Fear factor driving retailers to implement security controls

Credit the TJX breach for pushing PCI adoption, says Visa USA

The massive data breach at The TJX Companies Inc. made public earlier this year -- and a string of similar smaller breaches at various other firms since then -- appears to be goading merchants to accelerate their adoption of the Payment Card Industry (PCI) data security standard.

As of this month, about 96% of the world's largest businesses that accept credit and debit cards for payment have confirmed that they are no longer storing magnetic stripe information on their systems, according to Visa U.S.A. Inc.

Magnetic stripe data, also known as "track data" in industry parlance, includes the security verification codes on the back of each payment card as well as personal identification number (PIN) data from merchant payment systems. Older retail payment systems often captured and stored this data by default, without the merchants even being aware that the information was being retained.

Industry analysts believe the storage of such data has made retail systems an attractive target for hackers. The practice is explicitly banned under PCI, which is a data security standard mandated by Visa, MasterCard Worldwide, American Express Co., Discover Financial Services LLC and JCB International Credit Card Co.
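A practical way for a merchant to verify the "no stored track data" requirement described above is to scan stored transaction records for the ISO/IEC 7813 track 1 and track 2 layouts and flag (or purge) any hits. The following script is an added example written for this article; it is not code from Visa, the PCI council or any vendor named here. The record layout and the sample records are constructed, the card numbers in them are the well-known public test PANs (4111111111111111 and 5500000000000004) plus one deliberately non-Luhn number, and the function names are my own.

```python
import re

# Track 1 (ISO/IEC 7813): %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{12,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{12,19})=(\d{4})(\d{3})([^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum; used to suppress false positives on random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the common PCI-style display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(text: str) -> list:
    """Return one finding per Luhn-valid track 1 or track 2 string in `text`."""
    findings = []
    for track, regex in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in regex.finditer(text):
            pan = m.group(1)
            if luhn_ok(pan):
                findings.append({"track": track, "pan": mask_pan(pan), "offset": m.start()})
    return sorted(findings, key=lambda f: f["offset"])


def scan_records(records) -> list:
    """records: iterable of (record_id, text). Returns [(record_id, findings), ...]."""
    report = []
    for record_id, text in records:
        hits = find_track_data(text)
        if hits:
            report.append((record_id, hits))
    return report


def purge_track_data(text: str) -> str:
    """Replace every track-formatted string with a marker carrying only a masked PAN.
    Purging is deliberately conservative: it does not require a valid Luhn digit."""
    def _redact(track):
        def repl(m):
            return "[TRACK%d PURGED pan=%s]" % (track, mask_pan(m.group(1)))
        return repl
    text = TRACK1_RE.sub(_redact(1), text)
    return TRACK2_RE.sub(_redact(2), text)


# Constructed sample of what an older POS journal file might contain.
SAMPLE_RECORDS = [
    # Compliant record: masked PAN and authorisation code only.
    ("txn0001", "AUTH OK amt=42.10 pan=411111******1111 auth=123456"),
    # Prohibited: full track 1 and track 2 retained from the swipe.
    ("txn0002", "SWIPE %B4111111111111111^DOE/JANE^25121011000000000?"
                ";4111111111111111=25121011000000000000? amt=19.99"),
    # Prohibited: track 2 only.
    ("txn0003", "SWIPE ;5500000000000004=2603101123456789? amt=7.50"),
    # Looks like track 2 but the number fails Luhn, so it is not reported as a hit.
    ("txn0004", "DEBUG ;1234567890123456=2512101? amt=0.00"),
]

if __name__ == "__main__":
    for record_id, hits in scan_records(SAMPLE_RECORDS):
        print(record_id, hits)
    print(purge_track_data(SAMPLE_RECORDS[1][1]))
```

Run against a real journal or database export, the scan report is the evidence an assessor would ask for, and the purge function shows the shape of the remediation: the only thing left behind is a masked PAN, never the full track. The Luhn filter is applied to findings to keep the report clean, but not to purging, so that a malformed track is removed rather than kept.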

Purging track data marks an important step towards full compliance with PCI, said Michael Smith, senior vice president of enterprise risk and compliance at Visa.

"By removing prohibited data from their payment systems, large and small businesses alike are denying hackers the data they covet for use in counterfeiting payment cards and are thus making their businesses and the payments system more secure," Smith said in a statement.

The progress on the track data front comes amid an overall uptick in the adoption of the controls mandated by PCI. According to Visa, so far, about 40% of 327 Level 1 merchants -- those processing more than 6 million transactions per year -- have validated their compliance with the standard. Another 50% have been audited for compliance with the standard and are working to address issues that were identified in those audits. The remaining 10% are still working on their initial compliance assessments.

In December 2006, about 36% out of the 230 merchants then considered to be at Level 1 had validated compliance. Since then, 97 more merchants have been added to that category.

The validated compliance level among Level 2 merchants -- those processing between 1 million and 6 million cards each year -- was 33%, while another 42% have submitted their initial validation requirements, Visa said. The remaining 25% are beginning the validation process. Last December, the number of compliant Level 2 merchants stood at 15%.

Meanwhile, more than 50% of merchants that handle between 20,000 and 1 million e-commerce card transactions per year were compliant with PCI as of July.

Much of the adoption has been driven by fear on the part of merchants that they could become the next major victims of a data breach, said Eduardo Perez, vice president of payment system risk at Visa U.S.A. The "silver lining" to follow the data breaches reported in recent months is that "it has caused other players and merchants in the system to secure their systems," he told Computerworld.

Also helping to boost adoption is Visa's Compliance Acceleration Program, which was announced last December, Perez said.

Under it, Visa offers monetary rewards to "acquiring" financial institutions if their members meet various PCI deadlines. For instance, acquiring banks whose members become fully PCI-compliant by Aug. 31 will be financially rewarded. Visa has already handed out $7 million to acquiring banks whose members met an earlier March 2007 deadline for purging their systems of track data, Perez said.

Acquiring banks are financial institutions that grant retailers and other entities the approval they need to accept credit cards. These banks are contractually responsible for ensuring that merchant members meet PCI requirements.

Under the PCI compliance acceleration program, acquiring banks will also be assessed fines if their members fail to meet certain deadlines. For instance, acquiring banks of the 4% or so of Level 1 merchants who have yet to purge track data from their systems are being assessed fines that increase for each month of noncompliance. Similarly, banks whose members fail to ensure PCI compliance by Sept. 30 will be assessed fines starting at $5,000 a month for each noncompliant merchant. The fines increase to $25,000 per month for each noncompliant merchant after Dec. 31.

"I think the progress is mainly due to the 'fear factor' that a merchant won't end up as the next TJX," said Avivah Litan, an analyst at Stamford, Conn.-based Gartner Inc.

At the same time, there is a considerable amount of frustration among many retailers about what they perceive as changing interpretations of PCI rules by various assessors, Litan said. They are also frustrated by the heavy costs involved in upgrading their point-of-sale systems to ensure that they don't store track data.

"So while much progress has been made, still more needs to be done in ensuring consistent and uniform interpretations of PCI rules that balance retailer costs against real threats," Litan said. "The PCI enforcement system is also rife with conflict of interest, where assessors sell security services to their audited clients. This needs to be cleaned up before retailers can have confidence in the fairness of the program."

Copyright © 2007 IDG Communications, Inc.
