PCI Pain

To protect against identity theft and security breaches, Visa and MasterCard have joined forces to enact stringent credit-card security requirements. The Payment Card Industry Data Security (PCI) standard lists 12 items that companies that collect, maintain, or store credit-card data must adhere to beginning June 30.

The intent of the standard is worthy: to protect companies and consumers alike from security breaches, and to make buyers feel more confident when using credit cards. But merchants contend that the standards are onerous, compliance is costly, and the penalties Draconian.

The PCI standard (see “Racing to make a deadline,” page 14, for details) sets technology requirements such as the use of data encryption, end-user access control, and activity monitoring and logging. It also includes procedural mandates, such as the need to implement formal and documented security policies and vulnerability-management programs.

Visa and MasterCard each had its own security standard in place prior to December 2004, when PCI was agreed upon: Cardholder Information Security Program (CISP) for the former and Site Data Protection for the latter. All the major credit-card issuers, including American Express, Discover, and Diners Club, have endorsed the new standard.

“By adopting one standard,” says John Verdeschi, vice president of advanced payment solutions group for MasterCard, “we are looking for global adoption of this policy, and that’s to increase data security and consumer confidence.”

And that’s no small task. This year, it seems, data security breaches have been making headlines on a weekly basis. Nor are such breaches a new problem: According to the Federal Trade Commission, 10 million consumers were victims of identity theft in 2003. Industry sources estimate that ID theft costs business and consumers $11 billion annually.

Failure to adhere to PCI will cost merchants plenty too. Visa will fine merchants $500,000 for each occurrence of noncompliance with PCI; as of late May, MasterCard had not announced its penalty fees. Violators also face the possibility of their merchant bank — the bank that settles their credit-card transactions — taking away their ability to accept credit cards.

A pain in the processor

Although he agrees with the new security standards, Tim Litle, chairman of Chelmsford, MA-based payment processor Litle & Co., admits that readying for PCI’s deadline is going to cause some indigestion for marketers. “The new PCI standards represent an incredible amount of aggravation,” Litle says.

There are three stages to compliance. The first is to conduct a gap analysis, which tells you where your problems and potential security leaks lie. The second stage is remediation — fixing the problem. The third stage is the audit that must be conducted by a certified PCI vendor. MasterCard, for example, lists on its Website about 50 authorized companies, whose audit Visa will accept as well. Audit costs depend on your volume and the number of channels you’re in, but they could run as little as $15,000 to as much as millions.

Making matters more complex, compliance and readiness depend on your level of volume. Merchants that process more than 6 million Visa or MasterCard transactions a year, regardless of channel, are automatically deemed level-one merchants; they have to conduct quarterly network scans as well as an annual on-site security audit in order to meet compliance regulations.

In contrast, level-four merchants are advised to conduct quarterly network scans and annual self-assessments, but they’re not required to, so long as they comply with the 12 other requirements of the PCI standard. Merchants that process fewer than 20,000 Visa or MasterCard transactions online are level-four companies — unless the credit-card firms deem otherwise. Indeed, while PCI has definitions of its four merchant levels, Visa and MasterCard reserve the right to categorize companies as they see fit.

Norwalk, CT-based online marketing services provider Webloyalty.com spent more than $200,000 to become compliant. “It’s an onerous process to get through,” says CEO Rick Fernandes, “but having submitted a report that documents compliance to Visa and MasterCard, I feel like we’re a better company for it. Sort of ‘whatever doesn’t kill us makes us smarter.’”

The report that Webloyalty submitted ran to 150 pages. “We’re already doing a lot of the requirements,” Fernandes says. “The hard part is having the documentation that’s required by Visa and MasterCard. We didn’t have the policies and procedures in writing.” As of late May, Webloyalty, which worked with Litle & Co., was still waiting to receive compliance approval from Visa and MasterCard.

