With updated PCI security mandates on the way, the PCI Council considers new data-protection methods.
Marty Tippin and his wife started AllThreads.com seven years ago, selling materials to embroiderers and others who like to work with needles and sewing machines. Tippin is a software engineer who handles the back-end technical tasks for the mom-and-pop site.
But there was one thing Tippin eventually decided he could not deal with himself: Making sure the site has the technology and protocols in place to safeguard the transaction data of AllThreads customers.
Like merchants of all sizes that accept payment cards, whether they sell on the web or in stores, the Tippins must comply with the Payment Card Industry Data Security Standard or risk fines from the card brands should criminals manage to steal data and use card numbers for fraud. Merchants also face fines from acquirers for failing to comply with PCI rules or filing required reports.
With data-security requirements regularly changing, the Tippins this year hired a vendor, CRE Secure Payments LLC, to handle transaction security. The Tippins pay $50 monthly.
"I thought I could do it myself," Tippin says. "But I would have had to have gone with dedicated servers and dedicated firewalls, and there is so much documentation and auditing you need to do. The more I dug into it, the more I knew it was beyond our scope."
It is easy to see why the ever-shifting sands of PCI drive retailers small and large to outsource data security. And with those sands set to shift again in the next few months, new technology that can help online retailers secure card data is moving closer to the mainstream, offering another path to PCI compliance.
More rule changes
The rule changes include one imposed by Visa Inc. and set to take effect on Oct. 1 that requires online merchants, even smaller ones that so far may have escaped strict PCI scrutiny, to deploy PCI-compliant systems for credit and debit card transactions. Punishment includes fines, higher transaction fees or frozen merchant accounts.
Then there is a new rule from MasterCard Worldwide that tells merchants in the PCI Level 2 category—generally, larger merchants, but not as big as those in Level 1—to hire outside auditors for annual PCI compliance inspections.
That's not to say all upcoming rule changes will make life more difficult and costly for merchants. The newest round of changes would enable merchants to prioritize their card security vulnerabilities, says Bob Russo, general manager of the PCI Security Standards Council, a group formed by credit card companies to manage and promote understanding of PCI. That doesn't mean merchants could ignore potential security holes, but that the council would let retailers focus first on the most important upgrades for the specific sector the retailer serves.
This new and ongoing round of rule changes—the council manages the rules while the card brands enforce them—also will include non-binding guidelines for tokenization, a technology that replaces card numbers with substitute values, called tokens. The retailer stores only the tokens and keeps no actual card data on hand; the real card numbers are held by the retailer's tokenization vendor, which alone can map a token back to a card number. About 30 vendors offer tokenization services, Russo says. And observers say more retailers are considering the technology, though it is difficult to say how many have adopted it.
"There is tremendous interest in using tokenization as a way to limit the scope of PCI audits. I do see evidence that more companies are actually implementing it as well, based on my client calls," says Avivah Litan, a security technology analyst at research and advisory firm Gartner Inc. "There is more interest, however, than there is experience, but the situation should change within a year so that we have large numbers of implementations."
Different vendors do tokenization in different ways, with some, for instance, masking different parts of the card numbers than others. "There is no standard for tokenization yet," Russo points out. The guidelines will offer examples of different types of tokenization and how the technology is used, and offer a checklist that will enable a retailer to gauge how close it is to compliance. Russo would not rule out an eventual PCI standard for tokenization.
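The following is an added illustration of the mechanism described above, not code from CRE Secure, the PCI Council or any vendor named on this page. It models the vendor's token vault and the merchant's order store as two separate Python objects, so it is visible which side ever holds a real card number. The Luhn check, the rule that tokens must fail Luhn, the `keep_bin` option (standing in for the vendor-to-vendor differences in which digits are preserved) and the Visa test number used as input are all assumptions of this example.

```python
"""Toy tokenization: the merchant keeps tokens, the vendor's vault keeps the PANs.

Added illustration; not any vendor's implementation. The vault is an in-memory
dict here; a real vault encrypts PANs at rest and lives in the vendor's
PCI-assessed environment, outside the merchant's.
"""
import secrets
import string


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check that every card brand applies to a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Stands in for the tokenization vendor: the only party that stores real PANs."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}   # same PAN -> same token (repeat customers)

    def tokenize(self, pan: str, keep_bin: bool = False) -> str:
        """Return a token of the PAN's length that preserves only the last four digits
        (and, with keep_bin, the first six: vendors differ on which digits they keep,
        and keeping the BIN shrinks the space of possible tokens)."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed card number")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        head = pan[:6] if keep_bin else ""
        tail = pan[-4:]
        while True:
            middle = "".join(secrets.choice(string.digits)
                             for _ in range(len(pan) - len(head) - len(tail)))
            token = head + middle + tail
            # Reject tokens that pass Luhn: a leaked token then cannot be mistaken for a
            # PAN, and it is guaranteed to differ from the PAN it replaces (which passes).
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def charge(self, token: str, amount_cents: int) -> dict:
        """Vendor side: detokenize and forward to the processor; the merchant gets a receipt."""
        pan = self._pan_by_token[token]           # KeyError on an unknown token
        # ... the processor call using `pan` would go here (not modelled) ...
        return {"token": token, "amount_cents": amount_cents,
                "card": "*" * (len(pan) - 4) + pan[-4:]}


class MerchantOrders:
    """What the merchant's own database holds: tokens and display data, never a PAN."""

    def __init__(self, vault: TokenVault) -> None:
        self.vault = vault
        self.orders: list[dict] = []

    def checkout(self, order_id: str, pan: str, amount_cents: int) -> dict:
        token = self.vault.tokenize(pan)          # PAN goes to the vendor and is then dropped
        receipt = self.vault.charge(token, amount_cents)
        order = {"order_id": order_id, "token": token, "last4": pan[-4:],
                 "amount_cents": amount_cents, "card": receipt["card"]}
        self.orders.append(order)
        return order

    def refund(self, order_id: str) -> dict:
        order = next(o for o in self.orders if o["order_id"] == order_id)
        # Refund to the original card without ever handling its number again
        return self.vault.charge(order["token"], -order["amount_cents"])


def scope_contains_pan(orders: list[dict], pan: str) -> bool:
    """Audit check: does any stored merchant field contain the full PAN?"""
    return any(pan in str(v) for o in orders for v in o.values())


if __name__ == "__main__":
    TEST_PAN = "4111111111111111"   # constructed input: Visa's public test number, Luhn-valid
    vault = TokenVault()
    shop = MerchantOrders(vault)
    print(shop.checkout("A1", TEST_PAN, 1999))          # token and ****1111, no PAN
    print(scope_contains_pan(shop.orders, TEST_PAN))    # False: PAN is out of merchant scope
```

The scope-reduction argument in the text rests on the last function: after checkout, nothing the merchant stores contains the card number, so the merchant's database, backups and logs fall outside the systems that store cardholder data, while the vault remains fully in scope for the vendor. The `keep_bin` flag is there to show why "no standard for tokenization" matters to a buyer: a token that preserves the first six and last four digits looks more like a card number, reveals the issuer, and leaves only the middle digits to randomize.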
Finally, the PCI Council announced in June that it will update each of its three standards every three years; one already was on a three-year cycle, but the other two were revised every two years, meaning more frequent changes to retailers' systems and practices to keep up. The council said it made the changes after merchants, banks and processors asked for more time to meet the requirements of the standards.
All this change takes place as an August report from Visa Inc., a council founder, shows that compliance rates remain high but are flat for the largest merchants. 96% of Level 1 merchants, the largest retailers, complied with the standard in the August report, virtually unchanged from the previous month. Compliance for Level 2 merchants stands at 95%. As for the two categories that include the smallest merchants, Visa said only that the compliance rates were "moderate."
Merchants that process at least 1 million payment card transactions per year, those in Level 2, can pay on average $103,000 annually to comply with PCI rules, according to an April survey of payment security auditing firms by The Ponemon Institute. Smaller retailers can do self-assessments that keep compliance costs down.
The point of PCI is to prevent data breaches, and those can be very costly. The Ponemon Institute says breaches can cost businesses $204 per customer record compromised. And a survey this year from Javelin Strategy & Research said that 43% of fraud victims avoid merchants after having personal data stolen.
Like AllThreads, some online merchants start off trying to comply with PCI on their own but then find the work too difficult or time-consuming as the sands keep shifting.
When TheaterMania.com's acquirer, the company that funnels purchase transactions into payment networks, started applying more pressure about the increasingly strict payment card security requirements some three or four years ago, the ticketing services vendor decided to beef up its protections by relying on the expertise of in-house employees, says David Stanke, chief technology officer.