Fines to begin for non-compliance with PCI, etc.

Pressure mounts for retailers to comply with payment card data security standards
By Paul Demery

For six years, credit card companies have been threatening retailers with fines and loss of credit card status if they don’t comply with the payment card industry data security standards. And retailers have been routinely ignoring them.

Now that might be changing. The card companies recently upped their fines to as much as $25,000 a month for large merchants who don’t comply with the standards. And high profile data breaches, such as the one that TJX Companies Inc. discovered in January, are raising consumers’ awareness that their payment data might not be secure—to the point that they might stop shopping at retailers where they perceive a threat.

A clear message
Retailers are getting a clear message from merchant banks, credit card companies and consumers that they need to get on board with security standards designed to protect credit card account and other data in consumer databases. The goal is to prevent the kind of theft that occurred at TJX, where criminals broke into computer systems in 2005 and 2006 and stole customer information from a network that handles credit card, debit card, check and merchandise-returns transactions.

Card companies say retailers can avoid data breaches like that by implementing the payment card industry data security standards, or PCI-DSS, as they’re known in the payment industry. The standards comprise 12 general requirements covering such actions as assuring that networks have updated security patches from software vendors, not storing sensitive customer data, and deploying software applications that encrypt the customer data that they do store in databases.

It may be true that complying with payment security standards will prevent such data breaches, but doing so is not easy—and online retailers face many other pressing issues. “Most companies don’t want to spend money on security,” says Avivah Litan, a security technology expert at research and advisory firm Gartner Inc. “They’d rather spend it on revenue-generating projects.”

A recent Gartner survey of 50 retailers found that only one-third of the largest merchants—those identified by credit card companies as Tier 1, or processing more than 6 million payment card transactions per year—were compliant with payment card industry standards. “That’s certainly well below what it should be,” Litan says.

The difficulty of implementing the standards varies based on a retailer’s extent of operations and whether it sells through a single channel or multiple ones. “99% of this is common-sense stuff that retailers should have in place already,” says Robin Bonin, IT director for Golfballs.com Inc.

Golfballs.com, which sells mostly online but operates one store, complies with the payment industry standards and took extra steps to fix security holes in its data networks during a recent site re-design, Bonin says.

Hundreds of security issues
Other retailers find compliance more difficult. Most merchants prefer not to discuss payment security issues publicly, but Mallory Duncan, senior vice president and general counsel of the National Retail Federation, a trade group which represents large retailers, says many merchants find it hard to keep up with updated software and other requirements of compliance. “Retailers are getting closer in line, but it’s a challenge,” he says.

Indeed, the 12 standards actually amount to more than 200 points that retailers may have to address, he adds. As a result, many retailers leave security standards compliance on their to-do lists.

Many retailers who have not experienced data breaches apparently operate under a false sense of security that their customer records are safe, Litan and other experts say. Such retailers wait until a highly publicized attack occurs at another retailer or until a merchant bank warns the retailer that it could get fined if it doesn’t get up to par with security, they say.

The unintended build-up
Retailers typically keep customer account data including name, billing address, credit card expiration date and card identification number—the 3- or 4-digit number that identifies a plastic card itself aside from the card account number. Criminals can use all of those elements to make fraudulent transactions.

But instead of deleting transaction data after getting payment authorization and settlement from participating banks, some retailers hold it. “So they build up a huge repository of customer transaction data that can get hacked if not properly protected,” says John Bingham, director of the technology risk practice at Protiviti Inc., a company that conducts tests of retailers’ compliance with the card industry standards.

The risk is heightened when retailers store full-track data, or the information contained in the magnetic stripe on payment cards, which includes enough account information to create duplicate cards. “If there’s a golden rule, it’s: Don’t store track data,” says Rob Tourt, vice president of network services for Discover Financial Services LLC, which issues and handles transaction processing for the Discover Card, one of the sponsors of the data security standards.

But many retailers don’t even realize they’re storing track data, often because their store point-of-sale systems are improperly designed to automatically record it in a database. “Unfortunately, merchants who are victims of database hacking often store track data without knowing it,” Tourt says.
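Because merchants often store track data without knowing it, the practical first step is to scan what the point-of-sale and transaction systems actually write to disk. The following is an added example, not code from the article or from any vendor named in it: it matches the ISO/IEC 7813 Track 1 and Track 2 layouts in stored records and confirms the embedded account number with a Luhn check to weed out ordinary digit runs. The sample log lines are constructed for illustration and use the standard test card number 4111111111111111.

```python
import re

# Magnetic-stripe layouts (ISO/IEC 7813). Track 1 format B: '%B', PAN,
# '^', cardholder name, '^', YYMM expiry, 3-digit service code,
# discretionary data, '?'. Track 2: ';', PAN, '=', YYMM expiry,
# 3-digit service code, discretionary data, '?'.
TRACK1 = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}\d{3}[^?]*\?")
TRACK2 = re.compile(r";(\d{13,19})=\d{4}\d{3}[^?]*\?")


def luhn_ok(pan):
    # Luhn check-digit test: true for a well-formed card number, which
    # filters out order numbers and other digit runs of similar length.
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_track_data(records):
    """Return (record_index, track_name, pan_last4) for every stored
    record that contains full-track magnetic-stripe data."""
    hits = []
    for i, rec in enumerate(records):
        for name, pattern in (("track1", TRACK1), ("track2", TRACK2)):
            for m in pattern.finditer(rec):
                pan = m.group(1)
                if luhn_ok(pan):
                    hits.append((i, name, pan[-4:]))
    return hits


# Constructed sample rows of the kind a POS system might write to a
# transaction log; only the last four digits of a hit are ever reported.
SAMPLE_RECORDS = [
    "txn=1001 amount=42.99 auth=OK",
    "txn=1002 amount=18.50 raw=%B4111111111111111^DOE/JANE^25121010000000000?",
    "txn=1003 amount=7.25 raw=;4111111111111111=25121010000000000000?",
    "txn=1004 note=order #1234567890123456 shipped",
]

if __name__ == "__main__":
    for idx, track, last4 in find_track_data(SAMPLE_RECORDS):
        print("record %d stores %s data for card ending %s" % (idx, track, last4))
```

Run this over exported transaction logs and database dumps; any hit means the record must be purged and the system that wrote it reconfigured, since track data may never be retained after authorization.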

At the same time, criminals continue to develop more sophisticated methods of cracking into and stealing that data—creating demand for more sophisticated security technology and policies.

Weighing the costs
The cost of implementing PCI standards depends on such factors as the volume of transactions a merchant handles; the state of a merchant’s infrastructure of computer databases, networks and security software; and its policies. A smaller merchant might spend $120,000 to get outfitted with data encryption software and other basic security tools, while a Level 1 merchant could spend $700,000, Litan says. But that’s just for security-related tools themselves, she adds. The cost of updating overall technology systems to comply with payment data security standards can run into millions of dollars, experts say, when new software systems require new and more robust hardware to run them.

Still, the overall cost of complying with PCI standards can be less than the cost of a security breach in terms of damage to a retailer’s brand, lost customers and a decline in sales, Litan adds.

A recent Gartner study found that the cost of security breaches can outweigh the cost of becoming compliant with security standards. When factoring in legal fees, fines, data recovery efforts, and losses in sales and market value, Gartner figures the costs of a major data security breach can run as high as $90 per customer record.

That equals more than five times the cost of implementing a comprehensive security system including data encryption, network intrusion-prevention, and regular system audits, which Gartner figures at $16 per customer record.

The PCI Security Standards Council, an organization founded by Visa, MasterCard International, Discover Financial Services, JCB International Credit Card Co. and American Express Co., provides a list of security assessment providers at PCISecurityStandards.org.

Keeping customers
Pressure is now coming not just from the credit card companies who are attempting to enforce the standards, but also from consumer awareness of the vulnerability of data. In a recent survey of 2,000 consumers by the Chief Marketing Officers Council, 40% of respondents said they had aborted a planned purchase either online or in a store because of concerns about the security of their personal data. In the same survey, 50% of respondents indicated they would avoid buying from a company whose customer databases had been hacked.

If consumer attitudes and the fear of public shame aren’t enough to sway technology plans, the credit card companies have implemented a new schedule of fines for security breaches. Visa U.S.A., for example, will fine merchant acquirers from $5,000 to $25,000 a month for each Level 1 or Level 2 (1-6 million transactions per year) merchant that is not compliant with the PCI standards by Sept. 30 for Level 1 merchants and Dec. 31 for Level 2. In addition, acquirers face monthly fines of up to $10,000 if they failed to confirm by March 31 that their Level 1 and 2 merchants were not storing full-track magnetic stripe data.

As part of the new program—the PCI Compliance Acceleration Program—merchants will not qualify for lower interchange rates for card transactions if they fail to comply with the standard.

Visa also will offer $20 million in incentives to merchant acquirers if their retailers comply by Aug. 31 and have not been involved in a data compromise. The goal is to promote faster compliance, says Eduardo Perez, Visa U.S.A.’s vice president of payment risk.

Meanwhile, government may be stepping in. State Rep. Michael Costello has submitted a bill to the Massachusetts legislature that would require merchants responsible for data breaches to pay for the replacement of plastic cards tied to stolen or compromised accounts. “If retailers know they’ll be held liable, they’ll be more likely to secure customer data,” says Adam Martignetti, Costello’s chief of staff. The first legislation of its kind, the bill has been generating interest from other states and from federal legislators, he adds.

Just the beginning
While compliance with payment card security standards is a good beginning toward preventing stolen or otherwise compromised customer data, it can be most effective when backed by continued security maintenance and improvements. As Golfballs.com got audited for compliance, for example, it realized it needed to modify its web server so it would not reveal to a hacker which version of Microsoft Corp.’s Internet Information Server software it used, preventing a hacker from learning how to break into data files. “That’s something we probably wouldn’t have done otherwise,” Bonin says.

But Golfballs.com hasn’t stopped looking for security holes, in effect going beyond the basic PCI requirements, he adds.

One of the more troublesome forms of attacks, experts say, is an SQL Injection, through which criminals insert extra characters and words at the end of web page identifiers in an effort to bypass a retailer’s network access rules to grab sensitive information like customer account data from back-end databases. Making this threat even worse is that retailers often don’t know that their network is open to such attacks, experts say.

Golfballs.com discovered it was open to SQL Injections through a security check by ScanAlert Inc.’s HackerSafe site monitoring and security system, Bonin says. So when the retailer rebuilt its web site on Microsoft Corp.’s .Net 2.0 technology platform during the first months of this year, it redesigned its web access system to block SQL Injections.

Using tools within .Net 2.0, the retailer’s two-person I.T. staff configured a system to route page requests through a software module that instantly recognizes whether a page identifier has extra characters that might be used in an attempt to pull information from protected databases. “Retailers shouldn’t have to worry about data intrusions if their site is set up properly,” Bonin says.
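The two controls described above, checking that a page identifier contains nothing but the expected characters and keeping the identifier out of the SQL text, are shown side by side in this added example. It is illustrative code, not Golfballs.com’s .Net module, and it uses an in-memory SQLite database with a constructed product table so it runs offline.

```python
import re
import sqlite3


def make_db():
    # Constructed stand-in for a retailer's back-end catalogue table.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT);
        INSERT INTO products VALUES (1, 'Dozen tour balls'), (2, 'Range bucket');
    """)
    return db


def lookup_product_vulnerable(db, page_id):
    # The weak pattern: the page identifier from the URL is pasted straight
    # into the SQL text, so any extra characters appended to it become part
    # of the query the database executes.
    sql = "SELECT name FROM products WHERE id = " + page_id
    return [row[0] for row in db.execute(sql)]


# A product page identifier is expected to be a plain number and nothing else.
PAGE_ID = re.compile(r"[0-9]{1,10}")


def is_valid_page_id(page_id):
    # Front-door check, like the module the article describes: reject a
    # page identifier that carries anything beyond the expected digits.
    return PAGE_ID.fullmatch(page_id) is not None


def lookup_product_safe(db, page_id):
    # Hardened form: validate first, then bind the value as a query
    # parameter so the database driver never interprets it as SQL.
    if not is_valid_page_id(page_id):
        raise ValueError("rejected page identifier: %r" % page_id)
    sql = "SELECT name FROM products WHERE id = ?"
    return [row[0] for row in db.execute(sql, (int(page_id),))]


if __name__ == "__main__":
    db = make_db()
    print(lookup_product_vulnerable(db, "2 OR 1=1"))  # appended text widens the query
    print(lookup_product_safe(db, "2"))
```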