
E-merchants Face Credit Security Deadline

The clock is ticking on an effort by the big credit card companies to get Web merchants to tighten up both their data handling policies and their network security.

Whether they know it or not—and according to observers, many don’t—online merchants are facing a June 30 deadline to come into compliance with a unified set of broad data-protection policies adopted last December by Visa, MasterCard, American Express, Discover and their issuing banks. If they don’t comply with these measures, they could face fines of up to $500,000 for each transaction or be permanently kicked out of the card acceptance program.

Despite the fact that these deadlines were announced last year, many of the web merchants covered have not yet put the systems in place to comply with the standards, known collectively as the Payment Card Industry (PCI) Data Security Standard, or have not gotten independent certification of their compliance, as most are required to do.

“We estimate that if an audit were done on PCI compliance today, the majority of U.S. merchants would be about 30% prepared,” says David Glaser, director of professional services for CyberSource, a payment solutions provider.

The PCI data standard replaces similar individual standards promoted for years by the separate card companies, in an apparent effort to encourage a proactive response to the problem of online credit card fraud. (Diner’s Club and JCB Cards are also participating in the effort.) They also interoperate, so that merchants who satisfy one card issuer that their systems are secure and compliant can assume that they are compliant for all the cards. Basically, the standards revolve around twelve specific measures in six areas of security:

* Build and maintain a secure network: Merchants must install and maintain a firewall configuration to protect data. They also may not use vendor-supplied passwords or other default security measures.

* Protect cardholder data: Merchants must protect stored data. They must encrypt transmission of that data and other sensitive information when sending it across public networks.

* Set up a program to manage security weaknesses: This will include using and regularly updating anti-virus software, and developing and maintaining secure systems and applications.

* Establish bullet-proof access control: Access to consumer data must be restricted to those who need to know for business reasons, and each person accessing computer systems must have and use a unique ID. Merchants must also restrict physical access to cardholder data.

* Test and monitor networks regularly: E-commerce sellers will have to track and monitor all access to cardholder data. They will also have to put their security systems and procedures to periodic testing.

* Finally, merchants will have to establish and comply with a set of policies to keep information secure.
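As an added illustration, not part of the article, the Python below shows how two of the measures listed above can look in code: stored cardholder data is protected by never keeping the full card number at rest (only a keyed token and a masked form), and every access is recorded under a unique user ID. The key, the sample card number and the class and function names are constructed for this example.

```python
import hashlib
import hmac
import re
from datetime import datetime, timezone

# Placeholder key: in production this would come from a key-management system, never source code.
TOKEN_KEY = b"placeholder-token-key-from-kms"


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return len(digits) >= 13 and total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits, the most PCI allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def tokenize(digits: str) -> str:
    """Keyed HMAC of the PAN: usable as a lookup key, not reversible without the key."""
    return hmac.new(TOKEN_KEY, digits.encode(), hashlib.sha256).hexdigest()


class CardVault:
    """Stores only token -> masked PAN and logs each access with the acting user's ID."""

    def __init__(self):
        self._records = {}    # full PAN is never written here
        self.access_log = []  # one entry per access, for "track and monitor all access"

    def _log(self, user_id: str, action: str, token: str) -> None:
        if not user_id:
            raise PermissionError("a unique user ID is required for every access")
        self.access_log.append({"time": datetime.now(timezone.utc).isoformat(),
                                "user": user_id, "action": action, "token": token[:8]})

    def store(self, user_id: str, pan: str) -> str:
        digits = re.sub(r"\D", "", pan)           # strip spaces and dashes
        if not luhn_valid(digits):
            raise ValueError("not a valid card number")
        token = tokenize(digits)
        self._log(user_id, "store", token)
        self._records[token] = mask_pan(digits)
        return token

    def lookup(self, user_id: str, token: str) -> str:
        self._log(user_id, "lookup", token)
        return self._records[token]
```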

All merchants processing their own card transactions will have to comply with these standards. But the card companies and financial institutions have set up a tiered system of requirements for validating that compliance, based on the volume of card transactions a merchant processes. This system makes certifying compliance more rigorous for the high-volume merchants, on the theory that they represent most of the fraudulent transactions. The compliance deadline has already passed for the top rank, clearing more than 6,000,000 transactions a year in any channel, online or offline, on a single card system—for example, Visa. Those merchants have been compelled to submit to an annual on-site security audit and a quarterly network scan, either by their own IT officers or by a qualified third-party assessor.

Levels 2 and 3 are the merchants with the looming June 30, 2005, deadline. Level 2 merchants are those processing 150,000 to 600,000 transactions per year on one of the participating cards. Level 3 merchants are those clearing 20,000 to 150,000 sales on a single card system. Those two groups will need to go through a mandatory annual self-assessment of their compliance and a quarterly network scan, which they can either perform themselves or have done by a qualified independent assessor. The first validation must be done by the end of this coming June.

At the lowest tier, Level 4, are all other merchants processing credit card transactions, either physically or on the Web. These merchants must comply with the PCI standards just like their larger counterparts. But validating that compliance, with an annual self-assessment questionnaire and an annual network scan, is optional—although “strongly recommended” by the credit card companies. Since validation of compliance is voluntary at this level, these smallest merchants don’t face a deadline.

The card issuers won’t reveal how many Level 1 merchants have already met and certified the required security standards. But reports indicate compliance at the top has been high, partly due to the cooperation and persuasive powers of the banks that sponsor the merchants into the card networks.

At the lower levels, the security situation is more complex. “It’s a mixed bag at the moment,” Glaser says. “Most merchants have a concern for the cardholders’ data, so they are making some effort to secure that. Most we see are encrypting that data. But they may not be encrypting it to the levels that are required by the standards. The problem for many may be in the level of compliance, not the process.”

At the small-to-midsized end of the spectrum, the security status quo may be even spottier. “Some merchants have been focused on selling as much as they can, while others have been focused on building a secure environment,” Glaser says. “Especially among smaller merchants, we see a tendency to focus on one thing to the exclusion of other elements.” One particular problem for small merchants may be simply generating and documenting a security policy, and then training personnel to observe it.

Despite the deadlines, the compliance requirements and the stated penalties, it’s still not likely that merchants who can’t certify security will find themselves barred from processing card transactions or facing a whopping fine on July 1, 2005. The card companies have all indicated a willingness to work with the merchants and their sponsoring financial groups, provided they can show a good-faith effort to come into compliance with the PCI standards.

CyberSource and other payment advisors are now working with various merchant clients to bring their systems into line with the PCI. Glaser says one thing he sees is that merchants often don’t know which level of compliance they will be held to. He recommends that merchants with questions about what standards they will need to meet get in touch either with the card issuer or their acquiring bank, whichever they are more accustomed to dealing with.

“If you’re sure you’re going to be compliant by June 30, then go ahead and file the paperwork,” he says. “If you’re not sure, the best thing is to show proactively that you have a plan in place for becoming compliant, with a timeline and deliverable dates. The most important thing to do is to start the work and to register with your banks that you are working on compliance. It may not get you off the hook for a fine or penalty if your system gets breached before you are compliant, but it should keep you from having a card company breathing down your neck until you comply.”
