Understanding the arduous task of PCI compliance
Web merchants shouldn’t underestimate the time and cost needed to remain fully compliant with Payment Card Industry data security standards, says Steve Weiskircher, vice president of information technology at Crutchfield.
Web merchants shouldn’t underestimate the time and cost needed to remain fully compliant with Payment Card Industry, or PCI, data security standards, said Steve Weiskircher, vice president of information technology at Crutchfield Corp., June 4 at the 2007 Internet Retailer Conference & Exhibition in San Jose.
The PCI Data Security Standard, originally developed by Visa and MasterCard and administered since 2006 by the PCI Security Standards Council, sets requirements for the handling of credit card information, classifies merchants by transaction volume and specifies how retailers must validate their compliance. Merchants are responsible for the security of cardholder data and must not store sensitive authentication data after a transaction is authorized, such as the full contents of a card's magnetic stripe, the three- or four-digit card verification code, or PIN data, whether in their own systems or in those of their third-party service providers. Merchants also are liable for any damages that result from a data security breach or other noncompliance with the standard.
Crutchfield, No. 89 in the Internet Retailer Top 500 Guide, has spent about $230,000 over several years, including an investment of $110,000 in new hardware and software, to remain in compliance with the standards, Weiskircher said. Crutchfield began studying PCI standards compliance as early as 2003, but as late as 2005 still had trouble getting basic answers from the bank card associations on deadlines and auditing procedures. “There was a lack of available and consistent information at the start,” he told conference attendees.
Crutchfield spent two years becoming compliant with the PCI standards. Over time the company spent about $70,000 on an intrusion detection system, $20,000 on a visitor management system, and $10,000 on expanded video surveillance and router and firewall upgrades. “Take time to understand the specific requirements and don’t underestimate the time required to get everything in order,” he advised.
The move to full PCI standards compliance “forced a review of the business requirements we used in handling payments,” Weiskircher added. But the process also helped Crutchfield institute better ways to handle sensitive customer information and set security priorities. “Information security is an extension of our customer service,” he said. “Customers trust us to protect their data.”