The credit card industry’s Payment Card Industry Data Security Standard is impractical and has left e-merchants confused about what steps they need to take for compliance, says Avivah Litan, vice president and research director at Gartner Inc.
PCI is the database protection standard endorsed by Visa, MasterCard, American Express, Discover and Diners’ Club.
Part of the problem lies in the fact that most e-merchants can’t meet all of the PCI standard’s 12 rules and 200 detailed sub-requirements and must put in place alternative security methods, Litan says. For example, small merchants might not be able to afford data encryption.
However, the standards don’t specify what alternatives could be used. “It’s like saying you have to only eat hamburger for lunch,” she says. “But if you can’t, what are the things you can eat? They don’t tell you that.”
The standards also are subject to too much interpretation by the third-party assessors that must validate whether a merchant is in compliance, according to Litan. “One assessor may say one thing, and another assessor may say another thing,” she says. “There’s just too much left open in terms of the standards not being defined.”
Many merchants also report that they haven’t yet been contacted by their merchant banks even though the deadline for compliance is past, Litan says. Merchant banks are required by Visa and MasterCard to monitor compliance schedules and are responsible for implementing the standards.
“The bottom line is that there are a lot more questions than answers (about the standards),” Litan says.
For its part, Visa continues to work with merchants to answer any questions about the standard, says Michael W. Yakel, vice president of new market development. “Merchant confusion can be solved by merchant education and dialog,” he says.