IN PRAISE OF PCI
When the Payment Card Industry Data Security Standards were introduced four years ago, they were received with about as much enthusiasm as a root canal. Most Web merchants would have to admit that PCI-DSS were a necessary evil, but many felt that the standards were onerous, compliance was expensive, and the penalties could be stiff.
Compliance deadlines, tighter enforcement, and high-profile data breaches have inspired a record number of merchants to become compliant with the standards. Still, many Web marketers continue to view PCI-DSS with the same fear and loathing that they did in 2004. They shouldn't — and here's why.
PCI-DSS were developed by the major credit card companies as a guideline to help organizations that process card payments prevent credit-card fraud, hacking, and various other security threats. The standards have evolved since they were first introduced — and they will continue to evolve as new threats arise, security technology improves, and financial institutions scale their enforcement to all merchants, large and small.
Achieving and maintaining PCI-DSS compliance is a critical focus for merchants. Complying with the standards inspires consumer confidence, and saves fees and fines levied by the issuing banks; it also prevents loss.
For merchants, the ROI to become compliant or stay compliant is clear. Following PCI-DSS practices will significantly reduce the risk of a data security breach, and enable quick diagnosis and recovery should a breach occur.
Why does this matter? A breach of security in the environment can damage consumer confidence in the brand. Not only could this hurt sales, it could also drive down stock price or the company's value.
Lack of demonstrated compliance can result in monthly fines — tens of thousands of dollars — and increased transaction fees. A breach can result in extensive liability fines and even lawsuits. Large companies will find the brand erosion, fines, and lawsuits painful; smaller merchants could find them devastating.
Much of the focus has been on merchants becoming PCI compliant, since it can be a major achievement requiring significant investment in some cases. But merchants should be careful not to consider PCI compliance a one-time event.
Filing initial compliance paperwork with a bank or credit card association is the first step in a long, complicated process. PCI compliance is about instilling new habits in a security diet, staying educated on standards and processes, and maintaining an ongoing program that spans your environment and the environment of your service providers.
Keep in mind that consistent, ongoing investment of time and money in PCI compliance is good business. Here are four reasons to embrace PCI-DSS.
- Consumers demand a secure relationship
Protecting the shopper is the ultimate reason for a merchant to abide by the PCI-DSS standards. While the credit card associations are concerned with controlling losses, merchants should be worried about losing customers. This applies to data security both at the purchase and during the ongoing customer relationship.
Shoppers expect a safe, secure shopping experience whether shopping in the store, through a call center, or on an e-commerce Website. Online shoppers in particular are savvier than ever and clearly prefer brands and sites that they recognize and trust to protect their sensitive financial information.
Research shows that security certification logos from a trusted security vendor, displayed on a merchant Website, have an impact on consumers' confidence.
Why? With the rise of identity theft, consumers are concerned about much more than stolen credit card numbers. By building consumer trust, a safe and secure Website can increase conversion rates, build customer loyalty for repeat purchases, and spread positive news about your brand through word-of-mouth.
Customer data — shopping history, point-of-sale data and preferences — can help merchants understand who their customers are and the most effective ways to market and merchandise to them. Research shows that customers value and respond to such personalized value propositions.
But merchants relying on such data must take on the responsibility of ensuring its privacy and security, or their efforts may yield less consumer confidence rather than better results. The more data a merchant holds, the tighter and more comprehensive its security strategies need to be.
As customer data strategies evolve, so will security strategies. This requires tight linkage and a joint planning process between the business and finance arms of any merchant.
© 2009 Penton Media Inc.