New PCI data security rules coming in 2010 and threats of fines loom over web retailers
by Don Davis
Mark Wilson thinks it's important to guard his customers' credit card numbers. But without an information technology specialist at his small online retail business, Night-Gear Inc., he had about given up on achieving compliance with the PCI security standards designed to protect cardholder data.
After months of notices from a security service that his site did not meet the requirements of the Payment Card Industry Data Security Standard—notices he struggled to comprehend—Wilson was prepared to go on paying the small monthly fines his processor assesses non-compliant merchants.
Then he received an e-mail saying his site had passed the PCI scanning test.
"It was bizarre," Wilson says. "We get this congratulatory letter saying, 'You've done it.' Well, what have we done?"
A major challenge
Wilson's far from the only small merchant who's confused. In a recent survey by the National Retail Federation, 19% of non-compliant smaller merchants said they didn't understand PCI and another 26% said they lacked the financial or technical resources to meet the standard, which covers a dozen broad areas from physical and network security to protecting cardholder data and maintaining information security policies. PCI applies to online and offline retailers alike.
The same survey also showed 86% of the retailers felt at least somewhat familiar with PCI. That's a significant increase from the recent past when small merchants largely ignored PCI, and stems from processors starting to impose fines on smaller non-compliant merchants or at least threaten them, says David Taylor, founder of PCI KnowledgeBase, a PCI research community.
But it's not just small merchants paying more attention to PCI. The data security rules keep changing, imposing new requirements on retailers, their payment processors and software providers. One change taking effect next year will affect all retailers, and a second will affect only larger merchants.
The first requires all payment software that handles cardholder data to comply with a subset of PCI, the Payment Application Data Security Standard. The second, a rule imposed by MasterCard, whose cards virtually all card-accepting merchants take, requires certain larger merchants—those in Level 2 in PCI's four-category schema—to use outside auditors for annual inspections, adding to the cost of PCI compliance.
Since few retailers are experts in the complex rules of PCI, the new rules and stricter enforcement mean merchants will be relying more heavily on technology vendors for help with PCI. Wilson's experience suggests that can be a daunting prospect.
Man in the middle
Night-Gear's saga began last fall when its processor, the CardService International unit of First Data Corp., added a $119.75 annual PCI compliance fee to its September bill and told Wilson that fee included a year's worth of quarterly vulnerability scanning of Night-Gear's Internet-facing network, a requirement of PCI.
Wilson signed up for the free scans from vendor SecurityMetrics, and began receiving reports showing vulnerabilities in his site, which sells reflective apparel and lights for night-time activities. But Wilson couldn't understand the technical terminology in the reports or the explanations from SecurityMetrics' help desk. "It was geek to me," he jokes.
He turned for help to his web hosting company, IntuitSolutions, which told him that the flaws SecurityMetrics pointed out were not vulnerabilities, but standard features of the ProStores e-commerce platform Night-Gear uses. Feeling caught in the middle of three vendors, Wilson felt it was easier to pay the $19.95 monthly fine that CardService started charging last November than to pay experts to help him become PCI-compliant.
Then he got the notice that he was compliant. As far as Wilson knew, nothing had changed. But that may not be the case, says Wenlock Free, vice president of business development at SecurityMetrics.
Free says often when a company like his begins noting flaws, clients complain to the hosting company, which makes changes, some of them minor, to bring a system into compliance. IntuitSolutions, the web hosting company, declines to comment.
More to come
SecurityMetrics provides PCI-related services to 250,000 merchants, and Free says banks have provided SecurityMetrics with information on another 1.2 million merchants, a sign more acquirers—the payment processors affiliated with banks that sponsor retailers into the Visa and MasterCard networks—will be mandating merchant compliance with PCI in coming years.
In a similar deal, First National Merchant Solutions, the merchant-acquiring arm of First National Bank of Omaha, announced last month that security company Trustwave would provide PCI scanning to First National retailers.
One merchant already using Trustwave for PCI scanning is Dave Taylor (no relation to the PCI expert of the same name), owner of online beef jerky retailer JerkyNet.com. Taylor says it took him less than a half hour to fill out the online Trustwave questionnaire about his security policies. That annual questionnaire and quarterly network scans are all that's required of smaller merchants to comply with PCI. Taylor says he pays Trustwave about $140 a year for the service.
Retailers like Wilson and Taylor fall into the Level 4 category of PCI, which encompasses smaller merchants that process no more than 20,000 e-commerce transactions or 1 million total transactions in a year. It's only been in the past year or so that banks and processors have started putting pressure on those merchants to fall in line with PCI.
