March 24, 2006, 12:00 AM

Confusion prevents retailers from complying with data security standard

The majority of retailers still haven’t complied with the mandatory card industry data security standard because it is too complex and confusing, says Avivah Litan, vice president and director of research at Gartner Inc.



The Payment Card Industry Data Security Standard “reads like an all-encompassing security manual” rather than focusing on the protection of cardholder data, Litan says. In addition, the standard goes into “microscopic detail” on many requirements, for example, mandating that users change their passwords every 90 days.

“You look at this standard and you just can’t do every single thing,” she says. “If it becomes unmanageable, then no one does it.”

Retailers also are unclear about what impact outsourcing payment processing has on PCI compliance, Litan says. Under the card associations’ compliance programs, merchants fall into four levels based on annual transaction volume, and the validation requirements (an on-site assessment versus a self-assessment questionnaire, for example) vary depending upon the level.

Litan notes that if a merchant outsources 80% of its processing, it theoretically would drop into a lower level. Yet “merchants are left in the dark as to whether this is the case because they generally cannot get a clear answer from their (merchant banks),” she says.

However, Eduardo Perez, vice president of corporate risk and compliance at Visa U.S.A., says the card associations have gone to great lengths to educate merchants about the standard, including mailings and seminars discussing the PCI standard. Visa and MasterCard International, which helped develop the standard, also have posted the standard and related materials on their web sites.

“We have done quite a bit to educate the merchant community,” Perez says.

According to Visa, 17% of the 231 largest merchants are PCI compliant. Another 75% are working toward compliance and 8% have submitted no status reports on compliance. Visa has no statistics on smaller merchants, but industry observers say most haven’t adopted the standard.
