If the impending June 30 PCI Data Security Standard compliance deadline has done anything, it’s been to get companies focused on credit card data protection.
With many retailers yet to implement the standard, card companies such as Visa have said they will ease their demands for full compliance by the deadline. Card companies are limiting their demands to the requirement that retailers prove they have plans to put risk mitigation strategies into place, prior to the June date.
“I think that a lot of companies are attempting to meet it, but at this point, we have not seen full compliance by any means,” Diana Kelley, senior analyst with Burton Group, said. “We may not see full compliance in terms of everybody passing, but part of the PCI DSS is not only going through the process, but also having a plan in place to actually meet it, so I think we’ll see higher numbers in the future.”
Neglecting potential security holes could eventually prove costly to retailers. The penalties for non-compliance or for a breach of credit card information range from fines of up to US$500,000 to loss of credit card services altogether.
“The companies that have been responsible for chasing the compliance have been the acquiring banks that work with retailers and merchants,” Kelley said. “The credit card companies have talked about levying additional fines, but whether Visa is going to go after the retailer remains to be seen.”
Simon Tang, senior manager of security services at Deloitte – a qualified security assessor for PCI DSS – said companies should not worry about deadlines at this point, and instead, focus on enacting plans to get their data security on the right track.
“There have been so many deadlines and all the credit card companies have their own deadlines as well,” Tang said. “In the end, companies will be looked and negotiated at an individual level and it will really be a case-by-case basis. Retailers want to assess their gaps and have a plan to remedy them.”
The PCI DSS was developed by the major credit card companies in order to standardize credit card data protection. It sets out 12 basic security requirements, which include maintaining a secure network, encryption of cardholder data, and strong access control measures.
Under PCI DSS, level-one businesses are those that process more than six million transactions per year; they are subject to an annual on-site audit and a quarterly network scan performed by a PCI-qualified assessor. Level-two businesses process between 150,000 and 6,000,000 transactions per year, while level-three merchants process between 20,000 and 150,000.
Merchants at these levels must fill out an annual self-assessment questionnaire and have a PCI-approved assessor conduct a network scan.
In December 2006, Visa reported that compliance rates were only at 36 per cent among its level-one merchants and 15 per cent among its level-two merchants. Visa said it focused on these retailers because they account for the majority of Visa transactions.
Tang attributed the low compliance rates to a lack of understanding among many retailers and service providers.
“Identifying scope is probably the most important aspect within PCI and it’s something that companies are having difficulty with,” Tang said. “For example, a system that does not store, process or transmit credit information may be connected to a system that does handle credit transactions. With a flat network, everything’s connected, and therefore, every system has to be secure, including the ones that don’t involve credit information.”
Kelley said that smaller companies are more likely to find compliance arduous because of unfamiliarity with some of the security techniques. “Something companies have to think about was the granularity and the robustness of their logging and monitoring solutions,” Kelley said.
“So, not only making sure it is robust enough and that they have enough information, but also doing a double check to make sure that those log calls weren’t actually tracking too much information.”
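One way to do the “double check” Kelley describes, as an added example that is not from the article or from any company named in it: a filter that finds Luhn-valid card numbers in log lines and masks all but the first six and last four digits, while leaving look-alike numbers such as order IDs untouched. The log lines, the regular expression and the function names are constructed for this example.

```python
import re

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or dashes.
# Assumption for this example: card numbers only appear in these forms in the logs.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits):
    """Return True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(digits):
    """Keep only the first six and last four digits, the most PCI DSS permits to be shown."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scrub_line(line):
    """Return the log line with every Luhn-valid PAN masked, plus how many were masked."""
    found = 0
    def repl(match):
        nonlocal found
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)   # e.g. an order number that merely looks like a PAN
        found += 1
        return mask_pan(digits)
    return PAN_CANDIDATE.sub(repl, line), found

# Constructed sample log lines; 4111 1111 1111 1111 is a well-known test card number.
SAMPLE_LOG = [
    "2007-05-01 12:00:01 INFO checkout ok order=1234567890123456 amount=19.99",
    "2007-05-01 12:00:02 DEBUG auth request pan=4111 1111 1111 1111 exp=0109",
    "2007-05-01 12:00:03 INFO settlement batch=42 records=120",
]

def audit_log(lines):
    """Scrub every line and count leaked PANs: the check that logs are not tracking too much."""
    scrubbed, total = [], 0
    for line in lines:
        clean, count = scrub_line(line)
        scrubbed.append(clean)
        total += count
    return scrubbed, total
```

Running `audit_log(SAMPLE_LOG)` reports one leaked PAN (the DEBUG line) and leaves the Luhn-invalid order number alone; a non-zero count in production logs is the finding to fix at the source, not just in the filter.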