{"id":23,"date":"2007-04-27T18:45:00","date_gmt":"2007-04-27T23:45:00","guid":{"rendered":"http:\/\/blog.paymentconsulting.net\/?p=23"},"modified":"2007-04-27T18:45:00","modified_gmt":"2007-04-27T23:45:00","slug":"fines-to-begin-for-non-compliance-of-pci-etc","status":"publish","type":"post","link":"https:\/\/www.paymentconsulting.net\/Blog\/wordpress\/?p=23","title":{"rendered":"Fines to begin for non compliance of PCI, etc."},"content":{"rendered":"<p><span style=\";font-family:ARIAL;font-size:85%;\"  ><i><b>Pressure mounts for retailers to comply with payment card data security standards<\/b><\/i><br \/>          <span style=\"font-size:78%;\">By Paul Demery<\/span>      <\/p>\n<p> For six years, credit card companies have been threatening retailers with fines and loss of credit card status if they don\u2019t comply with the payment card industry data security standards. And retailers have been routinely ignoring them.<\/p>\n<p>Now that might be changing. The card companies recently upped their fines to as much as $25,000 a month for large merchants who don\u2019t comply with the standards. And high profile data breaches, such as the one that TJX Companies Inc. discovered in January, are raising consumers\u2019 awareness that their payment data might not be secure\u2014to the point that they might stop shopping at retailers where they perceive a threat.<\/p>\n<p><strong>A clear message<\/strong><br \/>Retailers are getting a clear message from merchant banks, credit card companies and consumers that they need to get on board with security standards designed to protect credit card account and other data in consumer databases. The goal is to prevent the kind of theft that occurred at TJX, where criminals broke into computer systems in 2005 and 2006 and stole customer information from a network that handles credit card, debit card, check and merchandise-returns transactions. 
<\/p>\n<p>Card companies say retailers can avoid data breaches like that by implementing the Payment Card Industry Data Security Standard, or PCI DSS, as it\u2019s known in the payment industry. The standard comprises 12 general requirements covering such actions as keeping networks current with security patches from software vendors, not storing sensitive authentication data such as full magnetic-stripe contents and card verification codes once a transaction has been authorized, and encrypting the cardholder data that is stored in databases. <\/p>\n<p>It may be true that complying with payment security standards will prevent such data breaches, but doing so is not easy\u2014and online retailers face many other pressing issues. \u201cMost companies don\u2019t want to spend money on security,\u201d says Avivah Litan, a security technology expert at research and advisory firm Gartner Inc. \u201cThey\u2019d rather spend it on revenue-generating projects.\u201d <\/p>\n<p>A recent Gartner survey of 50 retailers found that only one-third of the largest merchants\u2014those the card brands classify as Level 1, meaning they process more than 6 million payment card transactions per year\u2014were compliant with payment card industry standards. \u201cThat\u2019s certainly well below what it should be,\u201d Litan says.<\/p>\n<p>The difficulty of implementing the standards varies based on a retailer\u2019s extent of operations and whether it sells through a single channel or multiple ones. \u201c99% of this is common-sense stuff that retailers should have in place already,\u201d says Robin Bonin, IT director for Golfballs.com Inc. <\/p>\n<p>Golfballs.com, which sells mostly online but operates one store, complies with the payment industry standards and took extra steps to fix security holes in its data networks during a recent site re-design, Bonin says. <\/p>\n<p><strong>Hundreds of security issues<\/strong><br \/>Other retailers find compliance more difficult. 
Most merchants prefer not to discuss payment security issues publicly, but Mallory Duncan, senior vice president and general counsel of the National Retail Federation, a trade group which represents large retailers, says many merchants find it hard to keep up with updated software and other requirements of compliance. \u201cRetailers are getting closer in line, but it\u2019s a challenge,\u201d he says. <\/p>\n<p>Indeed, the 12 requirements break down into more than 200 individual controls that retailers may have to address, he adds. As a result, many retailers leave security standards compliance on their to-do lists. <\/p>\n<p>Many retailers who have not experienced data breaches apparently operate under a false sense of security that their customer records are safe, Litan and other experts say. Such retailers wait until a highly publicized attack occurs at another retailer or until a merchant bank warns the retailer that it could get fined if it doesn\u2019t get up to par with security, they say.<\/p>\n<p><strong>The unintended build-up<\/strong><br \/>Retailers typically keep customer account data including name, billing address, credit card expiration date and the card verification code (CVV2, CVC2 or CID), the 3- or 4-digit number printed on the plastic that is meant to prove the card is physically present and that PCI DSS forbids storing once a transaction has been authorized. Criminals can use all of those elements to make fraudulent transactions. <\/p>\n<p>But instead of deleting transaction data after getting payment authorization and settlement from participating banks, some retailers hold it. 
\u201cSo they build up a huge repository of customer transaction data that can get hacked if not properly protected,\u201d says John Bingham, director of the technology risk practice at Protiviti Inc., a company that conducts tests of retailers\u2019 compliance with the card industry standards.<\/p>\n<p>The risk is heightened when retailers store full-track data, or the information contained in the magnetic stripe on payment cards, which includes enough account information to create duplicate cards. \u201cIf there\u2019s a golden rule, it\u2019s: Don\u2019t store track data,\u201d says Rob Tourt, vice president of network services for Discover Financial Services LLC, which issues and handles transaction processing for the Discover Card, one of the sponsors of the data security standards.<\/p>\n<p>But many retailers don\u2019t even realize they\u2019re storing track data, often because their store point-of-sale systems are improperly designed to automatically record it in a database. \u201cUnfortunately, merchants who are victims of database hacking often store track data without knowing it,\u201d Tourt says.<\/p>\n<p>At the same time, criminals continue to develop more sophisticated methods of cracking into and stealing that data\u2014creating demand for more sophisticated security technology and policies. <\/p>\n<p><strong>Weighing the costs<\/strong><br \/>The cost of implementing PCI standards depends on such factors as the volume of transactions a merchant handles; the state of a merchant\u2019s infrastructure of computer databases, networks and security software; and its policies. A smaller merchant might spend $120,000 to get outfitted with data encryption software and other basic security tools, while a Level 1 merchant could spend $700,000, Litan says. But that\u2019s just for security-related tools themselves, she adds. 
The cost of updating overall technology systems to comply with payment data security standards can run into millions of dollars, experts say, when new software systems require new and more robust hardware to run them. <\/p>\n<p>Still, the overall cost of complying with PCI standards can be less than the cost of a security breach in terms of damage to a retailer\u2019s brand, lost customers and a decline in sales, Litan adds. <\/p>\n<p>A recent Gartner study found that the cost of security breaches can outweigh the cost of becoming compliant with security standards. When factoring in legal fees, fines, data recovery efforts, and losses in sales and market value, Gartner figures the costs of a major data security breach can run as high as $90 per customer record. <\/p>\n<p>That equals more than five times the cost of implementing a comprehensive security system including data encryption, network intrusion-prevention, and regular system audits, which Gartner figures at $16 per customer record. <\/p>\n<p>The PCI Security Standards Council, an organization founded by Visa, MasterCard International, Discover Financial Services, JCB International Credit Card Co. and American Express Co., provides a list of security assessment providers at PCISecurityStandards.org. <\/p>\n<p><strong>Keeping customers<\/strong><br \/>Pressure is now coming not just from the credit card companies who are attempting to enforce the standards, but also from consumer awareness of the vulnerability of data. In a recent survey of 2,000 consumers by the Chief Marketing Officers Council, 40% of respondents said they had aborted a planned purchase either online or in a store because of concerns about the security of their personal data. 
In the same survey, 50% of respondents indicated they would avoid buying from a company whose customer databases had been hacked.<\/p>\n<p>If consumer attitudes and the fear of public shame aren\u2019t enough to sway technology plans, the credit card companies have implemented a new schedule of fines for security breaches. Visa U.S.A., for example, will fine merchant acquirers from $5,000 to $25,000 a month for each Level 1 or Level 2 (1-6 million transactions per year) merchant that is not compliant with the PCI standards by Sept. 30 for Level 1 merchants and Dec. 31 for Level 2. In addition, acquirers face monthly fines of up to $10,000 if they failed to confirm by March 31 that their Level 1 and 2 merchants were not storing full-track magnetic stripe data.<\/p>\n<p>As part of the new program\u2014the PCI Compliance Acceleration Program\u2014merchants will not qualify for lower interchange rates for card transactions if they fail to comply with the standard.<\/p>\n<p>Visa also will offer $20 million in incentives to merchant acquirers if their retailers comply by Aug. 31 and have not been involved in a data compromise. The goal is to promote faster compliance, says Eduardo Perez, Visa U.S.A.\u2019s vice president of payment risk.<\/p>\n<p>Meanwhile, government may be stepping in. State Rep. Michael Costello has submitted a bill to the Massachusetts legislature that would require merchants responsible for data breaches to pay for the replacement of plastic cards tied to stolen or compromised accounts. \u201cIf retailers know they\u2019ll be held liable, they\u2019ll be more likely to secure customer data,\u201d says Adam Martignetti, Costello\u2019s chief of staff. The first legislation of its kind, the bill has been generating interest from other states and from federal legislators, he adds. 
<\/p>\n<p><strong>Just the beginning<\/strong><br \/>While compliance with payment card security standards is a good beginning toward preventing stolen or otherwise compromised customer data, it is most effective when backed by continued security maintenance and improvements. As Golfballs.com was audited for compliance, for example, it realized it needed to configure its web server so it would not reveal to an attacker which version of Microsoft Corp.\u2019s Internet Information Services (IIS) it ran, denying an attacker the easy step of matching that version against published exploits. Hiding the version banner is hardening, not a substitute for patching the server itself. \u201cThat\u2019s something we probably wouldn\u2019t have done otherwise,\u201d Bonin says.<\/p>\n<p>But Golfballs.com hasn\u2019t stopped looking for security holes, in effect going beyond the basic PCI requirements, he adds.<\/p>\n<p>One of the more troublesome forms of attack, experts say, is SQL injection, in which criminals append SQL syntax to a value the web site reads from a URL or form, a product or page identifier for example. If the application pastes that value into a database query instead of passing it as a bound parameter, the database executes the attacker\u2019s query and can return sensitive information such as customer account data from back-end databases, without any network access rule being violated. Making this threat even worse is that retailers often don\u2019t know their applications are open to such attacks, experts say.<\/p>\n<p>Golfballs.com discovered it was open to SQL injection through a security check by ScanAlert Inc.\u2019s HackerSafe site monitoring and security system, Bonin says. So when the retailer rebuilt its web site on Microsoft Corp.\u2019s .Net 2.0 technology platform during the first months of this year, it redesigned its web access system to block SQL injection.<\/p>\n<p>Using tools within .Net 2.0, the retailer\u2019s two-person I.T. staff configured a system to route page requests through a software module that checks whether a page identifier carries extra characters that might be used in an attempt to pull information from protected databases. Screening of that kind catches known patterns; the reliable fix is to validate each identifier against the form it should have and to hand it to the database as a bound parameter rather than as part of the SQL text. 
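The attack and the fix described above, as an added example that is not Golfballs.com's code or the original article's: a product lookup that pastes the page identifier into SQL text, a character screen of the kind the article describes, and the parameterized version. The table layout, the `ATTACK` string and the card numbers are constructed test data (industry test numbers, not real accounts); SQLite stands in for the retailer's database.

```python
"""String-built SQL beside its parameterized fix, with the kind of
character screen the article describes. Added example, not Golfballs.com's
code; table layout and card numbers are constructed test data."""
import re
import sqlite3

# Constructed test data: industry test card numbers, not real accounts.
CUSTOMERS = [
    (1, "Alice", "4111111111111111", "0809"),
    (2, "Bob", "5555555555554444", "1208"),
]
PRODUCTS = [(1, "Driver"), (2, "Putter")]

# A page identifier as an attacker would supply it in ?id=...; note that it
# contains no quote, semicolon or comment marker, only a number and SQL words.
ATTACK = "1 UNION SELECT pan FROM customers"


def make_db():
    """In-memory database with a products table the page is meant to query
    and a customers table it is not."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, pan TEXT, expiry TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", CUSTOMERS)
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", PRODUCTS)
    return conn


def product_name_vulnerable(conn, product_id):
    """The bug: the URL parameter is pasted into the SQL text, so whatever
    follows the number becomes part of the query the database runs."""
    sql = "SELECT name FROM products WHERE id = " + product_id
    return [row[0] for row in conn.execute(sql)]


def blocklist_screen(product_id):
    """A screen that only looks for 'extra characters' (quote, semicolon,
    comment marker). Returns True when the value is let through; the UNION
    payload above passes because it needs none of those characters."""
    return re.search(r"""['";]|--""", product_id) is None


def product_name_safe(conn, product_id):
    """The fix: positive validation (an id is digits only) and a bound
    parameter, so the value is never parsed as SQL."""
    if not re.fullmatch(r"[0-9]{1,9}", product_id):
        raise ValueError("rejected page identifier: %r" % (product_id,))
    rows = conn.execute("SELECT name FROM products WHERE id = ?", (int(product_id),))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", product_name_vulnerable(db, ATTACK))   # leaks card numbers
    print("blocklist lets it through:", blocklist_screen(ATTACK))
    print("safe:", product_name_safe(db, "1"))
```

The same separation of data from SQL text is what ADO.NET's `SqlCommand` parameters give a .Net 2.0 application; a screen for suspicious characters is a useful extra layer, but as `blocklist_screen` shows, an injection into a numeric context needs no quotes at all.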
\u201cRetailers shouldn\u2019t have to worry about data intrusions if their site is set up properly,\u201d Bonin says.<\/p>\n<p><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Pressure mounts for retailers to comply with payment card data security standards By Paul Demery For six years, credit card companies have been threatening retailers with fines and loss of credit card status if they don\u2019t comply with the payment card industry data security standards. And retailers have been routinely ignoring them. Now that might &hellip; <a href=\"https:\/\/www.paymentconsulting.net\/Blog\/wordpress\/?p=23\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Fines to begin for non compliance of PCI, etc.<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-23","post","type-post","status-publish","format-standard","hentry","category-news-update"],"_links":{"self":[{"href":"https:\/\/www.paymentconsulting.net\/Blog\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/23","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.paymentconsulting.net\/Blog\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.paymentconsulting.net\/Blog\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.paymentconsulting.net\/Blog\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.paymentconsulting.net\/Blog\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=23"}],"version-history":[{"count":0,"href":"https:\/\/www.paymentconsulting.net\/Blog\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/23\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.paymentconsulting.net\/Blog\/
wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=23"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.paymentconsulting.net\/Blog\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=23"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.paymentconsulting.net\/Blog\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=23"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
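The "unintended build-up" section of the article above says merchants often store full-track data without knowing it. The following check is an added example, not part of the original article or any vendor's tool: it scans stored records for the ISO 7813 track 1 and track 2 layouts and for bare card numbers that pass the Luhn check, reporting masked PANs. The sample records are constructed and use industry test card numbers, not real accounts.

```python
"""Scan stored records for magnetic-stripe track data and clear-text PANs.

Added example, not the article's own code. The patterns follow the ISO 7813
track 1 and track 2 layouts; the sample records are constructed and use
industry test card numbers, not real accounts.
"""
import re

# Track 1: %B<PAN>^<name>^<YYMM><service code><discretionary data>?
TRACK1 = re.compile(r"%?B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]*)\??")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2 = re.compile(r";?(\d{13,19})=(\d{4})(\d{3})(\d*)\??")
# A bare PAN: 13 to 19 digits not adjoining other digits.
PAN = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")

# Constructed sample of what a POS or web database might hold.
SAMPLE_RECORDS = [
    "TXN 1001 pan=4111111111111111 exp=0809 amt=19.99",   # clear-text PAN
    ";4111111111111111=08091011234567890?",                 # full track 2
    "%B5555555555554444^DOE/JOHN^12081011234567890?",       # full track 1
    "order=1234567812345678 status=settled",                # 16 digits, not a card
]


def luhn_ok(digits):
    """Luhn check digit test; filters order numbers and timestamps out."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan):
    """Show only the first six and last four digits in findings."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_card_data(text):
    """Return (kind, masked PAN) for each piece of card data in one record.
    Track matches are blanked out before the bare-PAN pass so a stored track
    is reported once, not again as a PAN."""
    findings = []
    for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
        def consume(m):
            if luhn_ok(m.group(1)):
                findings.append((kind, mask(m.group(1))))
                return " " * len(m.group(0))
            return m.group(0)
        text = rx.sub(consume, text)
    for m in PAN.finditer(text):
        if luhn_ok(m.group(1)):
            findings.append(("pan", mask(m.group(1))))
    return findings


def scan_records(records):
    """Scan every record; returns (record index, kind, masked PAN) triples."""
    return [(i, kind, masked) for i, rec in enumerate(records)
            for kind, masked in find_card_data(rec)]


if __name__ == "__main__":
    for hit in scan_records(SAMPLE_RECORDS):
        print(hit)
```

Run against database dumps, POS log directories or backup files, a scanner like this is how a merchant finds out whether its point-of-sale software has been recording track data on its own. Any track 1 or track 2 hit is a storage violation regardless of encryption; a bare-PAN hit is a finding to check against the encryption and retention controls PCI DSS requires for stored account numbers.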