The common standard designed to limit the threat of security breaches in the card industry has met with a slow response. Some say that more details need ironing out. Stephen Timewell reports.

Protecting customer data is less expensive than dealing with a security breach. But complying with the Payment Card Industry Data Security Standard (PCIDSS) and other initiatives aimed at limiting the threat to cardholder information can also be complex and costly. Banks and retailers that accept payment cards are stuck between a rock and a hard place, dealing with the growing risk of identity fraud in its many forms and adequately protecting customer information.

Credit card fraud was the most common form of identity theft in 2006, accounting for 25% of all reported occurrences in the US, according to the US Federal Trade Commission, with more than $48bn lost by financial institutions and businesses and $5bn lost by individuals. E-commerce fraud is also said to be on the rise, reaching $3bn in 2006, 7% more than the previous year.

The theft in the US earlier this year of more than 45 million credit and debit card details from TJX Inc (which owns TJ Maxx and other retailers) increased pressure for security on companies that store, process or transmit cardholder data. The security breach also forced TJX to take $20m in charges in its latest results.

Consistent measures

To reduce this growing fraud, five card industry giants – Visa International, MasterCard Worldwide, American Express, Discover Financial Services and JCB – joined forces to facilitate the broad adoption of consistent data security measures on a global basis. In January 2005, the five published a set of security best practices – PCIDSS – to provide a single global data security standard rather than a range of different, scheme-specific practices.

The PCIDSS includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. Having established a common approach, the next key issue has been compliance.

But, as with many similar global efforts, achieving the desired goals has not been easy: validation procedures differ among the five members, and the structures in place differ from region to region.

Stanley Skoglund, senior vice-president for policy compliance at Visa, says that the original deadlines for compliance were unrealistic and that the US is 12 months ahead of the rest of the world. He adds that different interests need to be accommodated.

Low compliance

While financial regulators reportedly want to see the card industry regulate itself and the PCIDSS represents a significant step forward, the speed of compliance around the world is a major issue. US researcher Forrester claims that compliance levels remain low because the consequences for non-compliance were not made clear. Forrester notes that only 36% of Visa’s level one merchants and 15% of its level two merchants are compliant. This indicates there is still much to be done and the process is costly.

Research from Forrester shows that some companies can spend up to 10% of their IT budgets on PCI compliance, but that those that already have a robust security programme should not need to spend more than 1%-2%. Getting over the initial hurdle of PCI compliance can be a major cost: a recent study by US research firm Gartner shows that level one merchants spend about $125,000 on assessment and $566,000 on achieving compliance, while level two merchants spend $105,000 and $267,000 respectively. Visa has also announced that it will levy fines of between $5000 and $25,000 per month on level one and level two merchants that are not compliant by September 30 and December 31, 2007, respectively. For banks, PCI compliance is yet another added cost in the ever-increasing overall regulatory burden.

But that is not all. PCIDSS may cover five major card schemes but there are many more card schemes worldwide – such as China’s UnionPay and the 10 domestic debit schemes in Europe – that are not included. How will they respond to the data protection challenge?

Francesco Burelli, principal at UK consultant Capco, believes Europe’s 10 debit card networks differ significantly from each other and have less formally structured rules on topics such as data protection. He says the imminent outcome of the Single Euro Payments Area (Sepa) for debit cards is still very unclear.

Although the European Commission has raised the issue of data security in its recent first draft, Oversight Framework for Card Payment Schemes, this document is much more broad-based than the PCIDSS requirements and is still in the development rather than the adoption phase, says Mr Burelli.

He believes that both are much-needed initiatives to limit the threat to cardholder information, especially in fragmented markets; nevertheless, compliance standards and requirements must keep evolving to combat an evolving fraud industry and the weaknesses left unaddressed by the banks. The protection of card data has a long way to go.

The Banker is a service from the Financial Times.