6 months after deadline, many e-retailers lag in card data security

Six months after deadline for compliance, a large percentage of online merchants still haven’t complied with the data protection rules of MasterCard International, Visa U.S.A., American Express Co. and other major card brands, according to Protegrity Corp., a data security company.

In a recent survey of 150 online retailers, 26% of merchants said they hadn’t started the compliance process for the Payment Card Industry Data Security Standard despite a June 1, 2005, deadline set by Visa. In addition, 19% said they were just beginning the compliance process and 30% said they were in the middle of the assessment process needed to verify compliance.

Only 3% of the online retailers responding to the survey said they had passed both the assessment and external scan needed to verify compliance, while 19% said they failed the assessment and were taking steps to comply with the PCI standards.

Although the survey didn’t ask merchants why they were slow to comply with the data protection standards, many of the retailers indicated they didn’t believe Visa and MasterCard would enforce the standards, says Paul Giardina, Protegrity vice president of marketing. “A lot of them didn’t think Visa and MasterCard were going to follow up,” Giardina says.

Visa and MasterCard were unavailable for comment.

However, retailers began to work towards compliance after Visa and American Express in October cut ties with CardSystems Solutions Inc., a card processor that failed to meet PCI standards, exposing confidential data on 40 million cardholder accounts, Giardina says.

The PCI standards outline what steps online merchants must take to protect customers’ confidential data, including credit card account numbers. Retailers that fail to implement PCI could face up to a $500,000 fine or could be permanently barred from accepting credit cards.