A full year after the deadline, a majority of large merchants face potential fines because they still aren't in compliance with a data security standard created by major credit card companies including American Express, Discover, MasterCard and Visa.
The Payment Card Industry (PCI) standard lays out requirements for securing networks, protecting cardholder data and auditing security systems regularly. The PCI rules, which went into effect June 30, 2005, prescribe enforcement policies and penalties for noncompliance, depending on the volume of credit card transactions handled.
According to the standard, noncompliant merchants and payment processors can face as much as $500,000 in fines per incident if cardholder data is compromised. In addition, the card associations can revoke noncomplying companies' credit card processing privileges.
Despite the threat of penalties, only 22% of the largest merchants are PCI compliant today. Visa expects that number to climb dramatically in the second half of this year, says Eduardo Perez, vice president of corporate risk and compliance at Visa USA.
In addition to the 22% of merchants that are compliant, 72% of the largest merchants - those that handle more than 6 million Visa transactions per year - have conducted an initial PCI report, identified their deficiencies and have a remediation plan in place to achieve full compliance. By year-end, Visa estimates two-thirds of the top-tier retailers will be in full compliance. "We've made a lot of progress - and we have a lot of work ahead of us," Perez says.
A lack of communication is partly to blame for the delays in PCI adoption, says Avivah Litan, a vice president at Gartner. Some merchants still aren't aware of the PCI standard, and many that know about it are unclear about its significance. "Every merchant wants to know how seriously they need to take this," she says.
To bolster compliance, credit card organizations have been making an effort to educate businesses about PCI. For example, Visa and the U.S. Chamber of Commerce last month launched a 12-city tour designed to help small merchants use the standard to improve data security and reduce fraud.
The PCI standard encompasses a range of technologies, including encryption, access control, and activity monitoring and logging. There are also procedural requirements, such as creating and documenting security policies. Continuing compliance requires annual or quarterly audits by a PCI-certified assessor.
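One concrete place where the "protecting cardholder data" and "activity monitoring and logging" requirements meet is the application log: a primary account number (PAN) written to a log file in the clear puts that file in scope and is a common audit finding. The following Python is an added example, not code from the article or from the card associations; it scrubs log lines before they are written, masking any digit run that passes the Luhn check so that only the first six and last four digits remain (the masking limit PCI DSS allows for display). The sample log lines are constructed for the example, and the regular expression's 13-to-19-digit window is an assumption about the card lengths in use.

```python
import re

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or dashes.
# The length window is an assumption; adjust it to the card brands actually accepted.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check.

    Used to cut false positives: order numbers and timestamps are long digit
    runs too, but they rarely satisfy Luhn, whereas every real PAN does.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, replace the rest with '*'.

    Separators are dropped so the masked form has one canonical shape.
    """
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_line(line: str) -> str:
    """Mask every Luhn-valid digit run in a log line; leave other numbers alone."""
    def repl(match: re.Match) -> str:
        digits = re.sub(r"\D", "", match.group(0))
        if luhn_valid(digits):
            return mask_pan(match.group(0))
        return match.group(0)
    return PAN_RE.sub(repl, line)


if __name__ == "__main__":
    # Constructed sample log lines; 4111111111111111 is a well-known test PAN.
    sample_log = [
        "2006-07-01 12:00:01 checkout card=4111111111111111 amount=12.50",
        "2006-07-01 12:00:02 checkout card=4111 1111 1111 1111 amount=9.99",
        "2006-07-01 12:00:03 lookup order=1234567890123456 status=shipped",
    ]
    for raw in sample_log:
        print(scrub_line(raw))
```

Run the scrubber at the logging handler or formatter layer so every code path goes through it; a filter applied only in one module leaves the gap an assessor will look for. The Luhn gate is what keeps the third sample line (an order number) untouched while both spellings of the card number in the first two lines are masked.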