To meet a June 30 deadline, retailers need to assess whether they comply with a new security standard set by the credit card associations, though not all merchants are convinced the fines for noncompliance are justified.
Fines set by the associations for not complying with the new standard, called the Payment Card Industry (PCI) Data Security Standard, will run as high as $500,000. The fines are levied on a retailer's merchant bank, though the bank would likely pass them on to the retailer.
The PCI standard, designed to quell consumer concerns about the rise of identity theft, was jointly developed by MasterCard and Visa and endorsed by American Express, Discover, JCB and Diners Club.
For Hy-Vee, West Des Moines, Iowa, most of the changes required for compliance with the standard involved documenting existing security controls rather than changing systems, according to John Briggs, senior vice president, chief financial officer and treasurer, Hy-Vee, and chairman of Food Marketing Institute's electronic payment systems committee. Still, his reaction to the standard is mixed.
"I think it's a good idea that there aren't different [security] requirements" for different associations, said Briggs, "but it would have been nice to have had some [retailer] input in the process. We have a long-established relationship with the [credit card associations] and then we're notified that we're expected to meet their expectations and they decided to establish a punitive penalty right along with it."
The penalty is especially troubling to Briggs since the credit card associations have the final say. "We think that we're compliant, but our compliance is ultimately for [credit card associations] to decide," he said. "We feel that there is enough subjectivity that it's hard to know if you're compliant."
Joy Nicholas, principal, Cascade Retail Technologies, Potomac Falls, Va., observed that the standards are not complicated.
"But they're very time consuming and require auditing processes that can be very expensive," she said. "I would think the majority of big retailers would have most of the [security] procedures in place, but the medium-to-small retailers, as well as wholesalers, may not."
The PCI standard comprises 12 basic requirements (see chart on this page) grouped under six goals: building and maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining an information security policy.
Retailer validation requirements vary by card transaction volume and by whether a company has experienced a security breach in the past. Validation takes the form of some combination of on-site audits by an independent security assessor, quarterly network scans by a PCI-approved scan vendor, and self-assessment questionnaires.
"The retailer can go through one audit and self-assessment and satisfy the requirements" for multiple credit card associations, said John Verdeschi, vice president, advanced payments, MasterCard. "We've created one unified vision for the industry of how data should be secured."
Retailers must submit information that validates their compliance to their merchant bank. Fines for retailer noncompliance would be passed from the credit card association to the merchant bank, which could pass them on to the retailer.
It is the responsibility of the member bank to submit validation reports to each of the credit card associations to confirm retailer compliance. Compliance, not the submission of validation results, is required by June 30.
Confusion surrounding the standard has been a common industry complaint.
"A current frustration is the fact that bank processors are communicating [compliance] information to retailers," said Bill Greer, spokesman for Washington-based FMI. He suggests that credit card associations communicate directly with retailers.
"In some cases a retailer may not know if they have to comply with a particular [sales-volume-based] requirement. They get information from one merchant bank that suggests they do and from another that suggests they don't," he said. "It makes it extremely difficult to figure out what's expected of them."
Since June 2001, Visa has mandated retailer compliance with its Cardholder Information Security Program (CISP), while MasterCard developed a Site Data Protection (SDP) program in 2003. These programs have been aligned with the PCI standard.
According to Verdeschi, MasterCard's enforcement policy proactively penalizes noncompliant companies rather than imposing a fine only after a security breach has occurred. MasterCard declined to comment on its fine structure. Visa's fines run as high as $500,000.