Although faced with deadlines this fall that carry stiff fines from Visa for improper network storage of credit card data according to the PCI Data Security Standard, many merchants still see that data storage as crucial to customer service and sales, says data security expert David Glaser, vice president, worldwide professional services, CyberSource Corp., a provider of payment processing and security software and services.
Meeting the payment card industry, or PCI, security standard requires merchants to take steps to ensure that stored credit card data cannot be stolen from their networks. Most large, or Level 1, retailers, who face an Oct. 1 deadline to meet the PCI standard or face monthly fines from Visa of up to $25,000, are not yet compliant with the standard but have laid out plans to become compliant, Glaser says. Level 1 retailers are those that process 6 million or more credit card transactions per year.
“We’re seeing that the PCI standard is understood in the marketplace more than ever,” Glaser says. “But though more merchants are working on PCI compliance, the vast majority of Level 1 merchants are not compliant with PCI.”
Among the reasons for missing the deadline, experts say, are the large and expensive projects involved in updating databases and legacy computer systems to ensure that credit card account information is properly protected, whether by encrypting it, placing it behind firewalls, or not storing it at all. But retailers must also deal with the fact that, in many cases, storing customer credit card data can be crucial to serving customers and growing sales, Glaser says.
Retailers often like to support recurring purchase transactions with data stored in online accounts or e-wallets, for example, and to have payment card account data handy to be able to quickly process refunds without having to ask a customer again for their account information, Glaser notes. Stored account data also can be useful when trying to reconcile records of chargebacks, or cases where a transaction is charged back to a merchant because the cardholder denied making a purchase, Glaser says.
Merchants often work with qualified security assessors, or specialists certified by the PCI Security Standards Council to help merchants ensure that their computer networks and data storage policies meet PCI standards. The PCI Security Standards Council, founded by Visa and other credit card companies, is charged with establishing the security standards and educating merchants about them. But enforcement of the standards is left up to the credit card companies themselves.
One option for retailers is to store credit card data in hardened facilities outside of their own network. CyberSource, for instance, provides a Secure Storage application that stores a merchant’s payment transaction and account data and a Hosted Payment Acceptance application that hosts a merchant’s payment page within its online shopping cart process.
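The pattern described above, in which the merchant keeps only a reference to card data held elsewhere yet can still run recurring charges and refunds, as an added illustration that is not CyberSource’s code or any real vendor’s API; the Vault class is a hypothetical stand-in for an external secure-storage service and the card numbers are constructed test values:

```python
import re
import secrets
from dataclasses import dataclass, field


def luhn_valid(pan: str) -> bool:
    """Luhn check so malformed numbers are rejected before they are ever stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class Vault:
    """Hypothetical external storage: the only place the full PAN lives."""
    def __init__(self):
        self._cards = {}

    def store(self, pan: str) -> str:
        if not re.fullmatch(r"\d{13,19}", pan) or not luhn_valid(pan):
            raise ValueError("invalid PAN")
        ref = secrets.token_urlsafe(16)   # random reference, derived from nothing in the PAN
        self._cards[ref] = pan
        return ref

    def charge(self, ref: str, amount: int) -> dict:
        pan = self._cards[ref]            # PAN is used here and never returned
        return {"ok": True, "last4": pan[-4:], "amount": amount}


@dataclass
class CustomerRecord:
    ref: str            # vault reference; useless to a thief without vault access
    masked_pan: str     # only the last four digits, for receipts and support
    charges: list = field(default_factory=list)


class Merchant:
    def __init__(self, vault: Vault):
        self.vault = vault
        self.customers = {}

    def add_card(self, customer_id: str, pan: str) -> None:
        ref = self.vault.store(pan)
        self.customers[customer_id] = CustomerRecord(ref, "*" * (len(pan) - 4) + pan[-4:])

    def recurring_charge(self, customer_id: str, amount: int) -> dict:
        rec = self.customers[customer_id]
        rec.charges.append(amount)
        return self.vault.charge(rec.ref, amount)

    def refund(self, customer_id: str, amount: int) -> dict:
        return self.vault.charge(self.customers[customer_id].ref, -amount)

    def stores_no_pan(self) -> bool:
        """Audit helper: no 13-19 digit run anywhere in the merchant's own records."""
        return all(not re.search(r"\d{13,19}", r.masked_pan) for r in self.customers.values())
```

Because refunds and repeat charges are addressed by reference, the merchant database can satisfy the “not stored at all” path without losing the customer-service functions the article describes.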