May 12, 2005, 12:00 AM

Web merchants behind in meeting payment security deadline, expert says

As the deadline for implementing data protection standards approaches, the majority of U.S. e-merchants comply with only about 30% of the standards, says David Glaser, director of professional services at CyberSource.

As the June 30 deadline set by MasterCard and Visa for implementing joint data storage protection standards approaches, the majority of U.S. web merchants comply with only about 30% of the standards, says David Glaser, director of professional services at CyberSource Corp.

The combined standards, the Payment Card Industry Data Security Standard, or PCI, outline what steps online merchants must take to protect customers’ confidential data, including credit card account numbers.

Glaser says he bases his “back of the hand” estimates on the experiences of CyberSource’s merchant clients working to implement the standards. The guidelines fall into about 12 different categories and apply to any entity that stores or transmits payments.

“It’s a relatively complex series of tasks to ensure compliance, and some merchants are more prepared than others, and some concentrate more in certain areas than others,” Glaser says. “Some are very good at protecting the network but they might not be as good at encrypting cardholder data. When you look at all the pieces combined, very few merchants are well-prepared on all the fronts that are required.”

The level of preparedness varies across all sizes of merchant, Glaser says. “Some of the larger companies that you would think would have good procedures and security standards in place, simply don’t,” he says. “And some of the smallest companies have very good systems, some don’t. If they’re in start-up mode, sometimes the most important thing is how to take the payment, not how to protect the payment.”

Part of the problem may be poor communications between Visa and MasterCard and their acquiring banks, which in turn are responsible for communicating with their e-merchants, Glaser says. “Merchants are telling us, ‘boy, we didn’t know about this until we read your press release, we didn’t know this until somebody called us to see if we were compliant,’” he says. “It seems like the acquirers aren’t communicating effectively with the merchants in all cases.”

Online retailers that fail to implement PCI could face up to a $500,000 fine or could be permanently barred from accepting MasterCard and Visa cards. However, both bank card associations said they will show leniency to e-merchants that miss the deadline if they are making a good-faith effort to comply.

CyberSource is a provider of electronic payment and risk-management solutions.
