For six years, credit card companies have been threatening retailers with fines and loss of credit card status if they don’t comply with the payment card industry data security standards. And retailers have been routinely ignoring them.
Now that might be changing. The card companies recently upped their fines to as much as $25,000 a month for large merchants who don’t comply with the standards. And high-profile data breaches, such as the one that TJX Companies Inc. discovered in January, are raising consumers’ awareness that their payment data might not be secure, to the point that they might stop shopping at retailers where they perceive a threat.
A clear message
Retailers are getting a clear message from merchant banks, credit card companies and consumers that they need to get on board with security standards designed to protect credit card account and other data in consumer databases. The goal is to prevent the kind of theft that occurred at TJX, where criminals broke into computer systems in 2005 and 2006 and stole customer information from a network that handles credit card, debit card, check and merchandise-returns transactions.
Card companies say retailers can avoid data breaches like that by implementing the payment card industry data security standards, or PCI-DSS, as they’re known in the payment industry. The standards comprise 12 general requirements covering such measures as keeping systems current with vendors’ security patches, not retaining sensitive customer data such as magnetic-stripe track data or card verification codes once a transaction has been authorized, and encrypting the cardholder data that retailers do keep in databases.
It may be true that complying with payment security standards would prevent such data breaches, but doing so is not easy, and online retailers face many other pressing issues. “Most companies don’t want to spend money on security,” says Avivah Litan, a security technology expert at research and advisory firm Gartner Inc. “They’d rather spend it on revenue-generating projects.”
A recent Gartner survey of 50 retailers found that only one-third of the largest merchants, those the card companies classify as Level 1 because they process more than 6 million payment card transactions a year, were compliant with the payment card industry standards. “That’s certainly well below what it should be,” Litan says.
The difficulty of implementing the standards varies based on a retailer’s extent of operations and whether it sells through a single channel or multiple ones. “99% of this is common-sense stuff that retailers should have in place already,” says Robin Bonin, IT director for Golfballs.com Inc.
Golfballs.com, which sells mostly online but operates one store, complies with the payment industry standards and took extra steps to fix security holes in its data networks during a recent site re-design, Bonin says.
Hundreds of security issues
Other retailers find compliance more difficult. Most merchants prefer not to discuss payment security issues publicly, but Mallory Duncan, senior vice president and general counsel of the National Retail Federation, a trade group that represents large retailers, says many merchants find it hard to keep up with updated software and the other requirements of compliance. “Retailers are getting closer in line, but it’s a challenge,” he says.
Indeed, the 12 requirements break down into more than 200 specific controls that retailers may have to address, he adds. As a result, many retailers leave security standards compliance on their to-do lists.
Many retailers who have not experienced data breaches apparently operate under a false sense of security that their customer records are safe, Litan and other experts say. Such retailers wait until a highly publicized attack occurs at another retailer or until a merchant bank warns the retailer that it could get fined if it doesn’t get up to par with security, they say.
The unintended build-up
Retailers typically keep customer account data including name, billing address, credit card expiration date and the card verification code, the 3- or 4-digit number printed on the card that is separate from the account number and is meant to prove the physical card is present. Criminals can use all of those elements to make fraudulent transactions, which is why the standards bar retaining the verification code at all once a transaction has been authorized.
But instead of deleting transaction data after getting payment authorization and settlement from participating banks, some retailers hold it. “So they build up a huge repository of customer transaction data that can get hacked if not properly protected,” says John Bingham, director of the technology risk practice at Protiviti Inc., a company that conducts tests of retailers’ compliance with the card industry standards.
The risk is heightened when retailers store full-track data, or the information contained in the magnetic stripe on payment cards, which includes enough account information to create duplicate cards. “If there’s a golden rule, it’s: Don’t store track data,” says Rob Tourt, vice president of network services for Discover Financial Services LLC, which issues and handles transaction processing for the Discover Card, one of the sponsors of the data security standards.
But many retailers don’t even realize they’re storing track data, often because their store point-of-sale systems are designed so that the raw card swipe is written to a database automatically. “Unfortunately, merchants who are victims of database hacking often store track data without knowing it,” Tourt says.
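The practical check behind the two preceding points, retained transaction data and track data that nobody knew was being written, is to scan your own exports for what should not be there. The following script is an added example written for this article, not code from Discover, Protiviti or any retailer quoted here. It assumes records arrive as Python dictionaries (one per database row or log entry), uses simplified patterns for the ISO/IEC 7813 Track 1 and Track 2 layouts, and runs over a small constructed sample using the standard Visa and Mastercard test numbers rather than real accounts.

```python
"""Scan exported records for data that PCI DSS forbids storing after authorization:
full magnetic-stripe track data and clear-text PANs, particularly PANs kept next
to a card verification code. The records below are constructed for this example;
the PANs are the standard Visa and Mastercard test numbers, not real accounts."""
import re

# Track 1 (ISO/IEC 7813 format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")
# A bare run of 13-19 digits, optionally separated by spaces or dashes, is a PAN candidate
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Column names under which a security code is typically (and wrongly) persisted
CVV_FIELD_RE = re.compile(r"(?i)^(cvv2?|cvc2?|cid|csc|security_code)$")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test. Filters out order numbers and timestamps that merely
    look like a PAN; about one random digit string in ten still passes, so a hit
    is a candidate to verify, not proof."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Report PANs the way PCI DSS allows them to be displayed: first six, last four."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_record(record: dict) -> list:
    """Return (kind, field, masked_pan) findings for one record."""
    findings = []
    for field, value in record.items():
        text = str(value)
        for m in TRACK1_RE.finditer(text):
            findings.append(("TRACK1", field, mask_pan(m.group(1))))
        for m in TRACK2_RE.finditer(text):
            findings.append(("TRACK2", field, mask_pan(m.group(1))))
        if TRACK1_RE.search(text) or TRACK2_RE.search(text):
            continue            # the PAN inside track data is already reported
        for m in PAN_RE.finditer(text):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append(("PAN", field, mask_pan(digits)))
    # A verification code is only a finding when it sits beside card data it unlocks
    if findings:
        for field in record:
            if CVV_FIELD_RE.match(field):
                findings.append(("CVV", field, "***"))
    return findings


def scan_dump(records: list) -> dict:
    """Map record index -> findings, for records that hold prohibited data."""
    report = {}
    for i, rec in enumerate(records):
        hits = scan_record(rec)
        if hits:
            report[i] = hits
    return report


# Constructed sample export: what a POS or order database might contain
SAMPLE_RECORDS = [
    # Store POS wrote the raw swipe (both tracks) into a "swipe" column
    {"order_id": "1234567890123456",
     "swipe": "%B4111111111111111^DOE/JOHN^2512101000000000000000?"
              ";4111111111111111=25121010000000000?"},
    # Online order kept the PAN and the security code after settlement
    {"order_id": "1234567890123457", "card_number": "5555 5555 5555 4444",
     "cvv2": "123", "amount": "49.99"},
    # Truncated PAN and no security code: compliant, nothing to report
    {"order_id": "1234567890123458", "card_number": "555555******4444",
     "amount": "12.50"},
]

if __name__ == "__main__":
    for idx, hits in scan_dump(SAMPLE_RECORDS).items():
        for kind, field, pan in hits:
            print(f"record {idx}: {kind} in column '{field}' ({pan})")
```

Run against a real export, the scanner reports only masked PANs, so the report itself does not become another copy of the data you are trying to eliminate. The Luhn filter keeps 16-digit order numbers from drowning the results, but a hit on a column you did not expect (a free-text notes field, a debug log table) is exactly the "storing it without knowing it" case Tourt describes and should be traced back to the POS or application that wrote it.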
At the same time, criminals continue to develop more sophisticated methods of cracking into and stealing that data-creating demand for more sophisticated security technology and policies.
Weighing the costs
The cost of implementing PCI standards depends on such factors as the volume of transactions a merchant handles; the state of a merchant’s infrastructure of computer databases, networks and security software; and its policies. A smaller merchant might spend $120,000 to get outfitted with data encryption software and other basic security tools, while a Level 1 merchant could spend $700,000, Litan says. But that’s just for security-related tools themselves, she adds. The cost of updating overall technology systems to comply with payment data security standards can run into millions of dollars, experts say, when new software systems require new and more robust hardware to run them.
Still, the overall cost of complying with PCI standards can be less than the cost of a security breach in terms of damage to a retailer’s brand, lost customers and a decline in sales, Litan adds.