Big retailers face Sept. 30 data security deadline set by Visa
More than 300 large retailers must be certified as complying with the Payment Card Industry (PCI) Data Security Standard by Sept. 30 or face fines from Visa. The most intense focus is on card data collected in stores, rather than online, because that data can be used to create perfect counterfeit cards, says Avivah Litan of research and consulting firm Gartner.
The Sept. 30 deadline applies to 327 merchants, by Gartner’s count, that each process more than 6 million Visa card transactions a year. That includes both online and offline transactions. The deadline for the roughly 730 Level 2 merchants, which process 1 to 6 million transactions a year, is Dec. 31. Combined, Level 1 and 2 merchants account for nearly two-thirds of Visa volume.
There are another 2,410 Level 3 merchants, which are e-commerce-only retailers that each process at least 20,000 Visa transactions a year. Visa has not announced a compliance deadline for those retailers or for the estimated 6 million small Level 4 retailers.
Visa says it will levy fines of between $5,000 and $25,000 per month for failure to meet the PCI deadlines. Visa fines the merchant banks, which are Visa members, but those banks can be expected to pass on any fines to offending merchants, Litan says.
Visa already has been levying fines for data breaches, for failure to secure the “full track data” that can be used to create counterfeit cards and for failure to submit PCI compliance plans. Visa levied $4.6 million in fines in 2006, up from $3.4 million in 2005.
PCI is a broad set of rules designed to protect cardholder data, whether it’s collected in stores or online. But Visa has particularly focused on storage of the “full track data” collected when a magnetic stripe card is swiped in a store. That data—which includes secret codes not visible on the front or back of the card—is necessary to create counterfeit cards that card issuers would not be able to distinguish from the originals.
When that data is captured, issuers typically reissue cards, which they may not do when criminals obtain the data collected by an e-commerce site—such as name, account number and three- or four-digit security code—Litan says. “E-commerce, ironically, is less problematic,” she says.
Visa reported in July that 40% of Level 1 merchants were in compliance with PCI and that another 50% had submitted an initial validation report and were working on correcting deficiencies. Among Level 2 merchants, 33% were certified and 42% were addressing problems.
Among the Level 3 e-commerce merchants, 52% were in compliance and 22% had submitted initial validation reports. Litan notes that many e-commerce merchants outsource their payments processing to vendors that are PCI-compliant, which makes it easier to satisfy the card network rules.
Achieving PCI compliance is difficult for many merchants that have extensive computer networks, many stores and old computer hardware and software, Litan says. “These are very big, complicated systems,” she says. She says few retailers can meet the letter of the law on all of the 12 PCI requirements and that often they have to come up with other defenses that are equally strong. For instance, if a merchant cannot encrypt all the cardholder data it holds, it must surround that data with firewalls to prevent unauthorized access to it.
Gartner says the average Level 1 merchant is spending $125,000 on assessing what it needs to do to achieve PCI compliance and $568,000 on reaching compliance. For Level 2 retailers the assessment costs average $105,000 and compliance $267,000; for Level 3 retailers assessment costs average $44,000 and compliance $81,000. Retailers have little choice but to comply, and the effort is worthwhile, Litan says. “Protecting customer data is less expensive than dealing with a security breach,” Litan wrote in a recent report.
Visa and MasterCard issued the PCI Data Security Standard in 2004 so that there would be a single set of rules for merchants and transaction processors to follow. Three other major payment card brands—American Express, Discover and Japan’s JCB—subsequently have adopted the PCI standard as well.
MasterCard has not disclosed the frequency or amounts of its fines for PCI violations. Its web site lists the following deadlines for initial PCI compliance validation: Level 1 merchants, June 30, 2005; Level 2, Dec. 31, 2008; and Level 3, June 30, 2005. For Level 4, MasterCard encourages retailers to consult their acquirer.