The Compliance Gamble
Tony Bradley, CISSP-ISSAP

State of compliance

Visa recently released a report on the state of PCI compliance. In general, the statistics suggest forward progress, albeit slower than one might hope for. There is one big cloud over the report, though: some retailers continue to store sensitive card account data that they should not, putting that data in jeopardy and creating the conditions for a repeat of the TJX breach.

The good news is that 96% of the large Level 1 and Level 2 merchants claim to be compliant. The bad news is twofold. First, the 96% figure is based on the number of Level 1 and Level 2 merchants that have written to Visa stating that they are compliant. There is no audit or independent verification of that claim, so the statistic may not be accurate. Second, even if 96% is correct, that leaves 4% who openly state that they are still retaining magnetic stripe data from credit card transactions. PCI DSS prohibits storing the full contents of the magnetic stripe after authorization, even in encrypted form, because that track data is exactly what a criminal needs to produce counterfeit cards. Visa states that there are 327 Level 1 and 730 Level 2 retailers. If 4% are non-compliant, then roughly 13 Level 1 and 29 Level 2 merchants are still out of PCI compliance when it comes to retaining this data. They are either hoping to be protected by sheer luck, or they are betting that their network security is better than TJX's. Either is a game of chance that the retailers are playing with their customers' personal and financial information.

Penalty for non-compliance

Failing to comply with the PCI Data Security Standard does have consequences. The card brands have outlined fines and penalties up to, and including, the right to terminate the merchant status of a company that does not comply. For a major retailer, losing the ability to accept and process credit card transactions could mean the death of the company. Of course, you have to get caught first. Our society has outlined stiff penalties and jail time for those who rob banks and get caught. Those who rob banks and remain free just end up with a lot of money. As long as these merchants are not identified and not penalized, there are no consequences to non-compliance.

If their data is compromised, as TJX's was, they will face consequences. The merchant (acquiring) bank processing the credit card transactions may be fined by the card brands, and those fines are typically passed on to the merchant. Issuing banks may seek compensation for the damage control they are forced to initiate when their customers' card information is compromised: the cost of notifying customers, closing compromised account numbers and re-issuing cards can be extensive. Businesses and individuals may file lawsuits against the retailer for the harm caused by the retailer's negligence. The list goes on.

Costs to get compliant

Compliance is expensive, though. Legacy hardware and software may need to be replaced or upgraded to change the way data is processed or stored. Software that was created in-house may require significant re-development. Independent software vendors (ISVs) may have newer, compliant versions of their applications that are designed to run only on more current hardware or operating system platforms. Some retailers, particularly the very large Level 1 and Level 2 merchants, have multiple data centres and hundreds, or even thousands, of retail locations that would need to be updated in order to be compliant. The cost to develop or purchase a PCI-compliant software system, upgrade or refresh the hardware needed to run it, and deploy the solution across thousands of locations could be astronomical.

Doing the right thing

Somewhere in the back rooms of these corporations, I imagine teams of accountants running "what-if" scenarios to determine the potential cost of non-compliance and compare it against the cost of modernizing the point-of-sale (POS) and other payment systems. If non-compliance costs less than compliance, why bother? Besides, getting compliant has fixed costs that are certain to occur, whereas non-compliance costs nothing until you get caught.

So, what is a retailer to do? Hopefully, the right thing. There should be no comparison of doing the right thing versus doing the wrong thing. Criminals think in terms of consequences, or the lack of them if they are not caught. Corporations have an obligation to their customers and their shareholders to conduct business the right way.

The investment in compliance can be leveraged as a positive thing anyway. A retailer would not want to announce its plans to upgrade beforehand, because doing so would draw attention to its current non-compliance and make it a target for attack. However, once the systems are upgraded and the company is compliant, those facts can be marketing tools. The retailer can promote its investment in compliance and its efforts to put the customer first and do the right thing. It can be an opportunity to build a solid reputation, rather than risking the reputational damage that comes with losing the gamble on compliance and becoming the next TJX.

Tony Bradley is the author of PCI Compliance: Implementing Effective PCI Data Security Standards, published by Syngress.
Infosecurity US © Copyright 2008, Elsevier Ltd, All rights reserved.