Retailers Rushing to Meet New Standard for Data Security

For retail industry CIOs, this month is almost like December 1999 all over again. That’s because a major Payment Card Industry (PCI) data security standard deadline looms on September 30.

“This is like Y2K for this industry,” said Scott Laliberte, a director in the global information security practice at Protiviti, a leading risk management consulting firm. “Some retail companies are still in a mad scramble to meet the Sept. 30 deadline. They’re still working out that last 5% of their big multi-year projects in order to be fully PCI compliant.”

The PCI data security standards include 230 specific data controls that must be met by merchants and data service providers that store data for banks. Complicating matters, the deadlines for compliance vary according to the size of the retailer and the credit card firm.

For example, VISA requires that all Level 1 merchants—those that handle 6 million or more card transactions annually of a particular card type—comply with the PCI standards by September 30; merchants that do fewer transactions must do so by the end of the year. By contrast, for American Express, a Level 1 merchant need process just 1 million transactions per year. Both in-store transactions and online payments are affected by the new security requirements.

Retailers and data service providers that fail to prove they are compliant with the new standards by the deadline will face monetary penalties from the credit card issuers. For example, after September 30, any large retailers that have failed to prove they are fully compliant with the new security standards will be downgraded one tier on VISA’s interchange rate.

The renewed emphasis on credit card data security, of course, has come about because of some major data security lapses. One of the biggest was an incident reported last January at TJX, a leading off-price retailer of apparel and home fashions. Some 45.7 million credit and debit card account numbers, plus 455,000 merchandise return records containing customer name and driver’s license numbers, were subject to an “unauthorized intrusion” into the company’s computer systems.

According to a recent report by the Aberdeen Group, the average cost of a security breach is $4.8 million per company, and the cost to remediate the problem averages $183 per cardholder.

“The goal of the PCI standards is to protect the primary account number on the card, as well as the sensitive authentication data on the card, the three- or four-digit code on the back,” said Dave Anderson, senior solutions manager at Arcsight, an enterprise security and compliance management software firm.

But it’s not just the cost that the big retailers are worried about-it’s their reputation and brand names.