As the announcement of Visa USA’s Sept. 30 deadline for Payment Card Industry Data Security Standard compliance puts the spotlight back on credit card protection worldwide, most Canadian retailers are still not ready, retail industry experts say.
According to Visa Canada's own compliance deadline, which passed on December 31, 2005, this should not be the case: Visa Canada is a separate region, and Visa USA's deadlines do not apply to Canadian merchants.
“The deadline for Visa Canada has never changed,” Simon Tang, senior manager of security services at Deloitte and a qualified security assessor for PCI DSS, said. “So, this is still the timeline and everyone has missed the timeline.”
Other credit card company deadlines have also come and gone. The American Express deadline passed earlier this year. MasterCard’s deadline for level two merchants — those processing more than one million but fewer than six million MasterCard transactions annually — is set for December 31, 2008. The deadline for all other MasterCard merchants has passed.
Under PCI DSS, all companies that accept credit cards must comply with 12 security requirements, which include maintaining a secure network with firewalls, encrypting cardholder data, and enforcing strong access control measures. The standard was developed by the major credit card companies in order to standardize credit card data protection; prior to PCI DSS, each card company had its own set of requirements.
Marty McGinnis, president of the retail and manufacturing consulting firm McGinnis and Company Ltd., said the various deadlines are trivial and confusing.
“The issue isn’t how many months you push it back, the issue is how many years you push it back, because that’s the order of magnitude in the changes we’re talking about here,” McGinnis said. “I don’t know of any retailer who knows for sure that they’re compliant.”
Peter Woolford, vice-president of policy development and research at the Retail Council of Canada, said PCI compliance is a complex and daunting task.
“Everything I’ve seen so far indicates that retailers will not be compliant by the end of September,” Woolford said. “I think what card brands are hoping for is that retailers are well along, committed, have a plan, and are executing that plan.”
But McGinnis said that the lack of specificity in the deadline has also been a theme with the PCI DSS guidelines in general, making it difficult for merchants to draft a plan. He said that the clients he’s dealt with have had trouble interpreting the standard. “If you take an organization that’s franchised, for example, you may have one set of obligations at head office and another that are completely different at the store level,” McGinnis said.
While everybody understands the objective of the PCI standards, McGinnis said, retailers are having trouble with the details, as well as with figuring out whom to ask in order to understand the standard.
“The PCI standards just sort of came floating through the window, so it really blindsided a lot of people and has become a very significant project for retailers,” McGinnis said. “If this kind of measure had been brought about by a government, we would have voted them out of office.”
Visa Canada, which declined a request for an interview, said in an email to ComputerWorld Canada that it is working with Canadian merchants to ensure broad adherence to the PCI DSS. The email said that Visa Canada recognizes that PCI compliance will require resource and infrastructure investments on the part of merchants, and that it has put an emphasis on working with merchants in a collaborative way.
Visa Canada did not indicate whether it has issued penalties to non-compliant retailers; however, no such fines had been published or reported at press time.
Along with its new deadline, Visa USA said that as of October 1, 2007, non-compliant merchants will no longer qualify for the best available tiered interchange rates. It is unknown whether the same penalty will apply to Canadian merchants.