March 16, 2006, 12:00 AM

PCI data-protection standard said to be too broad for retailer compliance

Retailer compliance with the Payment Card Industry Data Security Standard won’t become widespread until the card associations streamline the process, says Avivah Litan, vice president and research director at Gartner Inc.

PCI is the data protection standard mandated by Visa, MasterCard, American Express, Discover and Diners Club for merchants accepting credit and debit cards.

“The reason it’s not being adopted is that it’s way too broad in scope,” Litan says. “The standard reads like a ‘Best Practices in Security’ manual which, while laudable, goes beyond the immediate goal of protecting cardholder data.”

At the same time, the standard is too detailed in some areas and not detailed enough in others, she says. The standard goes into “microscopic detail” in some areas, for example mandating that users change their passwords every 90 days, a decision better left to the retailer, Litan says.

But there also is no prioritization of the 12 rules and 200 detailed sub-requirements of the standard. “You look at this standard and you just can’t do every single thing,” she says. “If it becomes unmanageable, then no one does it.”

Retailers who aren’t PCI compliant face penalties of up to $500,000 and could lose card-accepting privileges.

Only 17% of the 231 largest merchants have complied with the Payment Card Industry Data Security Standard, according to Visa. Another 75% are working toward compliance and 8% have submitted no reports.

Visa has no data on how many small to mid-size merchants are PCI compliant.
