Enforcement of PCI data security rules is getting tougher, and changes coming in 2010 could raise the cost of compliance for many retailers.
Mark Wilson thinks it's important to guard his customers' credit card numbers. But without an information technology specialist at his small online retail business, Night-Gear Inc., he had about given up on achieving compliance with the PCI security standards designed to protect cardholder data.
After months of notices from a security service that his site did not meet the requirements of the Payment Card Industry Data Security Standard (notices he struggled to comprehend), Wilson was prepared to go on paying the small monthly fines his processor assesses non-compliant merchants.
Then he received an e-mail saying his site had passed the PCI scanning test.
"It was bizarre," Wilson says. "We get this congratulatory letter saying, 'You've done it.' Well, what have we done?"
A major challenge
Wilson's far from the only small merchant who's confused. In a recent survey by the National Retail Federation, 19% of non-compliant smaller merchants said they didn't understand PCI and another 26% said they lacked the financial or technical resources to meet the standard, which covers a dozen broad areas from physical and network security to protecting cardholder data and maintaining information security policies. PCI applies to online and offline retailers alike.
The same survey also showed 86% of the retailers felt at least somewhat familiar with PCI. That's a significant increase from the recent past, when small merchants largely ignored PCI, and stems from processors starting to impose fines on smaller non-compliant merchants, or at least threaten them, says David Taylor, founder of PCI KnowledgeBase, a PCI research community.
But it's not just small merchants paying more attention to PCI. The data security rules keep changing, imposing new requirements on retailers, their payment processors and software providers. One change taking effect next year will affect all retailers, and a second, larger merchants.
The first requires all payment software that handles cardholder data to comply with a subset of PCI, the Payment Application Data Security Standard. The second, a rule imposed by MasterCard that will affect virtually all card-accepting merchants, requires certain larger merchants (those in Level 2 of PCI's four-category schema) to use outside auditors for annual inspections, adding to the cost of PCI compliance.
Since few retailers are experts in the complex rules of PCI, the new rules and stricter enforcement mean merchants will be relying more heavily on technology vendors for help with PCI. Wilson's experience suggests that can be a daunting prospect.
Man in the middle
Night-Gear's saga began last fall when its processor, the CardService International unit of First Data Corp., added a $119.75 annual PCI compliance fee to its September bill and told Wilson that the fee included a year's worth of quarterly vulnerability scanning of Night-Gear's Internet-facing network, a requirement of PCI.
Wilson signed up for the free scans from vendor SecurityMetrics, and began receiving reports showing vulnerabilities in his site, which sells reflective apparel and lights for night-time activities. But Wilson couldn't understand the technical terminology in the reports or the explanations from SecurityMetrics' help desk. "It was geek to me," he jokes.
He turned for help to his web hosting company, IntuitSolutions, which told him that the flaws SecurityMetrics pointed out were not vulnerabilities, but standard features of the ProStores e-commerce platform Night-Gear uses. Feeling caught in the middle of three vendors, Wilson felt it was easier to pay the $19.95 monthly fine that CardService started charging last November than to pay experts to help him become PCI-compliant.
Then he got the notice that he was compliant. As far as Wilson knew, nothing had changed. But that may not be the case, says Wenlock Free, vice president of business development at SecurityMetrics.
Free says often when a company like his begins noting flaws, clients complain to the hosting company, which makes changes, some of them minor, to bring a system into compliance. IntuitSolutions, the web hosting company, declines to comment.
More to come
SecurityMetrics provides PCI-related services to 250,000 merchants, and Free says banks have provided SecurityMetrics with information on another 1.2 million merchants, a sign that more acquirers (the payment processors affiliated with banks that sponsor retailers into the Visa and MasterCard networks) will be mandating merchant compliance with PCI in coming years.
In a similar deal, First National Merchant Solutions, the merchant-acquiring arm of First National Bank of Omaha, announced last month that security company Trustwave would provide PCI scanning to First National retailers.
One merchant already using Trustwave for PCI scanning is Dave Taylor (no relation to the PCI expert of the same name), owner of online beef jerky retailer JerkyNet.com. Taylor says it took him less than half an hour to fill out the online Trustwave questionnaire about his security policies. That annual questionnaire and quarterly network scans are all that's required of smaller merchants to comply with PCI. Taylor says he pays Trustwave about $140 a year for the service.
Retailers like Wilson and Taylor fall into the Level 4 category of PCI, which encompasses smaller merchants that process no more than 20,000 e-commerce transactions or 1 million total transactions in a year. It's only been in the past year or so that banks and processors have started putting pressure on those merchants to fall in line with PCI.
But for larger merchants the mandates began to hit in 2005. Since then, vendors have introduced technology designed to minimize the cost of complying with PCI.
Don't hold data
PCI experts say one of the best ways for a retailer to reduce PCI compliance costs is to not hold cardholder data, because only retailer systems (networks, servers, databases and software) that hold cardholder data fall under PCI. No card data in a customer history database, for instance, means that database is excluded from PCI audits.
That's the approach Dreams Inc. has taken with its FansEdge.com e-commerce business that sells team sports apparel. All payment card numbers are stored by the e-retailer's payment processor, PayPal, says Mano Sivashanmugam, chief information officer at Dreams Inc.
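The scoping rule above only helps if a retailer can show that a system really holds no cardholder data; free-text notes and order fields are where primary account numbers (PANs) tend to leak into "non-payment" databases. The following is an added example, not code from the article or from any vendor it names: a small Python scanner that walks a customer-history export (a constructed sample, assumed to be a list of dicts) and flags any 13-19 digit sequence that passes the Luhn mod-10 check card networks apply to PANs, reporting only the last four digits so the report itself does not become cardholder data.

```python
"""Scope check: verify a non-payment datastore holds no primary account numbers.

Added example (not from the article). Assumes the datastore is exported as a
list of dicts; the records below are constructed for illustration.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the digit-only PAN candidates in text that pass Luhn."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep only the last four digits, so findings can be logged safely."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_records(records: Iterable[Dict[str, str]]) -> List[Tuple[int, str, str]]:
    """Return (record index, field name, masked PAN) for every PAN found."""
    findings = []
    for idx, rec in enumerate(records):
        for field, value in rec.items():
            for pan in find_pans(str(value)):
                findings.append((idx, field, mask(pan)))
    return findings


def in_scope(records: Iterable[Dict[str, str]]) -> bool:
    """A datastore that holds any PAN is in PCI scope."""
    return bool(scan_records(records))


# Constructed sample: a customer-history export that should hold no card data.
# 4111111111111111 is a widely used test number that passes Luhn. The order id
# is a 14-digit string that fails Luhn and the phone number is too short, so
# neither must be flagged.
SAMPLE_RECORDS = [
    {"customer": "A. Smith", "order_id": "20091112000041", "note": "gift wrap"},
    {"customer": "B. Jones", "phone": "402-555-0123",
     "note": "paid with 4111 1111 1111 1111"},
    {"customer": "C. Lee", "note": "refund to card ending 4242"},
]


if __name__ == "__main__":
    for idx, field, masked in scan_records(SAMPLE_RECORDS):
        print(f"record {idx} field {field!r}: PAN {masked}")
    print("IN SCOPE" if in_scope(SAMPLE_RECORDS) else "no cardholder data found")
```

The Luhn filter is what keeps order numbers and timestamps from drowning the report in false positives, but it is a sanity check, not proof: a scan that finds nothing shows only that no PAN-shaped data was present in the fields examined, so it complements, rather than replaces, the architectural choice of never writing card numbers to the system in the first place.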