Critics argue that the Payment Card Industry Data Security Standard is impossible for some retailers to comply with and doesn’t guarantee against data loss. Joanna Perry finds out why compliance remains such a contentious issue

A quick straw poll of retailers breaks them down into two clear camps when it comes to the Payment Card Industry Data Security Standard (PCIDSS). There are those that are angry and confused about what is being asked of them, and those that have been living with it hanging over them for so long that they are fed up with talking about it.

Retail Week has covered the subject extensively, but it is still unclear whether many retailers have achieved compliance despite ploughing considerable sums into gap analysis, expert advice and systems upgrades.

A state of flux exists, with the standard changing on a yearly basis and its direction increasingly dividing opinion between retailers in the UK and US.

Both the British Retail Consortium and US counterpart the National Retail Federation (NRF) are lobbying over what they see as unfairness in the present compliance regime.

The BRC is focused on minimising fines. It says full compliance is difficult for reasons outside of retailers’ control. The NRF wants a longer grace period for larger merchants to adjust to new versions of the standard. But it is also pushing for the Payment Card Industry Security Standards Council to partner with a US-based financial service standard body – the Accredited Standards Committee X9 – which could mean end-to-end encryption of payment card data made mandatory.

A US congressional panel – the subcommittee on emerging threats, cybersecurity, and science and technology – is looking at PCIDSS and its impact on cybercrime. In March the panel’s chairwoman said the standard is of questionable strength and effectiveness, and she suggested the US adopts Chip and PIN.

Mark McMurtrie, marketing director of payment software supplier Postilion International, says he does not know of a single retailer who will argue against PCIDSS compliance. But at the same time, there is plenty to confuse retailers over what they should be doing.

BT Expedite consultant Kevin Burns says the different card schemes are not singing from the same hymn sheet. He says MasterCard now requires qualified security assessors (QSAs) to complete an on-site assessment for Level 2 retailers as part of the compliance process, rather than just an audit. Yet this does not seem to be a requirement of Visa Europe.

He adds that a lack of transparency over fines that merchant acquirers may levy on non-compliant retailers continues to be an issue. “If I, as a retailer, get a £5,000 fine this month, will I get another one next month too? And could the fines rise to £25,000? That’s the highest I have seen,” he says.

Burns says transparency is necessary because retailers need something more tangible than the threat of damage to a brand’s reputation to make a business case for costly compliance projects.

Retailers complain that none of the versions of the self-assessment questionnaire fit their business model properly, and the BRC reports that different QSAs are interpreting the standard in varying ways.

While all of this goes on, UK retailers are left trying to comply with the standard as best they can.

Jewellery retailer Beaverbrooks is an example of one UK retailer working towards compliance. Head of management information systems Patrick Walker says that the IT department is working to make the branch and head office systems compliant, and will have rolled out a PCIDSS-compliant EPoS system before the end of the year.

The retailer is working with network provider Vodat International to provide a PCIDSS-compliant solution for card processing and its e-commerce platform provider Venda has also achieved PCIDSS compliance.

Beaverbrooks qualifies as a Level 3 retailer, as these categories are determined by the volume of transactions (Level 1 represents the highest volume), rather than their value. Walker says it is Level 2 retailers that are feeling the pressure to achieve compliance at the moment, so he wants to be ready for when attention turns to merchants of his size.

With Beaverbrooks using the Vodat network and its new EPoS system, transaction data will no longer be stored locally on the till system. Walker says that he wants to minimise the time the card information sits on the system, even though it will be encrypted. He adds that his merchant acquirer Streamline has informed Beaverbrooks of what it wants the retailer to do, and when, so he has no complaints. However, he says that the card schemes are changing the goalposts for the banks, which adds to confusion over what is required.

The retailer will spend “hundreds of thousands of pounds” on systems changes for PCIDSS accreditation, but Walker says that a lot of what is being invested in, such as the EPoS system, provides other benefits to the business.

While he is not aware of financial penalties for merchants at his level that are not yet compliant, he says that meeting the standard could be used as a bargaining chip when Beaverbrooks next renegotiates its payment processing charges. “Once we are fully accredited we would ask for a better rate,” he says.

Postilion has had the payment software it supplies to retailers validated to the Payment Application Data Security Standard (PA-DSS). McMurtrie says UK retailers have been slower than their US peers in insisting that suppliers achieve this compliance, “perhaps because of a lack of information, but more likely to do with the state of their PCIDSS implementation”.

McMurtrie warns that just because breaches in the UK are not reported in the same way as in the US, that does not mean they are not happening. “There is a legal requirement to report security breaches in the US – but there is an increased incidence of breaches around the world and the UK is no exception,” he says.

Retailers in this country face a two-pronged challenge. They must secure their systems, but they must also act together – whether through the BRC or as participating members of the PCI Security Standards Council – to ensure that the rules they are being asked to abide by reflect the actual risks they face today.


A transatlantic retailer’s approach to PCIDSS

Outdoor sporting goods retailer Orvis trades in the US and UK and has achieved compliance as a Level 2 merchant. US-based Orvis senior security analyst Todd Ponto oversees the PCIDSS compliance of the retailer’s UK website and 24 stores.

Orvis has chosen to go above and beyond the basic requirements of PCIDSS and some of the systems introduced also make it easier to maintain compliance. For instance, Ponto explains Orvis invested in the QRadar system from Q1 Labs to monitor whether credit card information is being transmitted anywhere on its corporate network. The retailer has also invested in software that monitors all files and makes sure no rogue applications that can collect and transmit data are installed anywhere on its network.

This proactive monitoring has reduced the manual checking processes that Orvis must complete to ensure the security of its systems is not compromised. The security systems also alert Ponto to other systems changes that may be made over the year that could mean the retailer is no longer compliant.

Ponto says that it would not be possible to keep an eye on all the systems changes that take place manually. As an additional measure, Orvis has a change management ticketing system in place, which other staff in the business must use to request changes so Ponto can check if they are likely to affect payment card data.
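The two controls described above, a monitor that flags card numbers crossing the corporate network and a file baseline that exposes unexpected software changes, can be illustrated with a small defensive script. The example below is added here and is not code from Orvis, Q1 Labs or QRadar; it uses the Luhn check that card numbers satisfy to separate real primary account numbers from look-alike digit strings, and a SHA-256 baseline to list added, removed or modified files. The payloads, file paths and contents are constructed sample data, and the card numbers are the public test numbers issuers publish, not real cards.

```python
import hashlib
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes
# (e.g. "4111 1111 1111 1111"), not adjoining other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep first six and last four digits so an alert never stores a full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str):
    """Return (masked_pan, offset) for every Luhn-valid candidate in the text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append((mask(digits), m.start()))
    return hits


def scan_payloads(payloads):
    """payloads: list of (src, dst, body). Alert on any body carrying a valid PAN."""
    alerts = []
    for src, dst, body in payloads:
        for masked, off in find_pans(body):
            alerts.append({"src": src, "dst": dst, "pan": masked, "offset": off})
    return alerts


# Constructed sample traffic: two bodies carry real (test) PANs, one carries a
# 16-digit order id that fails Luhn, one carries a mistyped number that fails Luhn.
SAMPLE_PAYLOADS = [
    ("10.0.1.15", "10.0.2.8", "POST /order HTTP/1.1\r\n\r\ncard=4111 1111 1111 1111&exp=1210"),
    ("10.0.1.15", "10.0.2.8", "order_id=1234567890123456&status=shipped"),
    ("10.0.3.7", "203.0.113.9", "log: ref 5555555555554444 sent to partner"),
    ("10.0.1.20", "10.0.2.8", "card=4111111111111112 test"),
]


def baseline(files):
    """files: dict of path -> bytes (hypothetical in-memory file set). Hash each file."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def integrity_diff(base, current):
    """Compare a stored baseline with a fresh snapshot of hashes."""
    added = sorted(set(current) - set(base))
    removed = sorted(set(base) - set(current))
    modified = sorted(p for p in base if p in current and base[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


# Constructed till file sets: a config edit and an unexpected new library appear.
BASELINE_FILES = {"/pos/bin/epos.exe": b"epos v1", "/pos/cfg/settings.ini": b"debug=0"}
CURRENT_FILES = {
    "/pos/bin/epos.exe": b"epos v1",
    "/pos/cfg/settings.ini": b"debug=1",
    "/pos/bin/unknown.dll": b"not in baseline",
}

if __name__ == "__main__":
    for alert in scan_payloads(SAMPLE_PAYLOADS):
        print("PAN in transit:", alert)
    print("file changes:", integrity_diff(baseline(BASELINE_FILES), baseline(CURRENT_FILES)))
```

Only the first and third sample payloads raise alerts: the order id and the mistyped card number fail Luhn, which is what keeps this kind of monitor from drowning an analyst in false positives, and the alert records a masked PAN so the monitoring system does not itself become a store of card data. The file diff reports the changed settings file and the new library, the kind of change a ticketing process would be expected to have a record for.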

He adds that the introduction of version 1.2 of the standard has definitely increased the requirements compared with earlier versions and he expects this to happen again when the next version is launched.

Ponto adds that he would be concerned about making all the changes necessary in the time frame required when the standard is upgraded if he were a Level 1 merchant, but three months is enough time for his business, and retailers can ask for waivers if they are working towards achieving compliance with the updated rules.

PCIDSS version 1.2 lifecycle

Phase                                   Dates
Market implementation                   October 1, 2008 to June 30, 2009
Feedback                                July 1, 2009 to October 31, 2009
Feedback review and decision            November 1, 2009 to April 30, 2010
New version/revision and final review   May 1, 2010 to August 31, 2010
Discuss new version/revision            September 30, 2010