With Visa U.S.A. Inc.'s first hard deadline for compliance with the Payment Card Industry's (PCI) Data Security Standard (DSS) just weeks away, merchants are ramping up efforts to get their houses in order. The question remains: Will Visa catch those who fail to get into line?
"There is a scramble going, and people are starting to take it seriously based on the financial repercussions," said Khalid Kark, an analyst at Forrester Research Inc. in Cambridge, Mass. "Over the last six months we've been getting a lot of questions and concerns about what merchants need to do and who they need to talk to. They're just so far behind the curve."
The PCI DSS is a set of policies and procedures established by the credit card industry aimed at securing transactions and cardholders' personal information. The standards were set by the industry in 2004, but experts say the extent of compliance by merchants has been spotty due to a lack of hard consequences for noncompliance. Previously, credit card companies assessed only fines for data breaches.
Visa changed all that when it announced a compliance acceleration program last December aimed at larger retailers. It set a Sept. 30 deadline for compliance aimed at level one merchants, those that process more than 6 million credit card transactions per year. Level two merchants, which process between 1 million and 6 million transactions annually, must be compliant by Dec. 31.
Noncompliant merchants will face monthly fines and be charged higher commissions on transactions.
"More than 50% of the companies I've talked to need to be compliant by December, and they may not be. It becomes a question of how soon Visa is able to catch them," Kark said.
Avivah Litan, vice president and research director at Gartner Inc. in Stamford, Conn., said, "Mainly, the Tier 1 companies that are not compliant are furiously trying to get to the point where they can pass the test."
Litan said these largest Tier 1 and Tier 2 retailers, estimated to number about 1,200, will definitely be noticed if they are not compliant.
"They have their radar very attuned to level one merchants," Litan said. "They will watch very carefully and will know exactly which companies are compliant and which aren't."
The deadline has generated a lot of business for vendors that offer technologies that help merchants achieve compliance.
"We've seen a lot of traction in the PCI market, given some of the impending deadlines coming up," said Bob Vieraitis, vice president of marketing at Solidcore Systems Inc., a Cupertino, Calif.-based vendor of change control software for point-of-sale technology and other critical systems.
Vieraitis said there will certainly be merchants paying fines for noncompliance. "With just a few weeks to go there are going to be companies who will pay fines for awhile," he said. "There will be companies negotiating with Visa on those fines.
"We're seeing a lot of activity in the marketplace, both from customers requesting literature, demos and meetings, but also just the amount of noise in the market," Vieraitis said. "There are 100 other vendors out there, and it makes it hard for organizations to sort out that mix of vendors. Vendors claim they can do everything for PCI, but that's rarely the case. No one can solve every requirement of PCI."
Dave Anderson, senior manager of product marketing at ArcSight Inc., a Cupertino, Calif.-based vendor of security and compliance management technology, said, "A lot of retailers are still struggling at getting the right point technologies into place. They're looking for the best value for the September deadline. They're looking for monitoring technology across the board. They may not have encryption in place yet, but they want to be able to monitor data across the board and make sure no one is accessing that data inappropriately."
Litan said Visa is focusing its stepped-up enforcement on the largest merchants because they account for about 80% of transactions. However, there are millions of smaller merchants flying under the radar.
With just a few weeks to go there are going to be companies who will pay fines for awhile. There will be companies negotiating with Visa on those fines.
Bob Vieraitis, vice president of marketing, Solidcore Systems Inc.
"Level three and four, they don't even have systematic reporting for those merchants yet. If you look at the number of merchants, almost 6 million are level four [retailers that process fewer than 20,000 transactions annually]. The banks and credit card companies, they just don't have the resources to follow the compliance efforts of anyone other than the top merchants.
"On the other hand, 80% of the fraud incidents happen at the smaller retailers, but that's not where the big-dollar fraud losses are," Litan said. "You aren't going to find a TJX-scope breach at a small merchant. Certainly small companies have a moral obligation to protect customer data privacy. But if there's a breach [at a small company] it's likely no one will ever hear about it. If someone steals 100 credit card numbers, probably no one will hear about it."
Some might argue that the horror stories of data breaches should be enough motivation for retailers to comply with PCI DSS. Just weeks after Visa announced the deadlines of its compliance acceleration program in December 2006, The TJX Companies Inc., the Framingham, Mass.-based retail giant revealed that hackers had broken into its systems and stolen 45 million customer records. Last month the company revealed that it has spent $256 million dealing with the breach.
"When I talk to tier three and tier four retailers, they're about at the same level of compliance [as larger companies]," Kark said. "One, because their environments aren't usually that complicated. And they have a lot more at stake if they have a breach. It affects a more significant portion of their revenues. They want to make sure they're doing the best they can in terms of protecting their data."
Vieraitis said, "The TJX example -- they have a number of class action suits against them. No one wants that to happen to them. Even if you weren't worried about fines, if you are PCI-compliant and something happens with the data, at least you can say you were implementing the best practices at the time. If you haven't [done due diligence] and you have a PCI data breach, then you are completely exposed."
Let us know what you think about the story; email firstname.lastname@example.org.