
Article information

  • Title: New security standards designed to protect shoppers' credit card info
  • Author: Monegain, Bernie
  • Journal: Gourmet News
  • Print ISSN: 1052-4630
  • Publication year: 2005
  • Volume: Jun 2005
  • Publisher: United Publications, Inc.

New security standards designed to protect shoppers' credit card info

Monegain, Bernie

In light of customer credit card and bank information being stolen from three big retailers, Visa, MasterCard and a group of other credit card providers established new computer-security standards aimed at safeguarding personal data.

The initiative to launch the new standard followed two recent security breaches: one at Polo Ralph Lauren, where information on roughly 180,000 customers was reportedly compromised; and the second at shoe retailer Designer Shoe Warehouse, which involved the theft of information from more than 1.4 million credit cards and 96,000 check transactions.

Customers' credit card security was also the subject of this month's Gourmet NewsPoll. (See the results on page 30.)

The Payment Card Industry Data Security Standard consists of 12 primary requirements, which are made up of more than 200 sub-requirements. Among the requirements are firewalls, anti-virus software and encrypted data. The deadline for compliance is June 30. Failure to comply can carry a penalty of up to $500,000. The security-related fines are levied on the merchants' banks, and banks can pass the fines on to the merchants and third-party processors, reported the Wall Street Journal.

"Complying with each of these standards on a daily basis can be difficult for the small retailer who has limited to non-existent IT staff," said Chris Noell, vice president of business development at Solutionary Inc., a managed security services firm based in Omaha, Neb. (See related sidebar on page 4.)

One of the areas of confusion around the new security standards has to do with deadlines.

All retailers who transmit, process, or store credit card data are required to be compliant with the PCI Data Security Standard. However, validation requirements and deadlines depend on the retailer's card processing volume.

"You can think of the difference between compliance and validation as the difference between a standard and an audit," Noell said. "Unless a retailer's bank or payment processor indicates otherwise, there is no validation requirement for retailers doing less than 20,000 e-commerce transactions and six million total transactions a year."

However, compliance validation "is strongly recommended," said John Verdeschi, vice president of e-business and emerging technologies at MasterCard. Verdeschi would not discuss the penalties for failing to adhere to the new rules.

"MasterCard does not publicly divulge non-compliance assessments," he said.

Copyright United Publications, Inc. Jun 2005
Provided by ProQuest Information and Learning Company. All rights Reserved
