By statistical standards, the Payment Card Industry Data Security Standard, which recently wrapped up its first full year as the merchant benchmark for protecting credit card numbers, has been a rousing success.
Adoption rates have never been higher. Visa recently reported that almost two-thirds of the nation's largest merchants have reached compliance, up from 36 percent one year ago. Arguably, the bigger and better news is that 99 percent of level-one and level-two merchants have confirmed that they are not storing prohibited data, such as CVV2 security codes (a three- or four-digit value printed on the card or signature strip) and PINs. Payment card officials say this type of information provides the most effective way for criminals to propagate ID theft.
Bob Russo, general manager of the PCI Security Standards Council, which promotes the standard, says that while the road toward compliance has been bumpy for some, merchants, particularly the largest 330 retailers, are willing and eager.
“The numbers are bearing out,” he says. “We're making a difference. There's no crying anymore saying, ‘Why do I have to do this?' They're now saying, ‘How do I do this?'”
But the picture is not all rosy. Brewing under the surface is a growing tension among the parties involved in securing credit card data. What has emerged in recent months is a conflict between merchants and banks over who should be responsible — not just for costs related to fraud and card reissuing in light of a breach, but also for protecting the data.
This discord got a boost following Visa's Sept. 30, 2007 deadline for level-one merchants to be compliant. Around the same time, the payment brand leader announced it would begin fining non-compliant companies $25,000 per month.
In the past, Visa's penalties were levied against businesses that experienced breaches. “It's these harder lines in the sand that have finally gotten everyone's attention,” says Mike Herman, chief compliance officer at Chase Paymentech, the world's largest merchant-acquiring bank.
Two days after the Visa deadline passed, David Hogan, chief information officer of the National Retail Federation, the retail industry's largest lobby representing some 1.6 million stores, wrote a letter to Russo and the PCI Council. Hogan contended that if retailers were not obliged to store card data for business purposes, such as chargebacks, there would be no incentive for hackers to attack. Merchants would also benefit by saving on compliance costs.
“[Retailer] frustration is, ‘Why am I spending this money? Why am I carrying the risk for something I don't want to store in the first place?'” Hogan says.
Ten days later, Visa responded. Eduardo Perez, Visa's vice president of payment system risk and compliance, pointed out that the payment company does not require merchants to store a cardholder's primary account number; instead, it encourages stores to keep that data in a truncated format.
In the letter, Perez made no mention of what is required by acquiring banks, which actually process the transactions.
Tom Borton, CISO for Cost Plus World Market, a high-end furniture chain, says acquiring banks require his business to hold onto data for 30 days. “In a perfect world, I'd much rather shift the risk over to them,” he says.
But Herman of Chase Paymentech says no rule exists that requires retailers to hold onto any data. Experts have said that many businesses opt to keep the data for recurring billing and returns.
Hogan proposed that credit card companies and their banks permit merchants to keep only authorization codes and truncated receipts. Critics, though, argue that customizing payment systems so they do not store card numbers could prove as costly and time-consuming as encryption and key management does today.
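The two positions above, Visa's preference for keeping the primary account number only in truncated form and Hogan's proposal that merchants retain nothing beyond authorization codes and truncated receipts, amount to a concrete data-retention shape. The following is an added example, not code from the article or from any of the parties quoted, that builds that retained record from a constructed post-authorization transaction and then audits a stored record for the data the standard prohibits (CVV2, PIN blocks, full PANs). Field names, the four-digit retention length and the sample values are assumptions for the example.

```python
import json
import re

# Constructed sample: the data a point-of-sale system holds right after an
# authorization. The PAN is a well-known test number, not a real account, and
# every other value is made up for this example.
RAW_TRANSACTION = {
    "pan": "4111 1111 1111 1111",
    "expiry": "12/29",
    "cvv2": "123",                    # sensitive authentication data
    "pin_block": "A1B2C3D4E5F60718",  # sensitive authentication data
    "auth_code": "Z7K9QX",
    "amount_cents": 4999,
    "merchant_ref": "ORDER-0001",
}

# Field names (assumed) that must never survive authorization in storage.
PROHIBITED_FIELDS = ("cvv2", "pin_block", "track1", "track2")

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a
# longer digit run. Candidates are confirmed with the Luhn check below.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test that card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str, keep_last: int = 4) -> str:
    """Keep only the final digits of a PAN; the rest is discarded, not masked."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a well-formed PAN")
    return digits[-keep_last:]


def retain_for_chargeback(raw: dict) -> dict:
    """Build the record a merchant keeps for chargebacks and returns.

    Only the authorization code, a truncated PAN, the amount and the merchant's
    own reference are copied; the full PAN and prohibited fields never reach
    the new record, so nothing has to be scrubbed later.
    """
    return {
        "auth_code": raw["auth_code"],
        "pan_last4": truncate_pan(raw["pan"]),
        "amount_cents": raw["amount_cents"],
        "merchant_ref": raw["merchant_ref"],
    }


def find_full_pans(text: str) -> list[str]:
    """Return Luhn-valid 13-19 digit sequences found in stored text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def audit_record(record: dict) -> list[str]:
    """List retention problems: prohibited fields, or a full PAN anywhere in the record."""
    problems = [f"prohibited field stored: {f}" for f in PROHIBITED_FIELDS if f in record]
    problems += [f"full PAN stored: {p}" for p in find_full_pans(json.dumps(record))]
    return problems


if __name__ == "__main__":
    print("raw record problems:", audit_record(RAW_TRANSACTION))
    kept = retain_for_chargeback(RAW_TRANSACTION)
    print("retained record:", kept)
    print("retained record problems:", audit_record(kept))
```

The audit deliberately scans the serialized record rather than trusting field names, so a full PAN that has drifted into a free-text field such as a note or reference is still caught; the same scan can be run over log lines or database exports that a merchant believes hold only truncated data.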
Don Rhodes, policy manager in payments and technology at the American Bankers Association, says merchants should be required to keep certain records. “That's the cost of doing business, as far as I'm concerned,” he says. “To maintain their brand, they have a responsibility to secure that information.”
Level-four merchants, the millions of retailers that process up to one million transactions each year, seem to have the best case when it comes to rebelling against PCI, experts say. Transitioning from legacy systems and deploying encryption solutions, whether done in-house or contracted out, is a costly proposition for a mom-and-pop shop. As it stands now, though, they are not required to validate compliance.
Meanwhile, most tier-one and tier-two retailers have accepted the fact that securing cardholder data is now a business priority, says Claude Gigoux, manager of networks and telecommunications at Princess Cruises.
He says that if companies are going to maintain and secure databases on their customers for marketing purposes, credit card numbers make up just another data field to protect.
“When we started PCI, it was a lot of work, so I can understand their reticence that it's going to cost a lot of money and take up a lot of time,” he says. “The other part of me says, ‘Shut up and stop whining and get your butts in gear.'”
For more on PCI, sign on to the next SC Magazine eConference & Expo: PCI Compliance, a unique online opportunity to meet with vendors and learn without leaving your desk. Click on www.sceconference2008.com.