Credit Card Insecurity

The PCI Security Standards Council, the consortium of Visa, Mastercard, Discover, JCB, and American Express, mandated that Tier 1, 2, and 3 merchants (those handling more than 6 million transactions per year, those with 150K to 6 million transactions a year, and those with 20K to 150K transactions a year, respectively) be in compliance with the PCI Data Security Standard by June of last year. A newer version of the standard took effect Jan. 1 of this year.

We’re hearing from clients that the card brands have begun to send out auditors and assess fines. So far the auditors have handed out relatively small fines to clients who have not met Payment Card Industry standards, but that could change. A major breach at TJX (T.J. Maxx, Marshalls, and HomeGoods stores), which occurred sometime between May and December 2006 and possibly earlier, has already affected dozens of banks (and their customers) in Massachusetts. Evidently the TJX breach involved storing customer card data on store POS systems, which is against PCI rules: the standard does not permit retaining sensitive authentication data (full magnetic-stripe contents, card verification codes, PIN blocks) after authorization, even in encrypted form. As a Tier 1 merchant, TJX can expect serious repercussions from the card brands. Besides fines, the possible sanctions include indefinite suspension of the right to process card transactions.

In spite of the threat of fines, Gartner Inc. analysts estimate that only 50% of Tier 1 merchants are actually compliant with the PCI requirements. Although a list of compliant card service providers is published, no list of compliant merchants is.

A related issue for direct-to-customer merchants is how their software vendors will support them when a vendor changes parts of its package that fall within PCI scope, such as the POS components: a vendor update can move stored card data or alter how it is handled, and the merchant remains the party responsible for compliance.

The whole subject of PCI compliance and related issues is liable to become even more important in the next few months: beginning June 30, 2007, even Tier 4 merchants (those with fewer than 20,000 card transactions a year) will be subject to PCI compliance standards or face fines. The potential exposure to fines for noncompliance is huge. We’re interested in hearing from readers about their experience with the PCI standards. How are you doing? Are you being penalized?
