Rules for merchants handling credit card data

Rules changing for merchants handling credit card data

Safety concerns for consumers' credit card information prompt changes

Ever wonder what happens to a consumer's credit card data after a merchant swipes that plastic in a store or enters it online?

Today's answer: It depends. An ongoing industrywide effort is slowly standardizing data-handling processes to keep consumers' personal information as safe as possible, but it's a largely invisible struggle. Consumers who get their cards back often don't realize the data they've left behind; merchants know about it but don't like the cost and often don't understand the technology.

There are as many ways of handling data as there are merchants to take it. Some retailers work with state-of-the-art systems from merchant account providers (which the retailers may or may not know how to configure). Others merchants have self-written programs. Some retailers store card numbers. Others don't. Some have teams to help them test and troubleshoot. A few may be simply crossing their fingers.

What's at stake for merchants? Money and hassle. At stake for consumers? Money and their identities.

Standardizing card data handling
Several years ago, five major card companies -- American Express, Discover, MasterCard, Visa and Japanese card giant JCB -- banded together in an attempt to bring some uniformity to the process. They  formed a security council, issued one set of guidelines for merchant data security, and the Payment Card Industry Data Security Standard, with its balky acronym of PCI DSS, was born.

"Definitely PCI has helped and is helping," says Mary Monahan, managing partner with Javelin Strategy & Research, an independent research firm that recently studied both data card fraud trends and merchant compliance to card data security standards.

A complex, little known system
Despite the high stakes, with identity theft and merchants' reputations in play, data handling by merchants gets little attention.

It's understandable. Merchants, who are ultimately responsible for following the rules, often stay at arm's length from the technology involved. Larger retailers have teams of computer and security experts who puzzle through the regulations and make sure the machinery is compliant. A smaller merchant might rely on a payment processing company to handle the job or simply write a check to an outside consultant. And when their systems fail and consumers' card information land the hands of thieves, consumers usually learn little about under the hodgepodge of state disclosure laws.

Merchants are "spending a lot of effort, a lot of time and a lot of money to become PCI compliant," says David Hogan, senior vice president and chief information officer for the National Retail Federation.

That said, many merchants welcome the movement toward standardized handling of consumer credit card data. "Personally, I like the idea of all this," says David Haydel Sr., president of Haydel's Bakery in New Orleans. He estimates that two-thirds of his $3 million annual sales are credit-card based.

Like fellow merchants, Haydel had to put out some money. His biggest expense: $10,000 for a specially written, compliant software program. But he looks at that, and the security standard, as a good investment.

Though fraud eats up less than 0.1 percent of that, he's in favor of anything that will slice that rate and satisfy customers. "It's going to cut back on fraud and misuse, and that's going to cut back on charge-backs," he says.

Who handles consumer data safely? 
How many retailers are PCI compliant? No one really knows. As of January 2008, Visa estimates that more than 75 percent of its large merchants and two-thirds of medium-sized merchants meet the standards.  Which raises another question: Should compliance, or the lack of it, be public record?

Some consumer advocates say yes. "I think consumers deserve to know who's compliant and who's not," says Gail Hillebrand, senior attorney with Consumers Union, a nonprofit education and advocacy group.

Some payment processors and the PCI council itself don't want to see an official seal of approval awarded for compliance, fearing it would tip off thieves to merchants whose computers could be easily hacked. Many also believe a seal could be misleading. Businesses can be certified compliant one day, but adding machines, firing employees or acquiring locations or new software could compromise their status.

"Compliance is always a backward look," says Eric Ratermann, senior security engineer for Cadre Information Security. "Just because you're compliant today doesn't mean you're compliant tomorrow."

Compliance hindered by 'convoluted' rules
For many businesses, the problem with compliance isn't greed or indifference, it is confusion. Since the regulations deal with technology, they are fairly intricate. Card companies and payment processors are trying to help, however, supplying tutorials and Webinars (Web-based seminars) to help business owners.

