Billing & OSS World Conference & Expo

PCI Compliance: Merchants Cover Backs, Bottom Lines

Anita Karvé
02/27/2009

On an all-too-regular basis, we learn of yet more incidents of hackers getting away with our valuable data, including personal information, credit card details, Social Security numbers and banking details. Businesses should not overlook the protections offered by the payment card industry.

Just last summer, personal information for customers of the Royal Bank of Scotland ended up on eBay when a computer that contained this sensitive data was listed for sale. And in 2007, information for more than 45 million credit and debit cards was accessed by hackers who managed to breach the customer database of TJX, the parent company of T.J. Maxx retail stores. This incident has cost TJX in excess of $250 million in compensation connected with the breach.

And these are just two high-profile examples. There are likely many other instances that never come to light. That’s why the major credit card companies — American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa — banded together in 2006 to form the PCI Security Standards Council, an open forum for the development, enhancement, storage and implementation of security standards for account data protection. With dozens of merchants, banks, payment processors and point of sale vendors on board, the group is creating the de facto standards to improve payment account security.

“Right now, every merchant needs to be PCI compliant,” says Mike Holleran, senior product manager, ASP, at InfoDirections. “That deadline passed in 2007, but by July 2010, there’s an additional requirement where every merchant that’s using third-party payment applications needs to ensure those applications are also compliant.” He adds that communications providers, including mobile and wireline operators, will also need to be compliant if they are facilitating financial transactions.

Holleran says that while most major retailers are in full compliance with PCI, even the smaller mom-and-pop shops will have to step up and ensure they are as well. “If you’re operating as an uncertified merchant, your acquirer [bank] can basically shut you down or keep your proceeds in escrow to cover the costs of any possible breach,” he said. “If you have a breach, and you’re not PCI compliant, it’s almost seen as gross negligence, and you are opening yourself up to fines and lawsuits because the standards are out there and you’re choosing to ignore them.”

He acknowledges that it’s hard to stop a determined hacker, but by complying with the PCI standards, merchants are throwing up as many roadblocks as possible and are essentially covering their backs in the event of a data breach. “If you are compliant and get breached, there’s safe harbor where you can be protected from industry fines, but you still may have to deal with civil lawsuits,” he says.

Holleran says that while there is no standard roadmap for getting PCI-compliant, there is a general series of steps that all companies should go through: Conduct a pre-assessment either on their own or with an auditor, figure out where there are gaps between the PCI requirements and their current environment, remediate those gaps and then do a final audit.

The implications of non-compliance can be devastating to a company, both financially and to loss of reputation, Holleran says. “Unless you’re a big company and can absorb hundreds of millions of dollars in litigation, you’ll be out of business after a breach,” he says. “And I can’t think of too many things that can bring you down so quickly.”

Want more? You’ll find it at the Billing & OSS World Conference & Expo.

Tues., April 14
2:00 – 2:45 p.m.
Track One: All Things Revenue: Generation, Assurance, Optimization
It Couldn’t Happen to Us: The Staggering Cost of Ignoring PCI Compliance
