Standards set by card schemes aimed at ensuring security of
cardholder data place a heavy burden on merchants who run the risk
of hefty fines for non-compliance. Jon Prideaux of
SecureTrading provides insight into implications of even more
onerous requirements now facing the retail industry.
Against a background of rampant fraud which has resulted in the theft
of the payment card details of millions of consumers, there is no doubt
that enhancing the security of cardholder details is of paramount
importance to the payments industry.

Galvanised into action, the major card schemes (MasterCard, Visa,
American Express, Discover and JCB) formed the Payment Card
Industry Security Standards Council which, in December 2004, released
the Payment Card Industry Data Security Standard (PCI DSS), imposing
strict data protection requirements on payments processors and
merchants. Enforcement is in the hands of the individual card
schemes.

Enforcement pressure on retailers is growing with Visa taking the
lead with its announcement in November 2008 of deadlines by which
merchants must be able to validate PCI DSS compliance.

For Tier 1 merchants – defined by Visa as those with over 6 million
Visa transactions annually – the deadline is 30 September 2010. The
deadline for Tier 2 merchants (1 million to 6 million transactions)
is 30 September 2012; for Tier 3 merchants (20,000 to 1 million
transactions), 31 December 2012; and for Tier 4 merchants (under
20,000 transactions), 31 December 2013.

By these deadlines Visa requires acquirers to provide an
attestation of compliance for each of their merchants. After the
deadlines Visa warned it would impose “appropriate risk controls”
including fines on acquirers which can be passed on to individual
merchants. Fines can exceed €100,000 ($140,000).

Meeting opposition

There is no doubt the PCI DSS should set the standard for banks,
payment processors and merchants to ensure data is protected, Jon
Prideaux, deputy CEO of UK-based online payments processor
SecureTrading, told EPI.

However, he posed the question: “So, why is it UK industry body the
British Retail Consortium [BRC] has voiced concerns over the PCI
DSS programme and actively sought dialogue with payment card
issuers Visa, MasterCard and American Express?”

Prideaux continued that, in the US, there is also dissatisfaction.
For example, Michael Jones, chief information officer at retailer
Michaels, testified to a Congressional Committee that PCI DSS rules
were “expensive to implement, confusing to comply with and
ultimately subjective both in their interpretation and their
enforcement”. Michaels, the world’s largest arts and crafts
retailer, operates 1,000 stores in the US and Canada.

Given concerns expressed by merchants and their industry bodies,
Prideaux said it is important to question whether card schemes have
got the balance of compliance between the role players correct or
are being heavy handed with merchants.

Prideaux added: “Many big breaches have come from payments
infrastructure providers, yet the suspicion among the retail
community is too much fire is directed against them.”

However, he conceded that card payment processors have come in for
punishment at the hands of the card schemes. This is particularly
true of Royal Bank of Scotland’s RBS Worldpay unit and US payments
processor Heartland Payment Systems, which were both temporarily
removed from Visa’s list of PCI DSS-compliant processors earlier this
year following serious data breaches.

Prideaux said: “Though its [RBS Worldpay’s] removal from the list
showed Visa would act, the concern persists that action could have
been taken earlier.”

This, he added, indicates the need for greater transparency so all
affected can see the PCI DSS compliance process is applied
consistently.

Great for business

Speaking candidly, Prideaux outlined benefits a company such as
SecureTrading is deriving from implementation and enforcement of
PCI DSS standards.

“Here at SecureTrading I suppose I shouldn’t be making a fuss,”
said Prideaux. “PCI is a bit of a goldmine. We are picking up
business by helping retailers to simplify their compliance
process.”

He explained that SecureTrading has developed a range of what he
termed customisable ‘PCI-free’ payment pages to help retailers
overcome the PCI DSS challenge. In essence, with this solution
credit card numbers are captured on payment pages hosted by
SecureTrading, either under its own domain name or on a dedicated
client server. This eliminates merchant involvement in the capture,
storing or transmission of credit card data.

“Many big retail brands have already recognised the benefits of
this solution and chosen to go down this route, so they do not need
to go through their own compliance process,” said Prideaux.

The result, he added, is that online merchants of all sizes can
achieve PCI DSS compliance with flexible solutions that integrate
with their existing technology infrastructure without the need for
costly IT development investment. SecureTrading is certified as PCI
DSS Level 1 compliant.

But what is good business for SecureTrading may not necessarily be
good for the retail industry, conceded Prideaux, who questioned why
retailers, under threat of fines, have to foot the entire cost of
implementing PCI DSS compliance measures.

“Payment schemes or issuers should perhaps be subsidising some of
this work. They are the ones who will ultimately benefit,” stressed
Prideaux.

Plenty of work to be done

Controversial as PCI DSS compliance may be, it is a reality many UK
online retailers have yet to fully come to terms with, reveals a
study by online security specialist Sage Pay.

“Online retailers have become adept at driving traffic to their
websites but there is still a significant knowledge gap when it
comes to understanding and implementing payment security,” said
Sage Pay MD Simon Black.

If anything this is something of an understatement.

“Although [PCI DSS] compliance has existed since December 2004, our
latest research suggests that just over one third [39 percent] of
online retailers actually understand the definition of PCI DSS
compliance,” said Black.

He added that 65 percent of respondents did not believe they were
personally responsible for covering the implications of payments
fraud committed on their site.