To prepare for the PCI standards, Huntingburg, IN-based bedding and decor merchant Touch of Class replaced two Internet servers and installed a virtual protection network within a new, more sophisticated firewall. The company, which worked with Petaluma, CA-based e-commerce services provider MarketLive, also created a dedicated database to provide extra protection, says Gary Bell, vice president of information technology.

“All customer data will be stored on a dedicated database server behind the firewall,” Bell explains. “Our Web servers visible to our shoppers will access and store customer information on our database server through a secure VPN [virtual private network] controlled by this new firewall.” Touch of Class’s public Web servers sit on a separate segment of the firewall to allow outside access for Internet browsing while protecting them from outside threats. The firewall cost Touch of Class $5,400; hiring third-party providers to install and configure the firewall and servers cost another $6,000.

And once a company achieves PCI compliance, that doesn’t mean it can put away its wallet. Regular testing and scanning by a certified third-party vendor to guard against data security vulnerabilities is required. Bell says he has received proposals for routine testing services priced at more than $6,000 annually.

South Whitley, IN-based Stumps, whose catalogs include party supplies and gifts titles Prom & Party, Shindigz, and Celebration Fantastic, started stage one of its compliance efforts — the self-evaluation — in March and finished it last month. “I am totally frustrated with the credit-card companies,” says chief financial officer Jeanice Croy. “While I agree with some of [PCI’s] management policies, I totally disagree with others.”

Specifically, Croy takes issue with the requirement that companies conduct background checks on all employees who handle credit-card information. Stumps hires more than 200 customer service reps a year; at a cost of $40-$60 per background check, “we simply couldn’t afford to do that.” Making matters worse, Croy says, is that she can’t get Visa to answer her questions.

John Shaughnessy, senior vice president, operations and risk management for Visa, says Visa and the acquiring banks (those that a merchant works with to accept credit-card transactions) will work with companies that put forth a good effort to comply. “If the focus is on fines, then we’re not hitting the mark,” he says. “We don’t like to levy fines, but if the situation becomes too egregious we will. I would tell the merchants to continue working toward compliance. The bottom line is consumer data protection in the payment system.”

Ready or not…

When you look at all the elements needed to become PCI compliant, “very few merchants are well prepared on all the fronts,” says Brian Reed, vice president of operations for Mountain View, CA-based CyberSource, an electronic payment services provider. “Some merchants are more prepared than others. Some are very good at protecting the network but they might not be as good at encrypting cardholder data.” As of late May, Reed says, more than 70% of companies were failing compliance on their first test.

And it’s not necessarily the smaller merchants that are least likely to be compliant. “Some of the larger companies that you would think would have good procedures and security standards in place simply don’t,” Reed says. “And some of the smallest companies have very good systems.”

In fact, many companies contacted by Multichannel Merchant weren’t aware of the new requirements coming down the pike or even the risks associated with the new rules. Some, such as Carmel, IN-based Covert Industries, a supplier of industrial signage, are relying on their payment processors to guide them through the new requirements. But given the number of other merchants who are doing the same, depending on the processors to get you compliant may be risky, warns Ken Leonard, CEO of ScanAlert, an online software security provider in Napa, CA.

“Visa and MasterCard have done a poor job in communicating [the PCI standards] to the merchants,” Leonard says. “And part of the reason is that they don’t have a direct relationship with the merchants. Rather, the banks have the relationship with the merchant banks. This is only going to get worse.”

MasterCard’s Verdeschi, for one, refutes this argument, saying MasterCard has worked with the acquiring banks and with the merchants on education about PCI.

And despite all the hand-wringing from some companies about PCI, Verdeschi says, “I’m encouraged. We’re making an impact. We are improving the security standards that are being adopted by the major merchants.”

Racing to make a deadline

Below are the dozen items mandated by the Payment Card Industry Data Security (PCI) standard that applies to organizations that collect, maintain, or store credit-card information. The standard goes into effect June 30.

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored data
Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability-Management Program

Requirement 5: Use and regularly update antivirus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access-Control Measures

Requirement 7: Restrict access to data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security