Retailers face myriad issues complying with payment security standards
While retailers face increasing pressure to comply with the payment card industry’s data security standards to protect customer account data, compliance still varies widely, according to retailers and security analysts.
“Most companies don’t want to spend money on security,” says Avivah Litan, security technology expert at research and advisory firm Gartner Inc. “They’d rather spend it on revenue-generating projects.”
A recent Gartner survey of 50 retailers found that only one-third of the largest merchants—those identified by credit card companies as Tier 1, or processing more than 6 million payment card transactions per year—were compliant with payment card industry standards. “That’s certainly well below what it should be,” Litan says.
The level of difficulty in implementing the standards varies based on a retailer’s extent of operations and whether it sells through a single channel or multiple ones. “99% of this is common-sense stuff that retailers should have in place already,” says Robin Bonin, IT director for Golfballs.com Inc.
Golfballs.com, which sells mostly online but operates one store and is No. 459 in the Internet Retailer Top 500 Guide, complies with the payment industry standards and took extra steps to fix security holes in its data networks during a recent site re-design, Bonin says.
Other retailers find compliance more difficult. Most merchants prefer not to discuss payment security issues publicly, but Mallory Duncan, senior vice president and general counsel of the National Retail Federation, a trade group that represents large retailers, says many merchants still find it hard to keep up with updated software and other requirements of compliance. “Retailers are getting closer in line, but it’s a challenge,” he says.
Indeed, the 12 standards outlined in the payment card industry data security standards, commonly known as PCI DSS, actually amount to more than 200 points that retailers may have to address, he adds. As a result, many retailers leave security standards compliance on their to-do lists.
Payment security is one of the topics at the Internet Retailer Conference & Exhibition, June 4-7 in San Jose, in a workshop June 4, Managing E-Payments and Web Security.
Bonin’s colleague Tom Cox is speaking at the Internet Retailer Conference & Exhibition, June 4-7 in San Jose, in a session entitled Hidden Gold: The Small Retailer’s Quest for Talent.