March 31, 2006, 12:00 AM

The Compliance Dilemma

(Page 2 of 2)

In addition, the bad publicity generated by a data breach can harm a retailer’s business, both online and offline.

Perez also objects to the charges that the card associations haven’t done enough to educate merchants. Both Visa and MasterCard have posted the standards and related materials on their web sites. Visa also has done mailings to retailers and conducted seminars about PCI around the country in conjunction with the U.S. Department of Commerce, Perez says.

Merchant education

“We have done quite a bit to educate the merchant community, especially with level one merchants,” Perez says. “We have some work to do with smaller merchants, but even there, there’s been a lot of communication to acquirers to help ensure that smaller merchants validate.”

Retailers with questions about PCI compliance should consult their merchant banks, says Jennifer Fischer, Visa U.S.A. compliance specialist. There are also steps retailers can take to make the PCI process easier.

“They can simplify what they need to do by reducing the amount of data they store, the duration of the storage, and the number of systems they store the data on,” she says.

Retailers also should store only the data that is essential to their business (name, account number or expiration date) and should destroy all obsolete data containing cardholder information. “In the vast majority of cases, the merchant really has no additional use for that information,” Perez says.

And merchants that use outside services to process payments or host their web sites should make sure that PCI compliance is part of the contracts. The Visa and MasterCard web sites have lists of compliant service providers.

The card companies also are trying to address retailers’ concerns about the cost of implementing PCI. MasterCard’s site has compiled a list of vendors that will provide merchants with free network vulnerability scans.

The associations also are working with e-commerce platform providers to incorporate data protection measures into their software so that retailers don’t have to add costly security measures after the fact.

Whatever the expense, retailers will have to adopt tough data protection measures if they want to see e-commerce continue to grow, Leonard says.

“Merchants see this as an added cost, an added burden, and that’s the wrong way for them to see it,” Leonard says. “The over-arching point here is that there is a big problem. And the merchants themselves have to clear it up.”

And a data breach can be much more costly, both in reputation and dollars, than setting up a secure site. Litan estimates a retailer with 100,000 accounts could spend at least $90 per account when data is compromised. Those costs could escalate if legislation mandating fines of up to $11,000 per exposed account is approved, she says. “Protecting your data is well worth the investment, with or without PCI compliance,” Litan says.

linda@verticalwebmedia.com
