Merchants Face Deadline for Data Safety

Computerworld - Companies that manage credit card information have just over a month to comply with new data-protection requirements being pushed by MasterCard International Inc. and Visa U.S.A. Inc. amid growing concerns about identity theft and fraud.

The Payment Card Industry Data Security Standard, or PCI, lists 12 items that retailers, online merchants, data processors and other businesses that handle credit card data will have to start meeting by June 1. The standard sets technology requirements such as the use of data encryption, end-user access control, and activity monitoring and logging. It also includes procedural mandates such as the need to implement formal security policies and vulnerability management programs.

The standard also requires companies to validate their compliance via a PCI-certified assessor either annually or quarterly, depending on their transaction levels. Banks that issue credit cards will be responsible for ensuring that companies comply with PCI and could face up to $500,000 in fines per incident if data is compromised.

The PCI standard aligns and builds on the separate security requirements that both MasterCard and Visa had prior to December 2004, said John Verdeschi, MasterCard's vice president of e-business and emerging technologies. It's designed to offer a common approach for protecting credit card data across both brands, he said.

Other card companies, including American Express Co. and Diners Club International Ltd., have also endorsed the PCI standard, he added.

Complex Requirements

"The good part about the program is that it provides good guidelines and standards of conduct," said Todd Mazurek, vice president of strategic planning at Tickets.com Inc., a Costa Mesa, Calif.-based provider of ticketing services for live events.

But complying with some of the PCI provisions could be difficult for midsize and small merchants, Mazurek warned. One example is the requirement that merchants record and keep track of all activity involving access to information about cardholders.

"That's a lot of information that you need to track," Mazurek said. "Doing that in a manner that doesn't impact your responsiveness is somewhat tricky."

OshKosh B'Gosh Co. is working with the vendor of its point-of-sale software to bring approximately 600 POS systems in 170 stores into compliance with PCI, said Jon Dell'Antonia, CIO at the Oshkosh, Wis.-based clothing retailer.

"It really involves what data you capture and forward when you scan a credit card in stores," Dell'Antonia said. The company is also evaluating what other changes it needs to make to comply fully with the standard, he added.

Jelly Belly Candy Co. is doing a similar evaluation of its Web site operations to see what compliance-related issues it might need to address, said Gary Praegitzer, a security specialist at the Fairfield, Calif.-based candy maker.