Retailers that have been slow off the mark to become compliant with the Payment Card Industry Data Security Standard are now feeling the pressure.

It appears likely that the European payment card schemes will follow the lead of their US counterparts and begin more high-profile fining of acquiring banks. Having gently encouraged retailers to work towards compliance for the past couple of years, their patience is starting to wear thin.

Speaking to Retail Week on a visit to the Retail Business Show in London yesterday, the PCI Security Standards Council general manager Bob Russo confirmed that fines are being issued. When questioned on whether acquiring banks are passing these fines on to their merchants, he added: “It generally rolls down the hill.”

So retailers that have chosen to do little or nothing could soon find that their decision has been costly. In the US, Visa USA has been open about the fact that it is charging acquiring banks US$25,000 (£12,689) a month for each tier one merchant that has not verified it is compliant with the standard.

Fines for non-compliance by US tier two merchants – those processing between 1 million and 6 million Visa transactions a year – are US$5,000 (£2,538) a month.

Russo admitted: “Fines of any substance could put a small merchant out of business.” However, he also still toed the payment card brand line that the potential damage to your brand from a security breach should be the biggest motivator for working towards compliance.

In future, the standard is only going to get tougher, as the PCI Security Standards Council adds to it in order to keep up with ever-ingenious fraudsters. Russo described it as an “arms race”.

For instance, in June the standard will be updated with additional details covering application-level security. This has been recommended as best practice for the past year, because the council wanted to give retailers the chance to make changes and maintain their compliance.

Russo also warned that updates that the council believes will not affect the way retailers do business will be brought in without this time delay.

So the gap between how non-compliant retailers operate and the way they need to operate is getting wider. Some have been happy to sit and watch what their peers are doing to reach compliance in the past year, picking up tips while remaining outwardly defiant.

Although retailers never like being told what to do – and especially not by banks – the time has now come for the stubborn to admit that the waiting game is up.