But for larger merchants the mandates began to hit in 2005. Since then, vendors have introduced technology designed to minimize the cost of complying with PCI.
Don't hold data
PCI experts say one of the best ways for a retailer to reduce PCI compliance costs is to not hold cardholder data, because only retailer systems—networks, servers, databases and software—that hold cardholder data fall under PCI. No card data in a customer history database, for instance, means that database is excluded from PCI audits.
That's the approach Dreams Inc. has taken with its FansEdge.com e-commerce business that sells team sports apparel. All payment card numbers are stored by the e-retailer's payment processor, PayPal, says Mano Sivashanmugam, chief information officer at Dreams Inc.
That forced FansEdge, a Level 2 retailer, to change some processes. For instance, even returning customers who log into the site have to reenter a credit card number at checkout because FansEdge does not retain the number. Similarly, a customer who calls about a purchase will have to provide the card number again—and agents are trained to explain that the retailer does not keep the card number to protect customer privacy, Sivashanmugam says.
"That was a big change within our web site and customer service procedures," he says. "We need to message in a way that our customers understand, and we're not hearing concerns from customers." The retailer retains a unique reference number for each transaction.
Another technique called tokenization is gaining popularity as a way for retailers to ensure they hold no credit or debit card numbers. Card numbers are automatically converted into a code, or token, which the retailer retains; its technology provider keeps the actual card number in encrypted form.
Tokenization
Consumer electronics manufacturer Pioneer Electronics (USA) Inc. is using tokenization technology from Paymetric Inc. to protect card numbers of customers purchasing at its e-commerce site, PioneerElectronics.com. Kevin Erlandson, director of applications at Pioneer, says he feels more secure because even if someone were to break into Pioneer's network all they would get would be meaningless codes, not actual card numbers.
To get card numbers, he says, they would have to break into Paymetric's system and crack the encryption code, "a pretty unlikely scenario." While he wouldn't say how much the service costs, Erlandson says it was easily justified.
PCI poses a special challenge for retailers that develop their own software, because that code must go through a rigorous review—unless it is protected by a firewall dedicated to that application.
Online auto parts retailer AutoAnything.com, which develops its own software and frequently updates it, has installed a WebDefend firewall from Breach Security Inc., which sits in front of the retailer's e-commerce application, monitoring data flowing in and out.
Not only does it help AutoAnything meet PCI requirements, but the retailer's network is protected continuously against possible hacker attacks by a company that specializes in network security, says Parag Patel, the e-retailer's chief technology officer. The software cost about $20,000, with an annual maintenance fee of about $1,200, Patel says.
While retailers can benefit from such vendor technology, they also must ensure their vendors meet PCI requirements. That's particularly an issue now that the July 2010 deadline looms for payment software to be PCI-compliant.
A bit nervous
That has Jim Poulin, chief technology officer at multichannel retailer Gardener's Supply, nervous about his Controller Plus order management software from Sigma-Micro. While the vendor says the software will be certified as compliant by the deadline, Poulin says, "If not, what does that mean for me?"
Sigma-Micro will meet the deadline, but it has a lot of work to do because two-thirds of the companies using Controller Plus have customized it over the more than two decades the software has been on the market, says Gerry Bailey, vice president of product development. That means each piece of customized software has to be upgraded and certified individually, Bailey says.
He says the certification process will cost Sigma-Micro $175,000-$200,000. Whether the vendor will charge a retailer for the changes will depend on the amount of work that client's software requires and whether the retailer has a current software maintenance agreement.
Retailers should be aware of the high cost vendors face to certify software, because they may try to pass on those costs, says Taylor of PCI KnowledgeBase. He encourages retailers, when signing software contracts, to demand guarantees that the vendor will maintain the software as PCI-compliant without extra fees.
Poulin, a Level 3 retailer, also is aware that Level 2 retailers will have to bring in outside PCI auditors as of the end of 2010, under the new MasterCard rule. Taylor says hiring outside auditors can cost $10,000-$30,000 per year for a merchant already PCI-compliant and more for a retailer meeting the standard for the first time.
One way to avoid reaching the Level 2 threshold of processing 1 million Visa or MasterCard transactions a year is to add alternative payment methods, such as PayPal, that would reduce the number of card transactions.
"We've talked about that. If you could push 20% of transactions to those payment methods, that does take the pressure off of getting to Level 2," Poulin says. But Poulin says his company hasn't adopted that strategy yet because it's not that close to reaching Level 2.
Surely, Visa and MasterCard didn't intend for PCI to drive merchants away from their brands. But as PCI compliance becomes more complex and expensive, retailers are sure to consider every possible way to ease the burden.
don@verticalwebmedia.com