That forced FansEdge, a Level 2 retailer, to change some processes. For instance, even returning customers who log into the site have to reenter a credit card number at checkout because FansEdge does not retain the number. Similarly, a customer who calls about a purchase will have to provide the card number again, and agents are trained to explain that the retailer does not keep the card number in order to protect customer privacy, Sivashanmugam says.
"That was a big change within our web site and customer service procedures," he says. "We need to message in a way that our customers understand, and we're not hearing concerns from customers." The retailer retains a unique reference number for each transaction.
Another technique called tokenization is gaining popularity as a way for retailers to ensure they hold no credit or debit card numbers. Card numbers are automatically converted into a code, or token, which the retailer retains; its technology provider keeps the actual card number in encrypted form.
Consumer electronics manufacturer Pioneer Electronics (USA) Inc. is using tokenization technology from Paymetric Inc. to protect card numbers of customers purchasing at its e-commerce site, PioneerElectronics.com. Kevin Erlandson, director of applications at Pioneer, says he feels more secure because even if someone were to break into Pioneer's network all they would get would be meaningless codes, not actual card numbers.
To get card numbers, he says, they would have to break into Paymetric's system and crack the encryption code, "a pretty unlikely scenario." While he wouldn't say how much the service costs, Erlandson says it was easily justified.
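The split the article describes, as an added illustration that is not code from Pioneer, Paymetric or the article: the retailer's own records hold only a random token and the last four digits, while a separate vault standing in for the provider keeps the real card number encrypted under a key the retailer never sees. To stay within the standard library the vault's cipher is an HMAC-SHA256 counter-mode keystream, a stand-in for the vetted cipher (such as AES-GCM) a real provider would use; class names, the sample card number and the key are constructed for the example.

```python
import hashlib
import hmac
import secrets

class TokenVault:
    """Provider side: holds the real card number (PAN) encrypted under a key the
    retailer never sees, and hands the retailer a random token in its place."""

    def __init__(self, key: bytes):
        self._key = key
        self._store = {}  # token -> (nonce, ciphertext); no plaintext PAN here

    def _keystream(self, nonce: bytes, n: int) -> bytes:
        # HMAC-SHA256 in counter mode as a PRF keystream (stand-in for AES-GCM).
        out, ctr = b"", 0
        while len(out) < n:
            out += hmac.new(self._key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
            ctr += 1
        return out[:n]

    def tokenize(self, pan: str) -> str:
        token = secrets.token_hex(16)    # random, so it reveals nothing about the PAN
        nonce = secrets.token_bytes(16)  # fresh per record so keystreams never repeat
        ks = self._keystream(nonce, len(pan))
        self._store[token] = (nonce, bytes(a ^ b for a, b in zip(pan.encode(), ks)))
        return token

    def charge(self, token: str, cents: int) -> dict:
        # Detokenization happens inside the provider; the PAN never goes back to the retailer.
        nonce, ct = self._store[token]
        pan = bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct)))).decode()
        return {"approved": pan.isdigit() and len(pan) == 16, "cents": cents, "last4": pan[-4:]}


class Retailer:
    """Retailer side: keeps only the token, the last four digits and a reference number."""

    def __init__(self, vault: TokenVault):
        self.vault = vault
        self.orders = {}  # reference number -> token and last4, never the PAN

    def checkout(self, order_id: str, pan: str) -> str:
        token = self.vault.tokenize(pan)
        self.orders[order_id] = {"token": token, "last4": pan[-4:]}
        return token

    def holds_pan(self, pan: str) -> bool:
        # What an intruder on the retailer's network would find: tokens, not card numbers.
        return pan in repr(self.orders)
```

Because the token is random rather than derived from the card number, two checkouts with the same card produce different tokens, and a refund or repeat charge is requested by token so the number never flows back to the retailer.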
PCI poses a special challenge for retailers that develop their own software because that code must go through a rigorous review, unless it is protected by a firewall dedicated to that software.
Online auto parts retailer AutoAnything.com, which develops its own software and frequently updates it, has installed a WebDefend firewall from Breach Security Inc., which sits in front of the retailer's e-commerce application, monitoring data flowing in and out.
Not only does it help AutoAnything meet PCI requirements, but the retailer's network is protected continuously against possible hacker attacks by a company that specializes in network security, says Parag Patel, the e-retailer's chief technology officer. The software cost about $20,000, with an annual maintenance fee of about $1,200, Patel says.
While retailers can benefit from such vendor technology, they also must ensure their vendors meet PCI requirements. That's particularly an issue now that the July 2010 deadline looms for payment software to be PCI-compliant.
A bit nervous
That has Jim Poulin, chief technology officer at multichannel retailer Gardener's Supply, nervous about his Controller Plus order management software from Sigma-Micro. While the vendor says the software will be certified as compliant by the deadline, Poulin says, "If not, what does that mean for me?"
Sigma-Micro will meet the deadline, but it has a lot of work to do because two-thirds of the companies using Controller Plus have customized it over the more than two decades the software has been on the market, says Gerry Bailey, vice president of product development. That means each piece of customized software has to be upgraded and certified individually, Bailey says.
He says the certification process will cost Sigma-Micro $175,000-$200,000. Whether the vendor will charge a retailer for the changes will depend on the amount of work that client's software requires and whether the retailer has a current software maintenance agreement.
Retailers should be aware of the high cost vendors face to certify software, because they may try to pass on those costs, says Taylor of PCI KnowledgeBase. He encourages retailers, when signing software contracts, to demand guarantees that the vendor will maintain the software as PCI-compliant without extra fees.
Poulin, whose company is a level 3 retailer, also is aware that level 2 retailers will have to bring in outside PCI auditors as of the end of 2010, under the new MasterCard rule. Taylor says hiring outside auditors can cost $10,000-$30,000 per year for a merchant already PCI-compliant and more for a retailer meeting the standard for the first time.
One way to avoid reaching the level 2 threshold of processing 1 million Visa or MasterCard transactions a year is to add alternative payment methods, such as PayPal, that would reduce the number of card transactions.
"We've talked about that. If you could push 20% of transactions to those payment methods, that does take the pressure off of getting to level 2," Poulin says. But Poulin says his company hasn't adopted that strategy yet because it's not that close to reaching Level 2.
Surely, Visa and MasterCard didn't intend for PCI to drive merchants away from their brands. But as PCI compliance becomes more complex and expensive, retailers are sure to consider every possible way to ease the burden.