Apparently driven by fear of fines, exposure or other repercussions, nearly two-thirds of the largest merchants in the United States by a Sept. 30 deadline validated to Visa Inc. their compliance to the Payment Card Industry Data Security Standard. Among medium-size merchants, compliance grew to 43 percent from 15 percent nine months earlier, Visa said in October.
As of Oct. 1, Visa said it began to levy fines of $25,000 a month on U.S. acquirers (banks or alliances that process payments for merchants) for each Level 1 merchant that had not validated PCI compliance. A Level 1 issuer, as defined by Visa and MasterCard, is one that processes more than 6 million transactions a year. MasterCard hasn't announced fines and didn't return calls for comment. American Express suggested on its Web site that fines are possible.
PCI concerns data on the front and back of every card, explained Bob Russo, PCI Security Standards Council general manager. "The account number, expiration date and the person's name can be stored by a person who takes the card. But if they do decide to store it for whatever business reason, that information has to be encrypted, hashed or truncated. You cannot have that out in the clear," he said. The back magnetic stripe "contains all the authentication codes. That information the merchant can never store; it's just not allowed under the rules of any credit card company."
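The storage rule Russo describes, as an added illustration that is not code from the article or from the council: a Python sketch that scans stored text for magnetic-stripe track data or cleartext card numbers, and that reduces a card record to a keyed hash plus the last four digits before it is written to storage, refusing any record that carries track data. The HMAC key, the regular expressions and the sample values are constructed assumptions for this example.

```python
import hashlib
import hmac
import re

# Constructed key for this example only; a real deployment keeps it in an HSM or key service.
HMAC_KEY = b"example-only-key"

# ISO 7813 track layouts: track 1 starts '%B' with '^' separators, track 2 starts ';' with '='.
TRACK_RE = re.compile(r"%B\d{13,19}\^[^?]*\?|;\d{13,19}=\d+\?")
CANDIDATE_PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, used to tell real card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cleartext_card_data(text: str) -> list:
    """Return (kind, masked_value) for every track string or cleartext PAN found in text."""
    findings = [("track_data", "***") for _ in TRACK_RE.finditer(text)]
    stripped = TRACK_RE.sub("", text)  # avoid counting a PAN inside track data twice
    for m in CANDIDATE_PAN_RE.finditer(stripped):
        if luhn_ok(m.group()):
            findings.append(("pan", "*" * (len(m.group()) - 4) + m.group()[-4:]))
    return findings


def prepare_for_storage(record: dict) -> dict:
    """Keep only a keyed hash and the last four digits of the PAN; refuse any track data."""
    if "track" in record or TRACK_RE.search(" ".join(map(str, record.values()))):
        raise ValueError("track data may never be stored")
    pan = record["pan"]
    if not luhn_ok(pan):
        raise ValueError("invalid PAN")
    return {
        "name": record["name"],
        "expiry": record["expiry"],
        "pan_last4": pan[-4:],
        "pan_hmac": hmac.new(HMAC_KEY, pan.encode(), hashlib.sha256).hexdigest(),
    }
```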
The rising incidence of stolen credit card data in the mid-1990s prompted card brands to issue security standards. To eliminate duplicative standards, card competitors in 2004 issued joint rules on the data that merchants can and cannot store, but continued to validate compliance independently. Following one of the largest data security breaches in history--at card processor CardSystems Solutions, which exposed data from more than 40 million credit card accounts of Visa, MasterCard, American Express, Discover and others--card brands required merchants to hire independent auditors to validate adherence to 12 security rules. Those requirements led to the creation in September 2006 of the Payment Card Industry Security Standards Council by five competitors: American Express, Discover, JCB, MasterCard Worldwide and Visa International.
The council's first standard, PCI 1.1, is the Visa and MasterCard security rules, but the council is working on enhancements. The council also took over security assessor certification programs previously run by card issuers. It now certifies two types of compliance assessment firms: qualified security assessors (QSAs), which go onsite to a merchant to validate security procedures, and approved scanning vendors (ASVs), which conduct remote scans. The PCI Web site at press time listed more than 105 QSAs and more than 135 ASVs. Vendors also may opt for self-assessments. Once audited, merchants must send reports to each card company. Compliance and the consequences of noncompliance are determined by each card brand. There is no central database to independently verify specific suppliers' PCI compliance.
The data security rules are good practices that any IT director would find acceptable, Russo said. They concern firewalls, nonreliance on vendor-supplied password defaults, data encryption, information security policy, access control measures and regular vulnerability testing.
But implementing the rules has proven costly and, at times, challenging for merchants. Technology research firm Gartner Inc. estimated that Visa's 327 Level 1 merchants on average spent $125,000 on PCI assessments and $568,000 to achieve compliance, according to Internet Retailer.
Amadeus IT Group said an audit of its data policies, procedures and practices took two years to complete for the equivalent of two full-time employees, plus the services of an independent auditor. "We had a process, but they found gaps," Marcos Isaac, Amadeus director of corporate and distribution channels, said of the audit firm, SRC. The firm tested whether an employee of Amadeus or a provider company could view credit card numbers. "Within Amadeus, nobody can see the credit card number," he added.
"The PCI standards would work for anything, not just credit cards," Russo said. "It's the basis for good security. It goes from the ridiculous to the sublime, from wireless security to physical security" of devices. As the council is owned by the credit card companies, the mandate covers their sector. However, Russo suggested that there's nothing to prevent any organization from using the standards to enhance its own data security. For example, he said Penn State University is requiring all vendors on campus to be PCI-compliant and use the standards internally.
"It doesn't prevent you from taking the standard and applying it to travel agency" profiles or corporate data, Russo said.