PCI: Legislation Looms

Last month, we published an insert that served as an educational tool for retailers on why they should (and how they could) attain PCI (payment card industry) DSS (data security standard) compliance. The piece resonated with many and raised the ire of some. Among the latter, the resounding theme was that the entire initiative is a means for "the likes of Visa to profit." Nonsense, I say, and it's that misunderstanding that will give naysayers something far more bothersome to complain about. To them I warn: Keep complaining; governmental intervention is on its way.

High-profile cases of identity theft and credit fraud have placed retail at a critical point, one that has tested the individual responsibility of our brands and our collective ability to act in the best interests of both the industry and the consumer. The right approach is to prove the effectiveness of industry self-regulation by throwing your enterprise behind the PCI DSS (at this point, a purely voluntary standard) and devoting resources to becoming compliant. But according to Visa, there is much work to be done to that end. The credit card giant says only approximately 40% of level-one merchants (those conducting 6 million Visa transactions per year) and about 16% of level-two merchants (those conducting 1 to 6 million Visa transactions per year) are verified compliant to date. If these stats don't quickly improve, Congress will likely act, especially if another TJX-style breach finds itself plastered all over the mainstream press. Various pieces of legislation have already been proposed, calling for more stringent regulations to secure the collection and transmission of consumer payment information. The NRF (National Retail Federation), in its steadfast effort to protect and defend the retailer, takes the stance that congressional intervention is unnecessary. But it also calls the current standard "convoluted." Meanwhile, Congress sees a divided industry with many differing opinions on the matter. It sees constituents (consumers) at risk in high-profile security breaches. And it sees lackluster progress in the effort to protect consumer data. You do the math.

Noncompliance: More Burdensome Than Getting Compliant
The PCI DSS lays out the steps to compliance in clear English. But executing it requires time, money, human resources, and coordination among vendors. The latter of those four might seem the most daunting, but the risk associated with the alternative is scarier still. Yes, the payment card industry (i.e. "the likes of Visa") can impose fines on its participating merchant acquirers for noncompliance, especially in the event of a breach. But there's no evidence that any of the big five credit card companies are stuffing their coffers with revenue generated by fines. Furthermore, Visa threatens to disassociate itself from merchants that suffer a breach due to noncompliance. While losing the ability to accept a major card is most devastating to the merchant, it also would prove detrimental to the card company. Trust me, Visa doesn't want to impose penalties on merchants any more than it wants to jeopardize its own business.

I'll close with three calls to action. Become compliant, get audited, and then stay compliant. Staying out of hot water with the PCI means avoiding hotter water when (or if, depending on your persuasion) Congress gets involved.