Still, for many retailers and some security experts, it's not enough. The current rules are "vague, convoluted, and difficult to interpret," says Hogan. "You can get two or three different answers depending on where you go."

Following the guidelines isn't just a matter of installing hardware or software. Employees also have to be trained. A merchant can do everything according to the books, but if one part-timer leaves card data in an unsecured place, the organization is not only vulnerable but out of compliance.

TJX breach opened eyes
Monahan says one major event -- the data breach at TJX Companies Inc., announced in January 2007 -- increased security awareness. "There weren't as many compliant companies at that time," she says. "People weren't really talking about compliance. That brought it home."

Merchants are also realizing that the standard is not the summit when it comes to security. Since hackers are always improving their game, even full compliance with the rules might not be enough to protect card data.

"It's old -- from a standards point of view -- the day after it's been launched," says Tony Bates, chief operating officer and partner in PSC, a consulting firm that specializes in payment security and compliance. "And it's a minimum, not a maximum."

With semiregular updates to the standard, compliance is "a moving target," says Monahan. "As everything becomes more sophisticated, it's constantly changing."

Standards evolving
In October 2008, the card industry's security council will release its newest version of the security standard, dubbed 1.2. Representatives won't yet talk specifics. "The technical working groups are still meeting," says Bob Russo, general manager, PCI Security Standards Council. "It hasn't really been decided.

"There will be greater detail, and how it needs to be done -- how we're expecting it to be done," he says. In addition, three areas will specifically be addressed: wireless transmissions, payment applications and hacker testing. Requirements for compliant payment application systems went into effect last month, and stronger regulations governing Web-based transactions go into effect as of June 2008. They had been optional "best practices" for the previous 18 months.

Some security experts and consumer advocates would like to see the standard address additional measures to safeguard wireless transmissions, methods to prevent passive network attacks, guidance on dealing with malware and rules requiring data encryption within internal, nonpublic networks.

Hogan would like the council to consider requiring a PIN number with credit card transactions, as well as adopting chip technology and getting rid of the magnetic stripe, "which is a generation old," he says.

Merchants and security experts alike would welcome plainer language. "I'd like to see it written more clearly," says Ratermann.

Finally, with card-not-present fraud going up, expect retailers themselves to be "strengthening authentication on the back end," says Rachel Kim, an analyst at Javelin Strategy & Research.

The cost of compliance
Data security breach costs can run into the hundreds of millions. Merchants may weigh the chances of getting breached against the cost of getting into compliance and decide to gamble, says Mike Rothman, president of Security Incite, a security analysis firm. "A lot of companies will roll the dice," he says.

Hillebrand says random audits can help prevent that. "Until they do it, the whole thing could be smoke and mirrors," she says.

With his own small online business, Rothman uses a third-party shopping cart, which has already been certified compliant, saving him the trouble and expense.

That might be the answer for a lot of smaller e-retailers, says Bates.

"The challenge with retailers and merchants today is that a lot of their payment applications aren't" compliant, he says. "They have to upgrade." The tab can be anywhere from several thousand on up into the millions for a large retailer.

No guarantees
One point on which most data and security experts agree: Nothing is foolproof. "PCI compliance can only go so far," says Monahan. "Nothing can stop 100 percent of breaches."

But the standard has the potential to make the landscape much safer for consumers and merchants. "The problems we're having now are not lower level problems," says Ratermann. "They're great gaping holes."

It's also forcing merchants to learn about their systems, re-examine the way they are doing things and eliminate data storage altogether. Many merchants "don't recognize that they are storing data or could be storing data," he says. "It's truly a data management exercise," says Amry Junaideen, principal with Deloitte & Touche LLP.

Data card theft isn't always a high-tech crime. So along with meeting data security requirements, smart merchants are also fighting new crimes by combining a host of old reliables: background checks, paper-shredding procedures, security cameras and diligence about keeping tabs on register totals.

In the end, when it comes to protecting card data, the PCI standard is "pretty darned good," says Monahan. But "I think it's constantly going to be re-evaluating itself."

Updated: March 4,2023