Monday, November 26, 2007

New Credit Card rules for the Merchants set by PCI Standards

Christmas is coming, and with it the start of the holiday season. But it is not jingle bells or caroling choirs that can be heard these days; it is the ka-ching of the cash register, or rather the hiss of swiped credit cards.

This year those happy holiday sounds have been dampened a bit for merchants because of ongoing security fears and a grinch known as the PCI SSC, or the Payment Card Industry Security Standards Council.

A November report by Pleasanton, Calif.-based research firm Javelin Strategy & Research reveals that sixty-three percent of consumers believe merchants are the "weak link" when it comes to data security.

Retailers find themselves exposed to credit card fraud at numerous points along the payment chain: data thieves -- sometimes store employees -- cull data as shoppers swipe cards at the register, intercept it as it is being sent out for processing, or steal it straight out of storage files that may not be properly protected.

The PCI SSC is a quasi-independent group founded by the world's credit card networks -- American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International. The aim of forming this group was to improve data security standards throughout the payments industry.

According to the group, merchants need to beef up security to avoid credit card fraud, but merchants say the council's demands are too high and might not solve the problem anyway. A few small payments companies, including one in Delaware, have come forward to provide potential solutions they say will protect both merchants and customers.

The PCI standards dictate how everyone along the payment chain -- including merchants, processors and gateways, banks, card issuers, and the credit card networks themselves -- should store, transmit and process sensitive credit card data.

Through the PCI Standards, the world's credit card networks have told merchants that if they want to keep their customers swiping, they must comply.

The card networks have set a deadline and have said they'll slap fees on any merchant that doesn't get into shape by then. Merchants that process more than 6 million credit card transactions per year were supposed to comply by Sept. 30 or face monthly fines of $5,000 to $25,000. The second tier of merchants, those that process between 1 million and 6 million transactions annually, are supposed to be compliant by Dec. 31.

The goal is to keep credit card data safe and avoid another TJX nightmare. TJX Cos., which owns off-price retailers like Marshalls and T.J. Maxx, stated publicly earlier this year that it had lost 45.7 million credit card numbers (court documents now say the number could be closer to 100 million) and has since set aside more than $256 million for damage control.

Javelin said that complying with PCI's security standards is costly for merchants. Depending on the size of the company and the payment system it uses, the price tag for technology upgrades, audits and maintenance could range from several thousand dollars to seven figures.

Bruce Cundiff, the report's co-author, says: "Merchants are feeling overburdened by this. They're really the ones who are feeling the pressure from Visa and MasterCard."

Merchants agree with the group that something should be done, but beefing up security at the retail level is not the best answer, they say.

"All of us -- merchants, banks, credit card companies and our customers -- want to eliminate credit card fraud," the National Retail Federation's Chief Information Officer David Hogan wrote to the PCI SSC in October. "But if the goal is to make credit card data less vulnerable, the ultimate solution is to stop requiring merchants to store card data in the first place ... it makes more sense for credit card companies to protect their credit card data from thieves by keeping it in relatively few secure locations than to expect millions of merchants scattered across the nation to lock up their data for them."

A recent study by Forrester Consulting on behalf of security company RSA has found that eighty-one percent of merchants store credit card numbers and 73 percent store credit card expiration data.

A Delaware company thinks it has found a solution: skip over the merchant entirely, never allowing retail stores to collect the card data, much less store it.

According to Jason J. Gwynn, vice president of sales at a Wilmington-based payment processing company, Electronic Payment Exchange (EPX), "At the end of the day, if you don't have the cardholder numbers, you're in no danger of exposing them if you're compromised."

The Delaware company, which employs about 20 people at its headquarters on Naamans Road and about 20 more in a Phoenix-based payment processing facility, says its system transmits data from the card directly to the payment processor, leaving the merchant with a unique 19-digit code that can be used later to trace the transaction in case of returns, charge-backs, or customer disputes. This code is useless to data thieves because it cannot be traced back to the card.

A similar type of product is offered by Shift4 Corp., a Las Vegas-based payment gateway that gives merchants a digital "token" for each transaction.

"We take the data completely out and then give the merchant something else," says Randy Carr, the company's vice president of marketing. "Technology in the security space is the equivalent of building higher walls around the data. ... Hackers just bring taller ladders ... the only way to really win this fight is to take the data out of the end points."
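To make the token approach concrete, here is an added example (not EPX's or Shift4's code) of a processor-side vault: the card number is held only at the processor, the merchant gets back a random 19-digit token for each transaction, and only the processor can map it back for a return or charge-back. The 19-digit length follows the figure quoted above; the Luhn check, class and function names, and the test card number are my assumptions.

```python
"""Processor-side tokenization vault (illustrative; not EPX's or Shift4's product).

Assumptions: the processor keeps the token-to-PAN map; tokens are random 19-digit
strings with no mathematical relation to the PAN; the merchant stores only the
token, the last four digits for receipts, and the amount."""
import secrets
from dataclasses import dataclass, field


def luhn_ok(pan: str) -> bool:
    """Luhn check to reject obviously malformed PANs before vaulting."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class ProcessorVault:
    """Lives only at the payment processor; the merchant never holds this map."""
    _store: dict = field(default_factory=dict)

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("PAN failed Luhn check")
        # Fresh random token per transaction: no key, no cipher, nothing to invert.
        while True:
            token = "".join(str(secrets.randbelow(10)) for _ in range(19))
            if token not in self._store:
                break
        self._store[token] = pan
        return token

    def lookup(self, token: str) -> str:
        """Processor-only path used for returns, charge-backs and disputes."""
        return self._store[token]


def merchant_record(vault: ProcessorVault, pan: str, amount_cents: int) -> dict:
    """What the merchant keeps on file: token, last four digits, amount. No full PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan[-4:], "amount_cents": amount_cents}


if __name__ == "__main__":
    # Constructed test PAN (a well-known Luhn-valid test number), not a real card.
    print(merchant_record(ProcessorVault(), "4111111111111111", 1999))
```

Because each call returns a new random token, a stolen merchant database yields neither the card number nor a value that links two purchases on the same card.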
