IN PRAISE OF PCI

Mar 01, 2008 10:30 PM  By Tiffany Riley

When the Payment Card Industry Data Security Standards were introduced four years ago, they were received with about as much enthusiasm as a root canal. Most Web merchants would have to admit that PCI-DSS were a necessary evil, but many felt that the standards were onerous, compliance was expensive, and the penalties could be stiff.

Compliance deadlines, tighter enforcement, and high-profile data breaches have inspired a record number of merchants to become compliant with the standards. Still, many Web marketers continue to view PCI-DSS with the same fear and loathing that they did in 2004. They shouldn’t — and here’s why.

PCI-DSS were developed by the major credit card companies as a guideline to help organizations that process card payments prevent credit-card fraud, hacking, and various other security threats. The standards have evolved since they were first introduced — and they will continue to evolve as new threats arise, security technology improves, and financial institutions scale their enforcement to all merchants, large and small.

Achieving and maintaining PCI-DSS compliance is a critical focus for merchants. Complying with the standards inspires consumer confidence, and saves fees and fines levied by the issuing banks; it also prevents loss.

For merchants, the ROI to become compliant or stay compliant is clear. Following PCI-DSS practices will significantly reduce the risk of a data security breach, and enable quick diagnosis and recovery should a breach occur.

Why does this matter? A breach of security in the environment can damage consumer confidence in the brand. Not only could this hurt sales, it could also drive down stock price or the company’s value.

Lack of demonstrated compliance can result in monthly fines — tens of thousands of dollars — and increased transaction fees. A breach can result in extensive liability fines and even lawsuits. Large companies will find the brand erosion, fines, and lawsuits painful; smaller merchants could find them devastating.

Much of the focus has been on merchants becoming PCI compliant, since it can be a major achievement requiring significant investment in some cases. But merchants should be careful not to consider PCI compliance a one-time event.

Filing initial compliance paperwork with a bank or credit card association is the first step in a long, complicated process. PCI compliance is about instilling new habits in a security diet, staying educated on standards and processes, and maintaining an ongoing program that spans your environment and the environment of your service providers.

Keep in mind that consistent, ongoing investment of time and money in PCI compliance is good business. Here are four reasons to embrace PCI-DSS.

  • Consumers demand a secure relationship

    Protecting the shopper is the ultimate reason for a merchant to abide by the PCI-DSS standards. While the credit card associations are concerned with controlling losses, merchants should be worried about losing customers. This applies to data security both at the purchase and during the ongoing customer relationship.

    Shoppers expect a safe, secure shopping experience whether shopping in the store, through a call center, or on an e-commerce Website. Online shoppers in particular are savvier than ever and clearly prefer brands and sites that they recognize and trust to protect their sensitive financial information.

    Research shows that security certification logos from a trusted security vendor displayed on a merchant Website have an impact on consumers’ confidence.

    Why? With the rise of identity theft, consumers are concerned about much more than stolen credit card numbers. By building consumer trust, a safe and secure Website can increase conversion rates, build customer loyalty for repeat purchases, and spread positive news about your brand through word-of-mouth.

    Customer data — shopping history, point-of-sale data and preferences — can help merchants understand who their customers are and the most effective ways to market and merchandise to them. Research shows that customers value and respond to such personalized value propositions.

    But merchants relying on such data must take on the responsibility of ensuring the privacy and security of that data, or their efforts may yield less consumer confidence rather than more results. The more data a merchant holds, the tighter and more comprehensive its security strategies need to be.

    As customer data strategies evolve, so will security strategies. This requires a tight linkage and business planning process between the business and the finance arms of any merchant.

  • Hackers will get smarter and PCI-DSS standards will change to combat them

    The war between hackers and merchants will continue. Hackers will find new ways to penetrate Websites or network environments, and security hardware and software will fight back. The PCI-DSS will evolve to ensure merchants are doing everything they can to protect data and reduce losses.

    As an example, a new requirement goes into effect in June stating that merchants must either have an application firewall for all Web applications or regularly review all custom application code. Expect additions like this on an ongoing basis as technologies such as network architectures, data encryption, access control, and forensic tools improve. This will mean merchants must continually invest in programs, technology, people, and processes to stay up to date.

  • Technology and service providers are constantly adapting

    Your responsibility to demonstrate compliance to PCI-DSS includes validating security within your own walls as well as proving that any outside service providers that are handling credit card transactions or sensitive customer data meet the standards.

    Expect and plan for updates from providers delivering technology “on-premise” or those that are hosting for you. Proactively work with providers to understand their PCI-DSS related plans, releases and upgrades.

    The technology environment of the multichannel merchant is particularly complex, requiring secure environments, data flows and processes to be considered between online and offline systems and the varying points of integration between them.

    Understand what levels of certification these providers are offering, and which to include in the compliance paperwork. Budget and plan accordingly, not only to stay in compliance but also to have the most up-to-date and most secure releases.

    This requires a tight linkage and business planning process between IT or risk management and the finance arms of any merchant. Small investments in technology upgrades can help avoid big PR problems or fines later.

  • Laws based on PCI standards are in discussions

    Consumer data security is not only a concern of the credit card associations and banks, but it is also on the radar of state and federal legislators. Minnesota has already passed a law holding Minnesota-based merchants legally accountable for data security based on PCI-DSS.

    California passed a similar law unanimously in the State Assembly and State Senate, but it was vetoed by Governor Arnold Schwarzenegger. The bill was driven by large consumer support and is expected to be raised as an issue again. Texas also had legislation in process, but it, too, was rejected.

    While merchants in these states are off the hook for now, expect this issue to continue to surface at state and federal levels as concerns over consumer security rise.

Merchants should view PCI-DSS compliance and re-compliance as a priority to protect the brand, raise consumer confidence, and control long-term costs. Successful Web marketers are integrating PCI compliance into an ongoing business plan.

What’s more, savvy online merchants are being proactive in making data security an issue critical to growth, competitive advantage, and financial stability.


Tiffany Riley is senior vice president of marketing at MarketLive (www.mmlive.com), a Petaluma, CA-based provider of e-commerce technology and services.

5 steps for PCI compliance


Payment Card Industry Data Security Standards are here to stay: These standards will only grow in relevance and importance. PCI compliance is a complex topic with many nuances, requiring attention and focus. Companies can follow these simple steps to truly make consumer data security policies and PCI compliance less of a fad diet and more of a way of life.

  1. Assign an organizational owner. It does not matter where this person resides organizationally, but someone in your company needs to worry about customer data security and the latest PCI standards and compliance requirements.
  2. Get educated. Learn all about today’s standards and how those standards might be changing based on your business and your customer data strategies. Compliance will mean different strategies for different vendors. There is no one-size-fits-all program.
  3. Educate your company across all functions. The organizational owner will need to help educate everyone involved in customer data and security strategies — IT, marketing, merchandising, finance, and anyone involved with customer data. Additionally, and even more important, ensure C-level executives are educated on compliance and on the brand-related benefits of continually investing in PCI-DSS compliance.
  4. Create, maintain, and update a documented security business strategy and PCI compliance program within your organization, complete with metrics.
  5. Budget each year for ongoing enhancements to online and offline stores, hardware, software, and network environments, whether these environments are self-maintained or are managed by a service provider.

TR