Saturday, April 20, 2024

Merchant Breaches Cast Light on Deadlines for Card-Security Compliance

DSW Shoe Warehouse's disclosure yesterday that the theft of card data at its stores, originally revealed last month, affected some 1.4 million accounts follows by a week the news that card data stored by New York-based merchant Polo Ralph Lauren had been compromised. Together the two cases cast a spotlight on an industry-backed card-data security standard that, for now, is more focused on Internet merchants than on the brick-and-mortar point of sale. Both the Polo Ralph Lauren and DSW Shoe Warehouse cases involved breaches of store-based POS systems rather than Web-based systems.

The current card-security standard, known as the Payment Card Industry Data Security Standard (PCI), was established in January and grew out of similar rules that had been put in place since 2001 by Visa U.S.A., MasterCard International, Discover Financial Services Inc., American Express Co., and other card companies. Among other things, it requires card-accepting merchants to certify that their data-protection procedures meet certain requirements. Many merchants are turning to outside auditors to help harden their POS defenses and certify compliance with PCI.

So far, however, only merchants processing in excess of 6 million transactions annually have had to show compliance. The deadline for these so-called tier-one merchants was Sept. 30. The next deadline, June 30, applies to tier-two and tier-three merchants, meaning those accepting anywhere from 20,000 to 6 million transactions yearly. But that deadline applies only to online retail operations. All other retailers fall into the tier-four category, for which no deadline has yet been determined.

DSW officials said the chain has learned thieves accessed 1.4 million card-account numbers, cardholder names, and transaction amounts at 108 stores in 25 states between mid-November and mid-February. Although some reports say this represents 10 times the number of accounts DSW estimated were affected when news of the breach first broke March 8, the company said yesterday it made no such estimate. It also says driver's-license and checking-account numbers were accessed from 96,000 check transactions. The 176-store chain, a unit of Columbus, Ohio-based Retail Ventures Inc., says the stolen card data did not include home addresses or PINs, and the affected check data did not include names, addresses, or Social Security numbers. It says it has enough information to contact half of the affected cardholders and 88% of the affected check writers, and has begun sending them letters.

DSW is a tier-four merchant, experts say, though it is not clear whether Polo Ralph Lauren's online business is substantial enough to place it in tier two or three. MasterCard and Visa said last week they have notified an undisclosed number of banks about the Polo Ralph Lauren case. So far issuer HSBC Holdings PLC has said it has warned 180,000 of its cardholders who shopped at Polo Ralph Lauren about the theft, which reportedly included data dating from June 2002 to last December.

“The PCI standard is a great step in terms of moving the ball down the field, but you still have substantial risk without [a deadline] for brick-and-mortar merchants,” says Mike Petitti, a partner at Ambiron LLC, a Chicago-based firm that conducts PCI audits. Petitti says the card companies' intent in drawing up PCI's proof-of-compliance deadlines was to go after the “obvious” risks first, hence the early deadline for the largest retailers, regardless of the channel they sell in, and the June deadline for online merchants. He also points out that requiring audits from the millions of tier-four merchants (a category that can include the corner dry cleaner as well as regional chains) is logistically difficult. At the same time, he and other experts stress that tier-four merchants aren't off the hook on PCI.

The standard applies to them, but no deadline currently exists for them to show compliance. Petitti expects the card networks to address tier four after June 30, though he says it's unclear whether this will result in an audit deadline or in further segmentation of the tier into more manageable categories.

In the meantime, PCI is having an effect on acquirers and merchants, regardless of specific deadlines or other requirements. “Acquirers, as principal underwriters of the merchants, are responsible for any fees or fines and don't want to be on the hook for the liability,” says Petitti. As a result, he says, more acquirers are making PCI compliance part of the operating agreements they execute with merchants. Each of the card networks maintains its own schedule of fines; Visa, for example, says the penalty can range up to $500,000.

But the networks may not have much time to act. Petitti says pressure is mounting on the card industry as a result of recent news of data compromises, which also includes well-publicized cases of unauthorized access to data at ChoicePoint and Lexis-Nexis. Though those cases did not involve breaches of POS systems, Petitti says the public and their representatives aren't likely to make the distinction. “These aren't apples-to-apples issues, but to the consumer it appears to be the same thing,” he says. “The consumer's perspective has to be taken into account. If consumers stop spending, that's an issue.”

In a statement, Polo Ralph Lauren says it has eliminated stored card data and fixed its POS problem. Without making further comment, it says its system is secure.

Digital Transactions