In Depth
All About the PCI Data Security Standard
More than just another data-security standard, the PCI program is corporate America's most ambitious effort yet to prove that it can self-regulate. But even a standard with everything going for it might not be enough to stop the loss of credit card data.
By Sarah D. Scalet
The challenge for the card associations now is twofold: to prove the value of the PCI standard in and of itself, and to create an incentive system that gives organizations the final shove if the standard on its own doesn’t provide enough value. One-time compliance incentives may simply be too small. Visa’s $20 million incentive could be split up among as many as 33 merchant banks, which could then choose whether to pass on the incentives to thousands of their merchant customers. And even fines may not be enough. Visa, for instance, levied $3.4 million in fines in 2005 and $4.6 million in 2006. But compliance likely would have cost the fined organizations even more.
“It’s kind of like, you can drive a car without car insurance, but if something happens you’re going to be in big trouble,” says Rowe, of Chief Security Officers. “I think a lot of [merchants] are accepting the risk and hoping the controls they have in place will prevent a breach even though they may not be in compliance.”
The associations, leery of exercising their death penalty, have done so only once. After hackers accessed some 40 million card numbers stored by payment processor CardSystems Solutions in 2005, both Visa and American Express cut off the company’s ability to process payments. The company went into bankruptcy, where its assets were acquired by Pay By Touch. CardSystems disappeared.
More encouragingly, Visa has announced that it will start making PCI compliance a requirement for some reductions in the interchange fees it charges to merchants who accept credit card payments. This is more a backward penalty than a new incentive: A merchant that currently qualifies for the reduced fee, known as tiered interchange, could lose that reduction because it’s not PCI-compliant. Visa’s Perez says the largest merchants could stand to lose millions of dollars annually. “It’s a very compelling incentive,” he says.
Count on chief security officers—risk managers at heart—to look at all these changes pragmatically. “If I was going to get fined $5 million but I brought in $150 million in business, that’s fine,” Kirkwood says, speaking hypothetically. “It becomes a cost of doing business.” A bigger motivator, however, is interchange fees. “That impacts the profit per transaction, which has a much bigger potential than anything else.”
Since announcing the changes, Visa has seen some increase in its compliance rates. Among what are known as Level 1 merchants, which process more than 6 million Visa transactions per year, compliance rose from 36 percent in December 2006 to 40 percent in January 2007. Among Level 2 merchants, which process between 1 million and 6 million Visa transactions each year, compliance inched up to 16 percent from 15 percent since the Level 2 requirements took effect in July 2006.