The Compliance Dilemma
Retailers struggle with the card industry’s stringent—and confusing—data protection standard
For more than five years, the card industry has been pushing retailers to adopt strict measures to protect customers’ confidential data. Realizing that retailers balked at the time and money spent on meeting the security requirements of the different card companies, the industry adopted a single standard: the Payment Card Industry Data Security Standard. And it gave merchants a deadline for compliance: April 2005 for Visa and June 2005 for MasterCard.
Yet, despite those efforts, a year later the majority of online retailers still haven’t adopted the PCI standard. Only 17% of 231 large merchants have complied with the standard, according to Visa. Another 75% are working toward compliance and 8% have submitted no reports.
Visa has no statistics on how many smaller merchants are PCI compliant, but industry observers say the picture there is even worse: most haven’t adopted the standard and some haven’t even heard of it.
Some attribute the lack of compliance to the complexity of the standard: it has 12 rules and 200 detailed sub-requirements governing such practices as use of firewalls and encryption of stored data. It also requires annual security audits to ensure the retailer remains in compliance.
Merchant banks whose retailers aren’t PCI compliant could be fined up to $500,000. Typically, banks pass penalties along to the retailer involved. The merchant also faces loss of its card-acceptance privileges.
Under the standard, retailers fall into four categories based on transaction volume. Level one is composed of merchants that process 6 million transactions annually, while level four merchants process 20,000 or fewer transactions per year. The data security requirements vary depending upon the level.
“All along the path, there are many confusing points for merchants,” says Ken Leonard, CEO of ScanAlert Inc., a data security company. “They’re not aware of exactly what their responsibility is and exactly what the procedure is to meet the requirements.”
That was the experience of Newegg.com, a computer and consumer electronics retailer, which became PCI-compliant in September 2005. “We were not given pointers, just hundreds of rules and a deadline to meet under penalty of a large fine from Visa and MasterCard,” says Howard Tong, vice president. Tong says Newegg’s principal sources for information on the PCI standard were a security consulting company and payments processor First Data Corp. “We had to handle most of the requirements internally under our own initiative,” he says.
Much of the confusion and difficulty arise from the fact that the PCI standard “reads like an all-encompassing security manual” rather than focusing on the protection of cardholder data, says Avivah Litan, vice president and director of research at Gartner Inc.
In addition, the standard goes into “microscopic detail” on many requirements, for example, mandating that users change their passwords every 90 days. “You look at this standard and you just can’t do every single thing,” Litan says. “If it becomes unmanageable, then no one does it.”
Retailers also are unclear about what impact the outsourcing of payment processing has on their PCI compliance, she says. For example, if a merchant outsources 80% of its processing, it theoretically would drop into a lower category. Yet, “merchants are left in the dark as to whether this is the case because they generally cannot get a clear answer from their acquirers,” Litan says.
Indeed, the many layers of the card industry hamper the spread of information to merchants about the PCI standard, Leonard says. Because the card companies don’t have a direct relationship with merchants, they must rely on retailers’ merchant banks to relay information on PCI.
“We’ve worked with a lot of banks and the banks are overwhelmed,” he says. “They have this mandate to educate their merchants about the need for security, and they don’t have the staff to do it, they don’t have the expertise in-house to do it, so it ends up being done poorly.”
Many retailers also are unable to implement all the measures dictated by the standard, for example, encrypting stored data, Litan says. Yet the standards don’t specify alternative measures that could be used to protect data, she says.
What’s more, many retailers aren’t even aware the data security standard exists, says Scott Sweren, national practice manager for Fortrex Technologies Inc., a data security company. “If you don’t know they exist, you don’t know to look for information on how to comply,” he says.
Often a retailer first learns of PCI when it seeks out a payment processor or other third-party service provider, Sweren says. “The service provider may come back to the retailer and say ‘Are you certified?’” he says. “That’s when the question comes up. ‘What do you mean am I certified?’”
Retailers also are put off by the expense of implementing the PCI standard, Litan says. A Gartner study estimates that a company with at least 100,000 accounts can spend as much as $16 per customer account to implement PCI.
At Newegg.com and its subsidiaries, “we had numerous employees in multiple departments working around the clock for a significant period of time,” Tong says. “As one of the largest Internet retailers, we’re fortunate to have global resources to handle this type of challenge.”
Newegg also had to put on hold some back-end projects, including its implementation of new site search technology from Endeca Technologies Inc., Tong says. “We offer approximately 60,000 SKUs and implementing the proper tools on our web site to help customers locate products is critical,” he says. “However, we were strained in being required to comply with PCI first.”
Federal and state legislation
But while the costs of complying with PCI may be high, the costs of not complying are even higher, says Eduardo Perez, Visa USA’s vice president of corporate risk and compliance. Bills pending at the state and federal levels would penalize retailers that fail to protect customers’ confidential data, and the Federal Trade Commission recently began fining organizations that have had data compromises. “We’re not the only ones providing an incentive to merchants to comply with the PCI standard,” he says.