Compliance Management, Patch/Configuration Management, Vulnerability Management

Visa PCI deadline looms for tier-one merchants

Merchants seem dedicated to reaching Payment Card Industry (PCI) compliance, but a number of significant hurdles will prevent all level-one merchants from reaching Sunday's Visa-imposed deadline, PCI experts said today.

Sunday is the day when the approximately 330 retailers who qualify as level-one merchants, meaning they process more than six million credit card transactions each year, must meet the 12-step PCI data security standard. If not, they face higher processor fees and fines of up to $25,000 per month.

As of July, close to 40 percent of level-one merchants were compliant, according to Visa. The company did not release its latest figures today and said it would not know how many merchants met Sunday's deadline until next week.

"I think the major holdup is all the tier-ones are biggies," Steve Schlarman, chief compliance strategist at Brabeion Software, told SCMagazineUS.com. "It's the big guys who have the substantial infrastructures and it's a lot to get your arms around."

But Bob Russo, general manager of the PCI Security Standards Council, responsible for driving awareness and adoption of the standard, said deadlines have already passed for all merchant levels to validate compliance and many seem anxious to follow the new rules.

"What you're seeing now is different attempts by the brands to light fires under people," he told SCMagazineUS.com today. "The deadlines have already passed. You need to be compliant now. If you get hammered [by a breach] and you're found to not be in compliance, you're in trouble."

But the road to compliance is an arduous one, PCI solutions providers said today. Hold-ups include the data protection and testing requirements, said David Taylor, vice president of data security strategies at Protegrity and president of the 50 member-plus PCI Security Vendor Alliance.

Companies are having difficulty locating sensitive data and deploying encryption solutions, he told SCMagazineUS.com today.

"There's lots of legacy data out there," Taylor said.

When it comes to testing, automated tools are making it easy to locate vulnerabilities, but merchants then face a complex task to resolve problems, he said.

Another barrier to compliance comes from assessors, who must conduct on-site audits of level-one merchants each year.

"Some assessors are very no-nonsense and strict when it comes to compliance," Taylor said. "If you get an assessor who is strict, it can become difficult to [attain compliance]."

Meanwhile, another onerous challenge that awaits companies is transitioning from legacy systems to PCI-compliant software and hardware.

"If you think about fast food or gas stations, a lot of them are still using old DOS-based systems where software is still storing full credit card numbers," said Matt Clark, director of compliance reporting at Voyence, provider of automated change and configuration management software that checks on network devices.

"It takes a long time to get in there and it's costly to rip out those systems and put in new compliant software," he said.

Whether Visa begins issuing fines on Monday morning should be the last concern on merchants' minds, Russo said.

"If you get hammered by somebody, what does it do to your brand?" he said. "What does it do to your customer base? That's gotta be [much] more costly than whatever a fine is going to levy."

And not all merchants are looking to Sunday's deadline – level-two merchants face a Dec. 31 deadline – as the end of the road.

"A lot of the customers we're talking to are worried about sustaining compliance rather than fulfilling the requirements," said Tony Thompson, director of communications for change control software provider Solidcore. "They want to be able to improve their other IT operations and make their spend in this area valuable."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.