WASHINGTON — The chief information officer for the National Retail Federation here has taken a highly critical view of the data security standard established by the credit card industry to safeguard consumer data, calling it “convoluted,” as well as “complex and hard to manage.”
In a telephone media briefing held March 9 on “The Real Cost of Data Security,” Dave Hogan, NRF's senior vice president and CIO, said retailers have been having considerable difficulty complying with the payment card industry data security standard (PCI DSS).
The standard was established in 2005 by the major card associations, including Visa, MasterCard and American Express, as a uniform approach that combined the security measures developed by each association individually. It is now managed by the PCI Security Standards Council, Wakefield, Mass., which the associations created last September.
The PCI DSS comprises 12 steps that retailers are expected to follow in order to securely handle and protect credit card data, such as building and maintaining a secure network and maintaining a vulnerability management program. In the past few months, retailers such as TJX and Stop & Shop have been involved in credit security breaches, the former involving back-end systems, the latter involving tampering with PIN pads at the POS.
According to Visa USA, San Francisco, 36% of level 1 retailers, which process more than 6 million card transactions annually, comply with PCI DSS. The compliance rate for level 2 retailers, which process between 1 million and 6 million annual card transactions, is 15%.
“Retailers have been slow to adopt PCI, but not due to a lack of trying,” said Hogan. “It's almost impossible to get direction [from the associations].”
Visa imposes fines for noncompliance on a retailer's bank, which can pass them on to the retailer. Under the latest Visa rules, banks that fail to get level 1 merchants to comply by Sept. 30 — or level 2 merchants to comply by year's end — risk fines of between $5,000 and $25,000 per month per retailer. Last year, Visa levied $4.6 million in PCI-related fines.
Even a retailer that is 100% compliant can be liable for losses in the event of a security breach, Hogan said, criticizing the “all-or-nothing” approach. “There's no safe harbor,” he said. Small banks are now pushing for legislation in states like Massachusetts, Connecticut and Rhode Island that would put even more of the responsibility for the cost of breaches on retailers.
Hogan said one of the primary challenges for retailers was receiving timely feedback from the card associations on whether they are in compliance with the standard. “Numerous retailers call me to see if NRF can help get answers on their status,” said Hogan. “They put in a request, and it's six months or longer before they get answers back.” In the meantime, he added, retailers waiting for answers may assume they are in compliance, but later find out they are not.
In a follow-up call last week with SN, Hogan said that although the card associations have unified behind the PCI Security Standards Council, retailers still need to check their PCI compliance status with each association whose cards are being processed at their stores.
Hogan said one reason for the associations' slow response time is that they have not invested in sufficient resources to support PCI. “We've got thousands of retailers asking questions, and only a handful of people answering them.”
One of the areas of confusion in the standard, noted Hogan, concerns wireless networks. Retailers initially invested in the Wired Equivalent Privacy (WEP) wireless encryption protocol, only to find out that PCI was going in a different direction, namely Wi-Fi Protected Access 2 (WPA2). “Guidelines can change on a whim,” he said, while deadlines for compliance remain the same.
Responding to Hogan's criticisms, Seana Pitt, executive chair, PCI Security Standards Council, said that while Hogan's concerns were valid, they are now “dated” with the formation of the council. “We have started to address these concerns under the council's leadership and are looking for industry organizations, including NRF, to join us so we can make the standard more effective. We are trying to get confusion and lack of responsiveness out of the marketplace.”
Pitt said the council has set up a technical working group that can answer questions retailers have on interpreting the PCI standard. “For easy questions, it would take about five days to respond,” she said. “For more challenging questions, it would take a little more time.” The council, she added, speaks for all of the five major credit card associations.
It is still up to the individual card associations to certify a retailer's compliance with the PCI standard, something that is outside the scope of the council, Pitt said.
NRF has been working with the card associations on improving PCI standards, and the associations are taking its concerns “under advisement,” said Hogan. He does credit the associations with at least unifying their disparate credit security standards under the PCI banner, a step NRF encouraged them to take at an industry meeting in 2003.