Network World
Retailers fail to pass security test

One year after the deadline, most big merchants still aren't Payment Card Industry compliant.
By Ann Bednarz, Network World, 07/10/2006

A full year after the deadline, a majority of large merchants face potential fines because they still aren't in compliance with a data security standard created by major credit card companies including American Express, Discover, MasterCard and Visa.

The Payment Card Industry (PCI) standard lays out requirements for securing networks, protecting cardholder data and auditing security systems regularly. The PCI rules, which went into effect June 30, 2005, prescribe enforcement policies and penalties for noncompliance, depending on the volume of credit card transactions handled.

According to the standard, noncompliant merchants and payment processors can face as much as $500,000 in fines per incident if cardholder data is compromised. In addition, the card associations can revoke noncomplying companies' credit card processing privileges.

Despite the threat of penalties, only 22% of the largest merchants are PCI compliant today. Visa expects that number to climb dramatically in the second half of this year, says Eduardo Perez, vice president of corporate risk and compliance at Visa USA.

In addition to the 22% of merchants that are compliant, 72% of the largest merchants - those that handle more than 6 million Visa transactions per year - have conducted an initial PCI report, identified their deficiencies and have a remediation plan in place to achieve full compliance. By year-end, Visa estimates two-thirds of the top-tier retailers will be in full compliance. "We've made a lot of progress - and we have a lot of work ahead of us," Perez says.

A lack of communication is partly to blame for the delays in PCI adoption, says Avivah Litan, a vice president at Gartner. Some merchants still aren't aware of the PCI standard, and many that know about it are unclear about its significance. "Every merchant wants to know how seriously they need to take this," she says.

To bolster compliance, credit card organizations have been making an effort to educate businesses about PCI. For example, Visa and the U.S. Chamber of Commerce last month launched a 12-city tour designed to help small merchants use the standard to improve data security and reduce fraud.

Encryption challenges

The PCI standard encompasses a range of technologies, including encryption, access control, and activity monitoring and logging devices. There also are procedural requirements, such as creating and documenting security policies. Continuing compliance requires annual or quarterly audits by a PCI-certified assessor.

By most accounts, database encryption is the most difficult technical component to implement. "The encryption requirements have always been the main stumbling block - and for good reason," Litan says. "Just about every client I talk to that has started an encryption project can't get very far with it, even though they want to. It's a multiyear application rewrite proposition."

Encrypting card data also is expensive. Gartner estimates a company with 100,000 customer accounts can spend $6 per account to roll out data encryption appliances. Adding host-based intrusion-prevention software and a strong rotation of security audits can bring the tally to $16 per customer account.
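The "application rewrite" point is easiest to see in code. The following is an added example, not code from the article or from any company it names: instead of encrypting the stored card number it uses tokenization, so the merchant application keeps only an opaque token plus a masked display form, and every code path that used to read the full PAN must change to go through the vault. The CardVault class, luhn_ok, mask_pan and the test card number are constructed for this illustration.

```python
"""Tokenization sketch for stored cardholder data (constructed example).
The application database keeps a random token and a masked PAN; the full
PAN lives only in a separate vault, here an in-memory dict standing in
for a hardened, access-controlled service."""
import re
import secrets


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation, so junk never enters the vault."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Display form: at most the first six and last four digits are shown."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


class CardVault:
    """Holds full PANs keyed by opaque tokens (stand-in for a real vault)."""

    def __init__(self):
        self._store = {}

    def tokenize(self, pan: str) -> str:
        digits = re.sub(r"\D", "", pan)
        if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
            raise ValueError("not a valid PAN")
        token = secrets.token_hex(16)   # random; bears no relation to the PAN
        self._store[token] = digits
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment/settlement path should be allowed to call this."""
        return self._store[token]


def store_customer_card(vault: CardVault, pan: str) -> dict:
    """What the merchant's own database is allowed to keep about the card."""
    token = vault.tokenize(pan)
    digits = re.sub(r"\D", "", pan)
    return {"card_token": token, "card_display": mask_pan(digits)}
```

Every report, export and support screen that previously read the PAN column now receives only `card_display`, which is the rewrite the article's sources describe.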
