• E-tailers Face Credit Card Security Deadline
  • June 16, 2005
  • Law Firm: Manatt, Phelps & Phillips, LLP - Los Angeles Office
  • Whether they know it or not -- and according to observers, many don't -- Internet merchants are facing a June 30, 2005, deadline to tighten their consumer data handling policies and network security.

    Last December, Visa, MasterCard, American Express, Discover, and their issuing banks adopted a unified set of broad data protection policies. Failure by Web retailers to comply with these measures could result in fines of up to $500,000 for each transaction or a permanent bar from the card acceptance program.

    The deadlines were announced last year, but apparently many online merchants have not yet implemented the systems needed to comply with the standards, known collectively as the Payment Card Industry (PCI) Data Security Standard, or have not gotten independent certification of their compliance, as most are required to do. Experts estimate that most U.S. merchants are only about 30 percent prepared.

    The PCI data standard replaces similar individual standards separately promoted for years by the credit card companies, in an attempt to encourage a proactive response to the problem of online credit card fraud. (Diner's Club and JCB Cards are also participating in the effort.) The standard applies across the board, so that merchants who satisfy one card issuer that their systems are secure and compliant can assume that they are compliant for all the cards. The standards revolve around 12 specific measures in six areas of security, including:

    • Build and maintain a secure network. Merchants must install and maintain a firewall configuration to protect data. They also may not use vendor-supplied passwords or other default security measures.
    • Protect cardholder data. Merchants must encrypt transmission of stored data and other sensitive information when sending it across public networks.
    • Set up a program to manage security weaknesses. This will include using and regularly updating antivirus software, and developing and maintaining secure systems and applications.
    • Establish foolproof access control. Access to consumer data must be restricted to those who need to know for business reasons, and each person accessing computer systems must have and use a unique ID. Merchants must also restrict physical access to cardholder data.
    • Test and monitor networks regularly. E-commerce sellers will have to track and monitor all access to cardholder data. They will also have to periodically test their security systems and procedures.
    • Establish and comply with a set of policies to keep information secure.

    All merchants processing their own card transactions will have to comply with these standards. But the card companies and financial institutions have set up a tiered system of requirements for validating that compliance, based on the volume of card transactions a merchant processes. This system makes certifying compliance more rigorous for Level 1 high-volume merchants, on the theory that they represent most of the fraudulent transactions. The compliance deadline has already passed for the top rank -- those clearing more than 6,000,000 transactions a year in any channel, online or offline, on a single card system, or having suffered a hack or an attack that resulted in an account data compromise. Those merchants have been compelled to submit to an annual on-site security audit and a quarterly network scan, either by their own IT officers or a qualified third party assessor.

    Level 2 and 3 are the merchants facing the June 30, 2005, deadline. Level 2 merchants are those processing 150,000 to 6,000,000 transactions per year on one of the participating cards. Level 3 are those merchants clearing 20,000 to 150,000 sales on a single card system. Those two groups will need to conduct a yearly self-assessment of their compliance and a quarterly network scan, which they can either perform themselves or have done by a qualified independent assessor. The first validation must be done by the end of this coming June.

    At the lowest tier, Level 4, are all other merchants processing credit card transactions, either physically or on the Web. These merchants must comply with the PCI standards just like their larger counterparts. But validating that compliance, with an annual self-assessment questionnaire and an annual network scan, is optional, although "strongly recommended" by the credit card companies. Since validation of compliance is voluntary at this level, these smallest merchants don't face a deadline.

    The card issuers won't disclose how many Level 1 merchants have already met and certified the required security standards. But reports indicate compliance at the top has been high, partly due to the cooperation and persuasive powers of the banks that sponsor the merchants into the card networks. At the lower levels, the security situation is more of a mixed bag. Although most merchants apparently are making some effort to comply, they may not be securing customer data to the required degree. Among the smallest merchants with limited resources to devote to security, the security status quo may be even spottier.

    Significance: It is unlikely that merchants who can't certify security will find themselves barred from processing card transactions or facing a massive fine on July 1, 2005. The card companies have all indicated a willingness to work with the merchants and their sponsoring financial groups, provided they can show a good faith effort to come into compliance with the PCI standards. Merchants who are unsure about what standards they will need to meet should contact either the card issuer or their bank. Merchants who are not certain they will meet the June 30 deadline should try to demonstrate that they have developed a compliance plan with a timeline and deliverable dates.