Can mid-market merchants comply with PCI standards?

Nearly a year after TJX Companies suffered what is believed to be the largest identity theft to have hit a retailer, credit card companies are laying down the law for any merchant who transacts business with plastic. By New Year's Eve, all businesses that handle between 1 million and 6 million credit card transactions a year (primarily mid-market companies) must comply with the Payment Card Industry's new Data Security Standard (PCI DSS).

Companies that fail to comply with the standard's 12-point specification risk thousands of dollars in fines (from Visa, $5,000 to $25,000 a month), though it's hard to predict what noncompliance will really cost because the penalty structure is complex. Ultimately, Visa, MasterCard and the other payment card companies could revoke merchants' rights to make credit card transactions-a mortal wound for any consumer-oriented business. And yet despite the threat of penalties, experts believe that most mid-size companies won't make the deadline (larger companies with a higher transaction volume are already supposed to be compliant).

Compliance is hardly rocket science-or is it? Directives to use firewalls and change vendor-supplied default passwords are simply security best practices. But in other areas, merchants struggle to interpret the standards, haggling with auditors, consultants and sometimes the PCI Council itself over exactly how to protect cardholder data. And they often have to reach deep into cash-strapped pockets to come up with the funds for conducting a top-to-bottom security review.

Brian Shniderman, a director at Deloitte Consulting, estimates that 40% to 45% of merchants might need to overhaul everything from access management, ID control and physical security, to infrastructure, firewalls and antivirus measures.

"The industry is not sitting in a stable position with regard to PCI standards," he says.

Lessons from TJX

Version 1.1 of the PCI Data Security Standard (PCI DSS 1.1) was on the books in January 2007, when TJX Companies-operator of A.J. Wright, Bob's Stores, HomeGoods, Marshalls and T.J. Maxx-announced that hackers had breached its network. Estimates of the damage vary, but data thieves may have copped anywhere from 45 million to more than 100 million user accounts, from customer transactions going back to 2003.

According to The Wall Street Journal, the thieves may have begun their odyssey in a van parked near a St. Paul, Minn., Marshalls store, at which they pointed an antenna and picked up wireless data beamed across the store from registers and handheld scanners. The intercepted data allowed thieves to hack the main network in Framingham, Mass. and allowed them to download megabytes of stored customer records. At least three class-action lawsuits seeking damages on behalf of customers and banks are pending in federal court. (TJX is awaiting court approval of a proposed settlement with customers worth an estimated $256 million. On Nov. 30, 2007, the company announced a $40.9 million settlement with Visa through which it would pay banks for their claimed losses, provided banks agree not to pursue further legal action.)