Retailers Fuming Over Card Data Security Rules

Computerworld - BOSTON -- Several retailers last week bristled at having to comply with the Payment Card Industry (PCI) Data Security Standard, complaining that they carry an unfair burden in securing credit card data.

In interviews and speeches at the annual ERIexchange conference here, retail executives also complained that implementing the PCI standard is costly and could alienate customers.

The companies face heavy fines and increased transaction rates if they fail to comply with the PCI standard.

Steve Methvin, director of store systems at Bi-Lo LLC, a Greenville, S.C.-based chain of about 230 grocery stores, called on the credit card companies to do more to make cards secure, such as adding a personal identification number. He claimed that the credit card firms have declined to take such steps in order to avoid complaints from customers.

The responsibility for a safe environment is not mutual, said Methvin, who spoke on a panel at the show. It seems like were being forced to provide an easy experience for Visa and MasterCard at our own expense. Its frustrating.

Retailers are investing money in areas that customers dont care about, added Methvin, who noted that Bi-Lo has so far met all the deadlines for compliance with the rules.

Five Set the Standard

The PCI standard was created by Visa International, MasterCard Worldwide, American Express Co., Discover Financial Services LLC and Tokyo-based JCB Co. to protect credit and debit card data before, during and after transactions.

Ongoing development of the standard is now managed by the PCI Security Standards Council, which the credit card companies set up in September.

The standard specifies a dozen security controls, including encryption, transaction logging and monitoring, along with authentication and access controls. It went into effect in June 2005.

Robert Fort, director of IT at Virgin Entertainment Group Inc. in Los Angeles, said that while the controls are sound, the credit card companies should have worked more closely with retailers to implement them. Much of the PCI standard [includes] good, solid network and security policies, but some of it is over the top and can be confusing, he said.

Fort also contended that meeting the requirements doesnt boost a retailers bottom line. Theres no direct return on investment, he said. It will not help us sell CDs.

The cost of compliance will vary depending on a retailers particular network, its security procedures and its IT infrastructure, Fort said.

Glenn Kriczky, vice president of information systems at Associated Wholesalers Inc., a Robesonia, Pa.-based food cooperative that provides IT services to independent retailers, said that convincing store owners of the benefits of the PCI rules can be difficult.

Its the customer we have to be concerned about, Kriczky said. He added that from the perspective of store owners, data security is only important when something happens.

Bob Russo, general manager of the PCI Security Standards Council, said the standard combines best practices from each of the credit card companies. It tells [retailers] exactly what they need to do to be secure, he said.

Russo also noted that just last month, 14 large organizations, including retailers such as Wal-Mart Stores Inc. and Tesco Stores Ltd., were elected to be the first members of an advisory board to the council.

The board will collect industrywide feedback on the data security standard and suggest changes, officials said.

Read more about Security in Computerworld's Security Topic Center.