Credit Card Insecurity


The PCI Security Standards Council, the body formed by Visa, MasterCard, Discover, JCB, and American Express, required Tier 1, 2, and 3 merchants (those handling more than 6 million transactions a year, 150K to 6 million transactions a year, and 20K to 150K transactions a year, respectively) to be in compliance with the PCI Data Security Standard by June of last year. A newer version of the standard took effect January 1 of this year.

We’re hearing from clients that the card companies have begun sending out auditors and assessing fines. So far the fines handed to clients who have not met Payment Card Industry standards have been relatively small, but that could change. A major breach at TJX (T.J. Maxx, Marshalls, and HomeGoods stores), which took place sometime between May and December 2006 and possibly earlier, has already affected dozens of Massachusetts banks and their customers. By all reports the TJX breach involved storing customer card data on store POS systems, which PCI rules prohibit: the standard forbids retaining full magnetic-stripe data after authorization at all, and requires any card numbers that are stored to be protected. As a Tier 1 merchant, TJX can expect serious repercussions from the card companies. Beyond fines, the sanctions available include indefinite suspension of its right to process card transactions.

In spite of the threat of fines, Gartner Inc. analysts estimate that only about half of Tier 1 merchants are actually compliant with the PCI requirements. Although a list of compliant card service providers is published, there is no corresponding list of compliant merchants.

A related issue for direct-to-customer merchants is what support their software vendors provide when a vendor changes parts of its package that bear on compliance, its POS components for instance.

The whole subject of PCI compliance and related issues is likely to become even more important in the next few months: beginning June 30, 2007, even Tier 4 merchants (those with fewer than 20,000 card transactions a year) will be subject to the PCI compliance standards or face fines. The potential exposure to fines for noncompliance is huge. We’re interested in hearing from readers about their experience with the PCI standards. How are you doing? Are you being penalized?


Reader Comments

We have been hoodwinked. There is absolutely no rational basis for this level of increase. There should be a law against this. Is there no recourse? Nothing else to be done? Appeal? Lawsuit? New legislation?

Bill Mac