chants were focused on why they needed to comply. Now, the majority of merchants are more concerned about how they can become PCI-compliant and successfully expedite the process.”

The colossal TJX breach boosted PCI compliance and gave the PCI Security Standards Council newfound credibility, according to Javelin and other industry observers. Enterprises often step up standards compliance and security efforts following a major breach at a peer company. Some observers are hopeful that the worst-case scenario has forced retailers to finally pay attention to what the payment card industry has been preaching for years—they are not only vulnerable, but accountable.

“The court filings and proceedings surrounding the TJX case have illustrated the vital importance of protecting this data properly, and having a functional information security program in place,” Barrett says. “And I think that this stage—the level of fines, settlement costs, reserves, etc., that TJX has now held aside for this—has absolutely and vitally illustrated how important it is that companies don’t take this stuff for granted, and that we do make sure that they are properly protecting this information.”

Nevertheless, ambiguity, high costs, and fear of inhibiting productivity, as was the case with TJX, give some organizations cause to delay or ignore security standards. As a result, the chorus of consumer complaints is causing federal and state lawmakers to consider legislating standards similar to PCI (see “Lawmakers to Industry: Self-Regulate or Be Regulated,” p. 26).
PCI’S BIG UMBRELLA

The Payment Card Industry Data Security Standard (PCI) applies to any organization that accepts credit and bank debit cards as payment for goods and services. In other words, the standard covers businesses ranging from mega-retailers and airlines to local dry cleaners and newsstands. PCI breaks down compliance into levels based on the number of transactions processed annually by a merchant. For instance, expectations are higher for Wal-Mart because it has more resources than Joe’s Main Street Barbershop. Below are the four PCI DSS levels.

Level 1
  Affected businesses: More than six million transactions annually across all channels, including e-commerce
  Compliance requirements: Annual on-site PCI security assessments and quarterly network scans

Level 2
  Affected businesses: One million to 5,999,999 transactions annually
  Compliance requirements: Annual security self-assessment and quarterly network scans

Level 3
  Affected businesses: 20,000 to one million transactions annually
  Compliance requirements: Annual security self-assessment and quarterly network scans

Level 4
  Affected businesses: Fewer than 20,000 e-commerce transactions annually, and all merchants across all channels with up to one million transactions annually
  Compliance requirements: Annual security self-assessment and quarterly network scans

Source: Cybertrust

TECHNICALLY, COMPLIANCE IS TOUGH

PCI mandates security measures that any merchant should already have in place. Nevertheless, compliance is fleeting among larger retailers and other organizations because of the complexity of security technology and the difficulties of increasing security without impeding productivity and operations.

“From the folks I’ve talked to, I would say there are just pieces that aren’t in compliance for most large merchants,” says Diana Kelley, head of the security division of technology analyst firm Burton Group. “There will be a couple of things that were flagged on the audit, and those things may be very difficult for them to fix.”

In many cases, Kelley says, PCI compliance is an issue of dealing with legacy systems that are difficult to harden without breaking. According to VeriSign, a provider of security services and digital certificates, most organizations fail the third PCI requirement: full database encryption. Many older databases need to be restructured to accommodate full encryption, an arduous process that Gartner says could take up to two years to complete.

“These systems are usually business critical; retailers can’t withstand that kind of performance hit,” says Phil Neray, vice president of marketing at Guardium, a database security company.

The payment card industry is not unsympathetic to such technical challenges. PCI allows for a compensating control that lets an organization install database monitoring in combination with medium-level encryption until it can employ full database encryption.

“The benefit is that it doesn’t require any changes to your database or your applications,” Neray says.

Even if affected organizations do everything they can to comply with PCI, they still can’t control their vendors. This has become one of the major PCI compliance issues: vendors failing to provide PCI-compliant products and services, making it more difficult for organizations to receive certification.

The National Aquarium’s PCI compliance was delayed until January because of its ticketing vendor, Paciolan.
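The compensating control Neray describes, database monitoring paired with something short of full database encryption, can be made concrete. The Python below is an added example; it is not code from the article, from Guardium or from any other vendor. It substitutes truncation plus a keyed one-way index token for the article's "medium-level encryption", uses SQLite's statement trace callback as a stand-in for a database activity monitor, and runs entirely on a constructed key and constructed test card numbers.

```python
"""
Added illustration (not from the article or any vendor product): a compensating
control for a table of cardholder data. Rather than encrypting the whole
database, the application renders the primary account number (PAN) unreadable
on its own: it stores only a truncated copy plus a keyed one-way token (an
assumption standing in for "medium-level encryption"), and a trace hook records
every SQL statement that touches the cardholder table, the role a database
activity monitor plays.
"""
import hashlib
import hmac
import re
import sqlite3
from typing import List, Optional, Tuple

# Constructed key for the index token. A real deployment keeps this in a
# key-management system, never alongside the data it protects.
TOKEN_KEY = b"example-token-key-do-not-use-in-production"

CARDHOLDER_TABLE = "cardholder"
TABLE_RE = re.compile(rf"\b{CARDHOLDER_TABLE}\b", re.IGNORECASE)
# A SELECT on the cardholder table with no WHERE clause has the shape of a dump.
BULK_READ_RE = re.compile(
    rf"^\s*SELECT\b(?!.*\bWHERE\b).*\b{CARDHOLDER_TABLE}\b", re.IGNORECASE | re.DOTALL
)


def normalize_pan(pan: str) -> str:
    """Strip spaces and dashes so differently formatted input tokenizes alike."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must contain 13 to 19 digits")
    return digits


def tokenize_pan(pan: str) -> str:
    """Keyed, deterministic one-way token: lets the application find a record
    by card without ever storing the PAN itself."""
    return hmac.new(TOKEN_KEY, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()


def mask_pan(pan: str) -> str:
    """Truncate to the first six and last four digits; the middle digits are
    replaced and cannot be recovered from the stored value."""
    digits = normalize_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


class MonitoredCardStore:
    """In-memory SQLite store whose every statement against the cardholder
    table is appended to an audit log via sqlite3's trace callback."""

    def __init__(self) -> None:
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute(
            f"CREATE TABLE {CARDHOLDER_TABLE} "
            "(token TEXT PRIMARY KEY, masked_pan TEXT NOT NULL, expiry TEXT NOT NULL)"
        )
        self.audit_log: List[str] = []
        # Registered after table creation so the log holds only runtime activity.
        self.conn.set_trace_callback(self._trace)

    def _trace(self, statement: str) -> None:
        # Keep only statements that reference the cardholder table.
        if TABLE_RE.search(statement):
            self.audit_log.append(statement)

    def store_card(self, pan: str, expiry: str) -> str:
        """Persist a card; the full PAN never reaches the database or the log."""
        token = tokenize_pan(pan)
        self.conn.execute(
            f"INSERT INTO {CARDHOLDER_TABLE} (token, masked_pan, expiry) VALUES (?, ?, ?)",
            (token, mask_pan(pan), expiry),
        )
        self.conn.commit()
        return token

    def lookup(self, pan: str) -> Optional[Tuple[str, str]]:
        """Find a stored card by PAN through its token; returns (masked_pan, expiry)."""
        row = self.conn.execute(
            f"SELECT masked_pan, expiry FROM {CARDHOLDER_TABLE} WHERE token = ?",
            (tokenize_pan(pan),),
        ).fetchone()
        return (row[0], row[1]) if row else None

    def bulk_reads(self) -> List[str]:
        """Logged statements a monitor should alert on: whole-table reads."""
        return [s for s in self.audit_log if BULK_READ_RE.search(s)]


def demo() -> dict:
    """Run the scenario on constructed data and return what a reviewer would check."""
    store = MonitoredCardStore()
    pan = "4111 1111 1111 1111"  # constructed test number, not a real card
    store.store_card(pan, "12/09")
    hit = store.lookup(pan)
    # A direct query outside the application path (an ad hoc tool, say) is
    # still captured by the trace hook.
    store.conn.execute(f"SELECT * FROM {CARDHOLDER_TABLE}").fetchall()
    return {
        "masked": hit[0] if hit else None,
        "audited_statements": len(store.audit_log),
        "bulk_reads": len(store.bulk_reads()),
        "pan_in_log": any("4111111111111111" in s for s in store.audit_log),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things the run shows that the paragraph only asserts: because the application never sends the PAN to the database, neither the table nor the monitor's log ever contains it, and the monitor still records the whole-table read that bypassed the application, which is the activity a compensating control exists to catch. Note that only the trace hook matches Neray's point about needing no schema or query changes; the token and truncation step is an application-side choice made here for illustration.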