Feeling Secure?

"Experts" help retailers withstand first wave of PCI-compliance standards

OAK BROOK, Ill. -- Unlike the hype and hullabaloo surrounding the "Y2K" changeover from 1999 to 2000, this time no one expects the lights to go out or planes to fall from the sky. When this year's calendar switches over to July 1, however, a subtle but nonetheless historic shift could very well endanger the future of retail enterprises that their owners and leaders spent lifetimes putting on the map.

The now-infamous date -- July 1, 2010 -- represents the day by which any merchant or service provider who stores, processes or transmits customer payment-card data must adhere to information security controls and processes meant to ensure data integrity. Translated into industry terms, any retailer who wishes to continue accepting Visa debit cards at the fuel island will have to spend thousands of dollars -- even millions, in cases of operators of large chains -- updating card-processing equipment and software.

The fate of those who choose to ignore the deadline, as imposed by payment-card industry (PCI) titan Visa Inc., remains unclear. A noncompliant retailer whose location suffers through a data breach, however, might not survive the aftermath, financially speaking.

"If there's fraud, then come July 2, the banks will have transferred responsibility over to the dealer or the retailer, and that's the big distinction," Don Churchey, a sales and marketing representative for Ewing Oil Co., Hagerstown, Md., told CSP Daily News. "The bank is not only going to charge you for what's fraudulent, but they're also going to put a stiff fine on you. They're going to make someone a guinea pig out there."

Such potential dangers have driven retailers large and small into the comforting arms of vendors, industry associations and other third-party resources in their quest to become "PCI compliant," a rather nebulous phrase whose definition will continue to change in light of ongoing mandates beyond the July 1 deadline. The unfixed nature of compliance standards -- a "moving target," as described by one retailer -- has created a new-business submarket, as well as an atmosphere of confusion.

"It's an evolving standard, and we found that even the so-called experts didn't understand it," said Steve Palmer, CFO of Car Wash Enterprises, a Seattle-based operator of more than 40 car washes, gas stations and combination sites. Car Wash Enterprises turned to a vendor named Coalfire Systems Inc., Louisville, Colo., for guidance in meeting existing standards, beginning with a gap analysis to determine areas of potential weakness. The car-wash operator "went through a couple of companies" in the process of finding the right partner, according to Palmer.

"There are a lot of pitfalls out there, so it can be difficult IDing someone who knows what the standards are and what's required," he said. "With the gap analysis, they are looking at our current configuration, the areas we need to have fixed. It's a two-step process, and we'll bring in a QSA (qualified security assessor) to certify it."

Retailers such as Car Wash Enterprises are smart to have sought help early because "the hill's only going to get steeper," according to David Cincera, vice president of business development for Innovative Control Systems Inc., Wind Gap, Pa., which provides equipment and software to car-wash operators. The company also operates one Sparkle Car Wash in Stroudsburg, Pa., to field-test and prove out new applications.

"The worst risk is that if there's a breach for whatever reason and it gets traced back to you, you not only have to pay the fines -- say, $25,000 to $50,000, which might be a killer in itself -- but you also have the chance of going from a level 4 [merchant] to a level 1 [merchant]," he said, referring to the levels assigned to retailers based on Visa transaction volume over a 12-month period. "It would cost you so much to comply that you are not going to survive.... If you can say 'I've done everything I can to secure it' and a breach still occurs, PCI compliance is your lifeline.

"My advice to operators is that they should seek the help of a professional organization and not try to do it themselves," he continued. "It could be a consultant organization, it could be one of the authorized scanning vendors that provide services for a fee, or it could be a payment-application [or software] vendor, which is what we are. But get help, because the greatest assurance of keeping a business running is to make sure 'I know I am in PCI compliance'."

Despite retailers' best intentions, and despite the millions of dollars being spent to ensure the enhanced protection of consumer data, further breaches will doubtless occur at the hands of persistent hackers. The severity of post-breach reprimands, industry experts suggest, will be determined largely by the precautions taken leading up to the event.

"You can't buy the insurance after the house burns down," Cincera said. "There's a big difference between doing your best and still having a failure and being sloppy and having a failure. Being sloppy and having a failure is going to get [you] punished."

[For more on data security, look for the May cover feature in CSP magazine.]