Technology/Services

PCI Penalties

Potential fines, added costs to meet standards from Visa rattle retailers

NASHVILLE, Tenn. -- Facing fines of up to $50,000 and annual audits of up to $200,000, attendees at the NACStech conference in Nashville, Tenn., focused discussion on compliance with payment card industry (PCI) standards that credit-card giant Visa has recently threatened to enforce.

Nowhere was the buzz surrounding the development more clear than at an educational session on PCI standards held Tuesday morning at the annual technology conference. After asking panelists a question, retailer Brian Carrier, director of information technology for NOCO Energy Corp., told CSP Daily News that in order to comply, his company would have to hire a data security firm to run costly tests.

"Every year they would try to 'scan' or break into my network," said the IT director of the 31-store chain based in Tonawanda, N.Y. "But the thing is, I've asked for estimates that started [in the hundreds of] dollars and grew to $22,000 a year."

Carrier said his company still got off easy because his merchant bank classified NOCO as a Tier 2 company, which allows the firm to forego annual audits that Carrier said may cost in the range of $100,000 to $200,000.

"The trick is not to be named a Tier 1 company," he said.

But even for Tier 2 companies, noncompliance can mean big fines. Via a letter from his merchant bank, Carrier discovered his company could face a $5,000 fine if the chain did not carry out the scanning process by Sept. 30, 2007. If NOCO did not complete the necessary tasks or implement the proper processes within four to six months after that, the fine would leap up to $25,000 and in the time period after that, $50,000.

One Oklahoma retailer with more than 100 locations told CSP Daily News that he has had a staff member on the task of PCI compliance for more than a year. The retailer, who asked not to be identified, said his company was of Tier 1 status.

Reviewing the issues surrounding PCI, panelist Derek Reed of Chicago-based Ambiron TrustWave stressed the importance of documenting a company's security processes. "You'll go down the checklist of [200-plus] points and say, 'Yes, yes, we do that, yes,' but can you prove it?" he said. "The buzz word for PCI will be 'logged data.'" Ambiron TrustWave is a provider of information security and compliance management solutions.

What Reed called weak payment applications can threaten data security, meaning that the software developed to transact credit-card data via on-site point-of-sale devices may allow for non-compliant processes. Smaller companies may not have firewalls in place, creating a serious potential for hacking. And remote locations, potential access points to a chain's network, can present opportunities for data breach.

Proper compliance means instilling a process inclusive of the identification of all assets or data-entry points in a company's electronic network, an assessment and alert system, a way to enforce and remedy any situation that arises, and finally, a way to verify and validate problem resolution, said George Sconyers, of Ellisville, Mo.-based American Technology Corp., which develops compliance, security and management solutions for retail systems.

From what panelists said, PCI is a standards entity that developed criteria for credit-card data security. The credit-card associations, via member banks, have the task of enforcement. So far, Visa has taken the lead in that task.

"The key message beyond the requests [that credit-card companies are requiring] is to look at securing your [data] assets," said Ed Collupy, vice president of information services for The Pantry, Sanford, N.C., and moderator for the session. He said his company is preparing for an audit that would take place in the next couple of months.
