the credit card companies decline to take such steps to avoid complaints from customers.

"The responsibility for a safe environment is not mutual," said Methvin, who sat on a panel at the show. "It seems like we're being forced to provide an easy experience for Visa and MasterCard at our own expense. It's frustrating. It seems like we're investing money in areas" that customers don't care about.

Bi-Lo has so far met all the deadlines for compliance with the rules, he noted.

The standards were created by five major credit card companies -- Visa International, MasterCard Worldwide, American Express Co., Discover Financial Services and Tokyo-based JCB -- to protect credit card data before, during and after transactions, PCI officials said.

Ongoing development of the standard is now managed by the PCI Security Standards Council, which was set up by the credit card companies last September.

The standard includes a dozen security controls, including encryption, transaction logging and monitoring, along with authentication and access controls.

The standard went into effect in June 2005.

Robert Fort, director of IT at Virgin Entertainment Group in Los Angeles, said that while the controls imposed by PCI are sound, the organization should have worked more closely with the retail community to implement them.

"Much of the PCI standard [includes] good, solid network and security policies," he said, though he added that "some of it is over the top" and can be confusing.

He also contended that the costs of meeting the requirements do nothing to boost a retail company's bottom line. "There's no direct return on investment," he said. "It will not help us sell CDs."

The cost of compliance will vary depending on a retailer's particular network, its security procedures and its IT infrastructure, he said.

Glenn Kriczky, vice president of IS at Associated Wholesalers, said that convincing store managers of the benefits of the PCI rules can be difficult. "It's the customer we have to be concerned about," he said.

The food cooperative provides IT services to independent retail stores. "It's tough to convince [retail store owners that PCI compliance] is important," he said. "It's only important when something happens."

Bob Russo, general manager of Wakefield, Mass-based PCI council, said the standard combines best practices from each of the five founding companies and outlines them in clear detail. "It tells them exactly what they need to do to be secure," he said.

Russo also noted that just last month, 14 large organizations, including major retailers like Wal-Mart Stores and U.K.-based Tesco Stores were elected to be the first members of an advisory board to the PCI.

The board members will be responsible for collecting industrywide feedback on the data security standard and influencing changes to it, officials said.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about American Express AustraliaMastercardTescoVisaVisa InternationalWakefieldWal-Mart

Show Comments