Digital Transactions Authoritative, insightful and timely information for payments professionals
Large merchants whose card transactions are chiefly derived from physical stores, rather than the Internet, will now face stricter requirements for proving compliance with the Payment Card Industry data-security standard, according to an expert observer. With Visa USA this week introducing a revision of the volume bands by which it groups merchants for PCI compliance, the card association's data-security rules now encompass all or most large brick-and-mortar retailers, forcing them to meet more stringent PCI validation requirements, including at the least self-assessments to certify compliance, says Michael Dahn, president of Volubis Inc., a San Francisco company that has contracted with Visa to help train PCI assessors and educate merchants on the standard. The change took effect July 18. Until this week, Visa grouped merchants into four so-called levels, depending on the volume of transactions they accept and in some cases on the volume of e-commerce transactions they process. All merchants that accept more than 6 million Visa transactions annually across all channels, for example, were?and still are–classified in Level 1 and must validate PCI compliance by means of a third-party audit. Levels 2 and 3, also defined by specific volume bands, required validation by means of a self-audit, at minimum. But these tiers referred only to e-commerce transactions, leaving large physical stores doing under 6 million brick-and-mortar transactions a year in Level 4, for which compliance validation may or may not be required, according to Visa. But now, amid industry concerns about the security of card data at physical retail locations, the card association has rewritten the definitions of its PCI tiers. Level 1 remains the same, with a volume range of 6 million and up. Level 2, which formerly covered annual e-commerce volumes of 150,000 to 6 million transactions, now embraces not just online volume but transactions from all channels, with a range of 1 million up to 6 million. Level 3, meanwhile, remains an e-commerce tier but with a volume range of 20,000 to 1 million. All other merchants fall into Level 4. A new validation deadline, Sept. 30, 2007, applies to new Level 2 merchants. At a stroke, the move pushes chains that derive large volumes of transactions from physical stores from Level 4 to Level 2, subjecting them to stricter validation requirements for audits and security scans. Formerly considered Level 4 retailers, these merchants were “not required to validate compliance,” says Dahn, which means they may not have heard from their acquirers about PCI and may not be aware of practices that are putting data at risk. The new definitions come in the wake of several serious breaches involving brick-and-mortar retailers, including incidents last year at BJ's Warehouse Club, DSW Shoe Warehouse, and Polo Ralph Lauren. Indeed, statistics from AmbironTrustWave, a Chicago-based PCI auditor, indicate that 85% of the more than 100 card-compromise cases it has investigated involved brick-and-mortar merchants, with only 15% coming from card-not-present retailers. But Visa is also responding to the increasing numbers of merchants that are moving their POS systems to Internet Protocol connections, says Dahn. This trend, he says, has begun to draw the interest of hackers, who see an opportunity to pick up magnetic-stripe data some of these merchants may be storing. Packages of so-called Track 1 and Track 2 data, which are contained on the mag stripe and include such information as card numbers, names, expiration dates, and PIN-verification values, sell for $25 to $30 apiece, compared with $3 to $7 for card numbers alone, according to Dahn. Some 47% of the cases investigated by AmbironTrustWave involved DSL or cable connections, and 22% involved T1 lines. The remaining 31% involved dial-up connectivity. At the same time, the new tier definitions will more closely match the approach of third-party PCI auditors that have been certified by Visa to check for compliance. In many cases, Dahn says, auditors have looked at card transactions regardless of channel. The new tier definitions also arrive as card networks are making other changes to tighten data security. Visa is preparing to make a set of security recommendations for point-of-sale software, known as the Payment Application Best Practices rules, a requirement for merchants and software developers (Digital Transactions News, July 12). And recently both Visa and MasterCard announced they would revise PCI to protect against hacker attacks on Web applications.
