Criminals also obtained the associated expiration dates, giving thieves the information they would need to make an online purchase on some e-commerce sites. E-retailers ...
The Compliance Dilemma
(Page 2 of 2)
In addition, the bad publicity generated by a data breach can harm a retailer’s business, both online and offline.
Perez also objects to the charges that the card associations haven’t done enough to educate merchants. Both Visa and MasterCard have posted the standards and related materials on their web sites. Visa also has done mailings to retailers and conducted seminars about PCI around the country in conjunction with the U.S. Department of Commerce, Perez says.
“We have done quite a bit to educate the merchant community, especially with level one merchants,” Perez says. “We have some work to do with smaller merchants, but even there there’s been a lot of communication to acquirers to help ensure that smaller merchants validate.”
Retailers with questions about PCI compliance should consult their merchant banks, says Jennifer Fischer, Visa U.S.A. compliance specialist. There are also steps retailers can take to make the PCI process easier.
“They can simplify what they need to do by reducing the amount of data they store, the duration of the storage, and the number of systems they store the data on,” she says.
Retailers also should store only data that is essential to their business (name, account number or expiration date) and should destroy all obsolete data with cardholder information. “In the vast majority of cases, the merchant really has no additional use for that information,” Perez says.
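The two recommendations above (keep only the fields the business needs, and destroy cardholder data once it is obsolete) can be enforced mechanically. The following Python script is an added illustration, not code from the article or from Visa or MasterCard. It assumes a hypothetical 90-day retention window (the article gives no figure), a record layout of the editor's own choosing, and a constructed sample store using the well-known test card numbers; the audit function is the piece a practitioner would actually keep, since it reports any stored field outside the essential set and any entry older than the window.

```python
from datetime import date, timedelta

# Fields the article lists as essential to the business; everything else is dropped.
ESSENTIAL_FIELDS = {"name", "account_number", "expiration_date"}

# Assumption: a 90-day retention window. The article gives no figure; this is a
# placeholder for whatever the merchant's own policy says.
RETENTION_DAYS = 90


def minimize(record):
    """Return a copy of a cardholder record keeping only the essential fields."""
    return {k: v for k, v in record.items() if k in ESSENTIAL_FIELDS}


def purge_obsolete(entries, today, retention_days=RETENTION_DAYS):
    """Drop entries whose last use is older than the retention window."""
    cutoff = today - timedelta(days=retention_days)
    return [e for e in entries if e["last_used"] >= cutoff]


def audit(entries, today, retention_days=RETENTION_DAYS):
    """Return a list of policy violations found in the store (empty means clean)."""
    cutoff = today - timedelta(days=retention_days)
    problems = []
    for e in entries:
        extra = set(e["data"]) - ESSENTIAL_FIELDS
        if extra:
            problems.append(f"{e['id']}: non-essential fields stored: {sorted(extra)}")
        if e["last_used"] < cutoff:
            problems.append(f"{e['id']}: last used {e['last_used']}, older than {retention_days} days")
    return problems


def apply_policy(entries, today, retention_days=RETENTION_DAYS):
    """Purge stale entries, then minimize every surviving record; returns the cleaned store."""
    kept = purge_obsolete(entries, today, retention_days)
    return [{**e, "data": minimize(e["data"])} for e in kept]


# Constructed sample store (not real customer data): one entry carries fields the
# business does not need, the other has not been used within the retention window.
TODAY = date(2006, 6, 1)
SAMPLE_STORE = [
    {"id": "cust-1", "last_used": date(2006, 5, 20),
     "data": {"name": "A. Example", "account_number": "4111111111111111",
              "expiration_date": "12/08", "phone": "555-0100",
              "shipping_address": "1 Example St"}},
    {"id": "cust-2", "last_used": date(2005, 11, 1),
     "data": {"name": "B. Example", "account_number": "5555555555554444",
              "expiration_date": "06/07"}},
]


if __name__ == "__main__":
    print("violations before:", audit(SAMPLE_STORE, TODAY))
    cleaned = apply_policy(SAMPLE_STORE, TODAY)
    print("violations after:", audit(cleaned, TODAY))
```

Run as a scheduled job, the audit output is the evidence that the retention policy is actually being applied, which is what a merchant bank or assessor will ask for; the purge should run before minimization so that stale records are destroyed whole rather than trimmed and kept.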
And merchants that use outside services to process payments or host their web sites should make sure that PCI compliance is part of the contracts. The Visa and MasterCard web sites have lists of compliant service providers.
The card companies also are trying to address retailers’ concerns about the cost of implementing PCI. MasterCard’s site has compiled a list of vendors that will provide merchants with free network vulnerability scans.
The associations also are working with e-commerce platform providers to incorporate data protection measures into their software so that retailers don’t have to add costly security measures after the fact.
Whatever the expense, retailers will have to adopt tough data protection measures if they want to see e-commerce continue to grow, Leonard says.
“Merchants see this as an added cost, an added burden, and that’s the wrong way for them to see it,” Leonard says. “The over-arching point here is that there is a big problem. And the merchants themselves have to clear it up.”
And a data breach can be much more costly, both in reputation and dollars, than setting up a secure site. Litan estimates a retailer with 100,000 accounts could spend at least $90 per account when data is compromised. Those costs could escalate if legislation mandating fines of up to $11,000 per exposed account is approved, she says. “Protecting your data is well worth the investment, with or without PCI compliance,” Litan says.