March 31, 2006, 12:00 AM

The Compliance Dilemma

(Page 2 of 2)

In addition, the bad publicity generated by a data breach can harm a retailer’s business, both online and offline.

Perez also objects to the charges that the card associations haven’t done enough to educate merchants. Both Visa and MasterCard have posted the standards and related materials on their web sites. Visa also has done mailings to retailers and conducted seminars about PCI around the country in conjunction with the U.S. Department of Commerce, Perez says.

Merchant education

“We have done quite a bit to educate the merchant community, especially with level one merchants,” Perez says. “We have some work to do with smaller merchants, but even there there’s been a lot of communication to acquirers to help ensure that smaller merchants validate.”

Retailers with questions about PCI compliance should consult their merchant banks, says Jennifer Fischer, Visa U.S.A. compliance specialist. There are also steps retailers can take to make the PCI process easier.

“They can simplify what they need to do by reducing the amount of data they store, the duration of the storage, and the number of systems they store the data on,” she says.

Retailers also should store only data that is essential to their business (name, account number or expiration date) and should destroy all obsolete data with cardholder information. “In the vast majority of cases, the merchant really has no additional use for that information,” Perez says.

And merchants that use outside services to process payments or host their web sites should make sure that PCI compliance is part of the contracts. The Visa and MasterCard web sites have lists of compliant service providers.

The card companies also are trying to address retailers’ concerns about the cost of implementing PCI. MasterCard’s site has compiled a list of vendors that will provide merchants with free network vulnerability scans.

The associations also are working with e-commerce platform providers to incorporate data protection measures into their software so that retailers don’t have to add costly security measures after the fact.

Whatever the expense, retailers will have to adopt tough data protection measures if they want to see e-commerce continue to grow, Leonard says.

“Merchants see this as an added cost, an added burden, and that’s the wrong way for them to see it,” Leonard says. “The over-arching point here is that there is a big problem. And the merchants themselves have to clear it up.”

And a data breach can be much more costly, both in reputation and dollars, than setting up a secure site. Litan estimates a retailer with 100,000 accounts could spend at least $90 per account when data is compromised. Those costs could escalate if legislation mandating fines of up to $11,000 per exposed account is approved, she says. “Protecting your data is well worth the investment, with or without PCI compliance,” Litan says.

linda@verticalwebmedia.com
