PCI Compliance: Who wins?

April 22, 2009

A few weeks back, the NRF told a congressional panel "that security standards imposed on merchants by the credit card industry are only 'an elaborate patch,' and that a system in which retailers would not be required to store card numbers would do a better job of protecting consumers against credit card fraud."

Great idea, right? The only problem: for now, credit card security is in the hands of the retailer. And with new PCI deadlines looming and cyber crime becoming tougher to fight, the question begs to be asked: when all is said and done, who wins?

The retailer?
In 2008, Gartner reported that merchant spending to protect cardholder data and become PCI compliant increased nearly fivefold during the previous 18 months. Among the Level 1 retailers Gartner surveyed, an average of $2.7 million was spent to become PCI compliant, excluding the costs of PCI assessment services. Level 2 merchants reported spending $1.1 million on PCI compliance (compared to $267,000 in fall 2006) and an average of $135,000 on assessment.

And the PCI July 2010 pinpad upgrade deadline will only increase the financial burden. The C-store/petroleum industry is estimating the pinpad upgrade will cost as much as $1 billion, plus another billion to meet unmanned payment terminal standards and yet another billion for EMV. As a matter of fact, Bob Sleeper, director of IT for Rutter's Farm Store, said at the NACS/CSNews CIO Roundtable, "If things don't change, we think most companies will spend their 2009 and 2010 technology budgets on PCI-related mandates."

The consumer?
We have all heard the rumors – breaches are happening to companies who claim to be PCI compliant. Bob Russo, general manager of the PCI Security Standards Council, states in a Washington Post article, however, that "the council has never found a breached entity that was later found to have been in full compliance with the PCI standards at the time of the breach."

Yet a recent report released by Verizon found that "in 3/4 of the confirmed breaches it investigated last year the victims were not compliant with PCI DSS or had never been audited. Another 19% were found to be PCI compliant during their last assessment."

The credit card companies? Maybe...
Or maybe it's not about winning or losing at all, but about how we play the game. While we all may agree with the NRF, for the time being, credit card security is in your hands. What you choose to do with it is what counts.

Circle K recently announced (as many other retailers have or will as well) that it is "taking steps to further secure card payments and customer information, especially at the fuel pump." The company is adding Gilbarco Veeder-Root FlexPay Encrypting PIN Pads and Encore S fuel dispensers to help the chain become compliant with Triple Data Encryption Standard treatment of PIN numbers entered by consumers during debit-card transactions at the pumps.

While PCI is the driving force on this endeavor, we all win if we work together to make the goal security. In a previous blog I posted: We need to stop asking “How do we get PCI compliant?” and start asking, “How do we get secure?”

Jeff Wakefield of VeriFone summed it up best: “Your goal should not be to get PCI Compliant. Your goal should be to secure your payment processes and hopefully you get compliant in the process.”

Please share with us ways in which you have turned getting PCI compliant into a positive for you and your customers.

 


Dana Harder, Marketing Director, tekservePOS