Referring to the Payment Card Industry Data Security Standard (PCI DSS), Bob Russo, general manager with the PCI Security Standards Council (Wakefield, Mass.), says, "When it comes to card security, you can't have a conversation without PCI coming up." The set of rules provides merchants, banks and third-party processors with guidelines for the safe handling of customers' credit card information. Businesses that do not adhere to the standards can end up suffering a data breach.
According to Russo, however, organizations that neglect the PCI procedures gradually are becoming a thing of the past as more and more realize the value of securing customer information -- and the ramifications if they don't. "People are doing a better job at convincing upper management that PCI is more than an insurance policy," says Russo. "There's real ROI to this when you think of the brand damage, remediation costs and the possibility of losing customers if a breach does occur."
Compliance definitely is trending upward, certainly among large and midsize merchants. Figures recently released from Visa (San Francisco) show that 65 percent of the largest merchants have validated their compliance to the PCI DSS, up from 36 percent in December 2006. Midsize merchants are complying, too, with 43 percent now in compliance compared with just 15 percent at the end of 2006.
"Plus, another 33 percent are on the road to compliance," adds Russo. "This means they're already submitting their compliance plans. But remember: The larger merchants are using legacy systems, so it's more difficult to properly retrofit these systems for security. It will take a while."
Smaller merchants, on the other hand, often lack the resources to properly comply with a program such as PCI DSS. "It's an education issue," comments Russo. "We're always doing outreach to these merchants. ... The card brands and acquirers are always sending literature about PCI in their statements to small merchants, but you can't force them to read it."
Still, it is more important than ever for small entrepreneurs to consider data security when launching a business. "For small businesses, compliance is more draconian should you suffer a breach," Russo notes. "There are fines, remediation costs, and then you have to submit to a full-blown audit. ... And who knows how many customers you'll lose?"
Meanwhile, PCI standards are getting tougher. Card companies such as Visa began to strictly enforce compliance with the standard last year, levying fines when necessary. Additionally, other links in the payments chain are now subject to compliance audits. For example, Visa launched a program called Payment Application Best Practices (PABP) in which payment applications are subject to audit. This standard is forming the basis of the PCI Council's new PA DSS standard, according to Russo, who says the Council is due to take over the PABP from Visa this month. "We're going to qualify the assessors, train them, make sure they have the experience to do these audits," he relates. "We're also going to list the applications that have passed compliance."
Further, the Council assumed control over the Payment Entry Device (PED) Security Requirements that were developed by JCB (Tokyo), MasterCard (Purchase, N.Y.) and Visa. The PED standard applies to hardware, such as PIN pads, at the point of sale.
"A year ago, I was hearing 'Why do I have to do this?'" Russo comments. "Now I hear, 'How do I do this quickly?'"