Wednesday, April 24, 2024

Retailers Say, ‘Show Us the Fines’ on PCI, E-Commerce Exec Says

Merchants' sluggishness in achieving compliance with the Payment Card Industry data-security standard (PCI) is a source of some frustration to vendors like LaGarde Inc., but Michael Levin, executive vice president of marketing and business development for the Olathe, Kan.-based marketer of shopping-cart software for e-commerce, doesn't see the pace picking up any time soon. “It'll be a slow steady adoption until somebody gets busted,” he says. “I don't see it ramping up.”

According to figures released earlier this year by Visa USA, only 17% of 231 large merchants had complied with PCI; another 75% were in the process of meeting the standard, while 8% had submitted no compliance report at all. The original compliance deadline for online merchants, LaGarde's market, was June 2005.

As a selling point, the security rules have been “a big yawner” for LaGarde, Levin says. “It's frustratingly slow,” he says. “We've been doing press releases on it for a year and got no traction.” LaGarde offers a hosted cart that includes PCI-compliant payment processing, so any major move by merchants to achieve compliance would mean more business for LaGarde and its competitors. “It'll be great for us,” he says. “I've incurred the cost already of compliance.”

The problem, he says, is that there has been little public evidence of fines or other penalties from the card companies against merchants and processors found to be out of compliance. As a result, many retail executives focus on other concerns. “I don't think [small merchants] perceive the threat to them as being as great as it is,” says Levin, a former Sprint executive. “They're going to wait until somebody gets busted, a fine on a tier-three merchant.” As PCI is applied, tier-three merchants are those doing 20,000 to 150,000 online transactions a year.
Levin cites as an example the massive hack last year at merchant processor CardSystems Solutions Inc., in which intruders gained access to an unencrypted database containing some 40 million card accounts. The breach garnered headlines, but little or no news has been forthcoming regarding card-company fines in the case. Both Visa and American Express Co. notified CardSystems last summer that they would shut off the processor's access to their backbone networks. CardSystems' assets were acquired last fall by Pay By Touch Inc. Fines under PCI can reach $500,000 per breach.

LaGarde's difficulties in stimulating merchant interest in PCI mirror the experience of vendors trying to make a selling point out of data security with card-present merchants. An executive with terminal maker Hypercom Corp., for example, said this spring that both merchants and independent sales organizations were having a hard time swallowing the extra costs of compliant terminals, particularly when installed equipment was in working order (Digital Transactions News, April 25).

PCI was established 18 months ago by Visa, MasterCard International, Discover Financial Services LLC, American Express, and other card networks to harmonize the networks' various data-security rules into a single set of specifications aimed at protecting card data from unauthorized access and use. It specifies various security measures, including data encryption, regular password changes, and anti-intrusion and anti-virus solutions.
