The Green Sheet, Inc

Card Associations get aggressive on PCI enforcement

The Payment Card Industry (PCI) Data Security Standard (DSS) has been around since 2004, yet compliance has come in stages. The card Associations put teeth into their terms for card acceptance, threatening penalties for failure to get with the PCI program. Now they're starting to show those teeth.

During the past six months, the card brands have stepped up enforcement for failure to comply, particularly against merchants at levels 1 and 2.

"The card brands can levy fines for noncompliance with their data security programs," stated Michael L. Herman, Chief Compliance Officer at Chase Paymentech Solutions LLC, in an e-mail response to questions from The Green Sheet. For example, MasterCard Worldwide recently fined level 2 merchants who did not meet the compliance validation deadlines, he added. MasterCard did not respond to a request for confirmation.

The industry focused first on level 1 merchants. These include merchants exceeding 6 million transactions annually with one card brand, regardless of acceptance channel, Herman stated.

Validate, or pay

Visa U.S.A. has publicly indicated its intent to begin levying fines for "noncooperative" level 1 merchants, Herman stated. Visa has also required Chase Paymentech to obtain attestations from certain merchants regarding whether they are storing full track data.

The industry's focus is now transitioning to level 4 merchants with higher risk characteristics, he added.

Visa projected that 65% of level 1 merchants would be compliant with the Cardholder Information Security Program (CISP) by the end of the year, with the remainder at various stages of completion, according to Hector Rodriguez, Director, Payment System Risk & Compliance, for Visa.

Only since July has Visa required validation of its nearly 1,000 level 2 merchants, who process 1 million to 6 million Visa transactions per year. And this population has been given until Sept. 30, 2007, to accomplish it, Martin Elliott, Vice President for Emerging Risk at Visa, stated in an e-mail response to questions.

"Penalties may be levied to an acquirer if its merchants fail to comply with the PCI Data Security Standard, particularly in the event of a compromise or in cases where a merchant retains full track data," Elliott stated.

It is very early in the new level 2 requirements process, "but Visa expects that there is significant work to be done by this population," he reported.

"Level 3 merchants have made significant progress, but there are many level 3 merchants still in the process of achieving and validating full compliance. Visa is working closely with acquirers of level 2 and 3 merchants to support compliance efforts and to ensure that this population is progressing in a timely manner."

Cautionary tale

The rationale for enforcement is readily apparent. Compromising or even losing bankcard data belonging to merchant customers threatens the bottom line and jeopardizes the reputations of merchants and card brands.

Chipotle Mexican Grill's experience serves as a cautionary tale: Prior to August 2004, the possible theft of patrons' card data led to up to 2,000 incidents of fraudulent charges totaling $1.4 million, for which the restaurant became liable. While the company has not been able to definitively show that data thefts occurred, it did find itself holding the bag. Subsequently, the company determined its software had been retaining track data, and some Internet gateways lacked security measures.

After the possible thefts came to light, the chain of 530 restaurants set aside $4 million to cover reimbursement of fraudulent charges, the cost of replacing cards, monitoring expenses, and fines imposed by Visa and MasterCard.

In its 2005 annual report, the company disclosed fines from Visa and MasterCard totaling a combined $1.3 million, which had been levied against the restaurant's acquiring bank. Adding in legal fees, the chain's total expenses related to its liability stand at $5.5 million, the company reported Nov. 1. Chipotle Mexican Grill did not respond to a request for more information. It reported revenue of $628 million in 2005.

'Egregious violations'

Now, storage of full-track magnetic stripe data "is considered an egregious violation, which is susceptible to fines ranging up to $100,000 per month until compliance is achieved," Herman said.
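The violation described above (retained track 1 or track 2 data) is easy to detect once you know the magnetic-stripe encoding, and an acquirer or merchant asked to attest that it is not storing track data should sweep its own logs, databases and backups before signing. The scanner below is an added example written for this edited page, not code from The Green Sheet, Chase Paymentech, Visa or any assessor. It matches the start and end sentinels of both tracks, masks any PAN it finds to the first six and last four digits, and applies a Luhn check so that random digit runs are not reported as card numbers. The sample POS log it scans is constructed for the demonstration.

```python
"""Scan text (logs, database dumps, config files) for stored full-track
magnetic-stripe data.  Added example for this edited page; it is not code
from The Green Sheet, Chase Paymentech, Visa or any assessor.  The sample
log below is constructed for the demonstration."""
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
# Both carry the full PAN plus expiry and service code, and the discretionary
# field can hold the card verification value, which is why retaining either
# track after authorization is treated as the egregious case.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})?([^?]*)\?")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})?([^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn (mod 10) check; weeds out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits; never echo the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track_data(text: str) -> list[dict]:
    """Return one finding per track match: line number, track type, masked
    PAN, expiry and whether the PAN passes Luhn.  Findings are ordered by
    line, with track 1 matches before track 2 matches on the same line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for track, pattern in ((1, TRACK1_RE), (2, TRACK2_RE)):
            for m in pattern.finditer(line):
                pan = m.group(1)
                findings.append({
                    "line": lineno,
                    "track": track,
                    "pan_masked": mask_pan(pan),
                    "expiry_yymm": m.group(3) if track == 1 else m.group(2),
                    "luhn_ok": luhn_ok(pan),
                })
    return findings


def confirmed_findings(text: str) -> list[dict]:
    """Matches whose PAN passes Luhn: the ones worth escalating."""
    return [f for f in scan_for_track_data(text) if f["luhn_ok"]]


# Constructed sample: a POS application that logs the raw swipe at DEBUG
# level.  Line 1 is a properly masked authorization record; lines 2 and 3
# retain full track data; line 4 has the sentinels but a non-Luhn number.
SAMPLE_LOG = """\
2006-10-19 12:01:02 POS01 AUTH pan=411111******1111 amt=12.50 result=APPROVED
2006-10-19 12:01:03 POS01 DEBUG raw_swipe=%B4111111111111111^DOE/JOHN^25121011234567890?;4111111111111111=25121011234567890?
2006-10-19 12:02:10 POS02 DEBUG raw_swipe=;5500000000000004=2512101987654321?
2006-10-19 12:03:00 POS03 DEBUG raw_swipe=;1234567890123456=2512101?
"""

if __name__ == "__main__":
    for finding in scan_for_track_data(SAMPLE_LOG):
        print(finding)
```

Run against real data, the pattern match is only the first step: a hit in an application log means the POS software writes the swipe to disk, so the fix is in the software (or its debug configuration), not in deleting the one file. Sweep databases, transaction journals, crash dumps and backups as well as logs, since the Chipotle case turned on software retaining track data that nobody had looked for.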

The Federal Trade Commission can also levy penalties that can go well beyond fines from the card Associations, said David Mertz, Director, Compliance Services, for GreenSoft Solutions Inc.

While Chipotle's fines stemmed from an actual compromise, acquirers face potential fines of $10,000 to $100,000 monthly for their merchants' failure to become compliant, according to Visa.

Fines are based on the severity of the compliance violation, the size of the merchant and the number of accounts at risk, according to Elliott. Within the range mentioned, fines may increase over time if the security issues are not addressed.

Compliance has its upside: Acquirers for all levels of merchants who are in full compliance with PCI at the time of a security breach would not be subject to Visa fines, Elliott reported.

"To this date, no entity that is PCI-compliant has been compromised," Rodriguez said at the Western States Acquirers' Association meeting Oct. 19. A processor that had validated compliance later had a "huge compromise," but forensics ultimately determined it had not actually been in compliance, he added.

Some compliance assessors have become more vigilant since the incident because that processor's assessor is no longer on Visa's list of approved assessors, Rodriguez said. Suddenly, several validated merchants had difficulty revalidating the following year, he added.

As of Oct. 31, 2006, 86% of VisaNet processors (entities directly connected to VisaNet) were compliant, 1% had submitted their final Report on Compliance (ROC) for review, and 13% had validation certification in progress, according to the card Association.

ISOs that do not store, process or transmit cardholder data are not required to validate PCI compliance; agents registered with Visa that do perform any of these activities, however, must do so. Registered agents of Visa were well on their way toward compliance by Oct. 31: 58% were compliant, 32% had validation in progress, and 10% were pending validation, Visa reported.

Mertz said, "One of the things I've noticed is that [the card Associations] are getting more strict in their interpretation of PCI, and they are not settling for compensating controls as easily as they have in the past."

Service vendors such as GreenSoft have been among the first to experience the card Associations' stepped-up enforcement. Visa's new severity was brought home to GreenSoft recently, when the company was temporarily dropped from Visa's list of PCI-compliant Web hosting service providers. GreenSoft resolved the issue and was restored to the list within two weeks, but with a surprise. Visa had cleaned house, and GreenSoft was then the only PCI-compliant Web host on the list, Mertz said in late October.

Every Internet merchant must now register the name of its Web hosting provider with Visa if it wants to accept card payments online, Mertz said.

Educating your level 4's

For merchant level salespeople, PCI poses a challenge: educating both their smaller merchants and themselves in the PCI lexicon and the spirit of the rules, because failing to stay on top of the rules and compliance deadlines creates liability for everyone in the chain.

Smaller merchants are starting to ask better questions of their POS providers, ISOs and processors, according to Michael Petitti, Senior Vice President of AmbironTrustWave. They are asking for education on PCI rules and where they can get assistance in reaching compliance.

For level 4 merchants, who may be subject to security audits, self-assessment questionnaires and security scanning, the procedures are aligned so that merchants do not have to go through multiple assessments for each card brand to demonstrate their compliance, Elliott stated.

Each card brand does maintain its own enforcement programs, so compliance should be reported to each.

"Entities who validate compliance against the PCI DSS according to the CISP requirements can leverage this work to demonstrate their compliance to the other payment card brands," Elliott stated. A single validation report to a merchant's acquirer will satisfy both Visa and MasterCard requirements.

While compliance validation requirements for level 4 merchants are left up to their acquirers, that lower level of scrutiny comes with a key provision: the card brands can reclassify such a merchant to level 1 if it suffers a breach of cardholder data, according to Petitti. That prospect should make level 4 merchants think twice about putting off compliance.

Beware reclassification

To demonstrate the potential expense to a level 4 merchant of a breach, Petitti offered a general estimate of the compliance expenses a level 1 merchant can face.

With such a reclassification come rigorous compliance requirements. "When you move from level 4 to level 1, there's a difference," Petitti said. "It comes down to the greater scrutiny of having to adhere to the same validation requirements" as the largest retailers, he added.

Reclassified small merchants would be subject to on-site inspections. "There is clearly an increased cost [when they go] from having a remote scan to having one on-site," he said.

Additionally, the card brands can ask level 1's at any time for compliance credentials such as scan reports, questionnaires and the ROC. "Level 4's don't have that burden of proof. They simply attest they are in compliance," Petitti said.

An on-site inspection for a small, reclassified merchant would still be extensive, but its costs would be directly related to the size of its environment.

"There's still a cost to having someone [on-site] from a couple days to a couple weeks," Petitti said, adding that a consultant's travel expenses cost a small merchant just as much as they cost a large one.

Vulnerability scanning, questionnaire and validation compliance services at level 4 can start as low as a few hundred dollars a year, Petitti said. "For an on-site visit, you are moving into several thousands of dollars, and all the way up."

Level 4 comprises a diverse group of merchants, something Visa noted when it readjusted level categorization in July, Petitti said. Level 4 merchants have widely varying capabilities.

"There are very large name brands in that category, but they skate by, by being large-transaction brick-and-mortar merchants ... all the way down to the dry cleaner with a dial-up terminal," he said. A big-ticket level 4 merchant poses a different level of risk than the traditional mom-and-pop shop.

The variation in risk factors poses a challenge to acquirers: how to intelligently handle the risk disparity. Perhaps the increased risk applies to only a few thousand of their millions of level 4 merchants, Petitti said.

"It's incumbent on the acquirer to determine which ones have the most risk. ... How can I get the dry cleaner to attest that he's not storing data, so I can move on" to evaluating the riskier level 4 merchants? he said.

Acquirers will likely ask merchants to fill out risk-assessment questionnaires. This will help acquirers determine which merchants they need to worry about most. "That way, the acquirer can have some record of what that compliance may be," Petitti said.

Chase Paymentech launched a program in August to bring its level 4 merchants into compliance, using AmbironTrustWave's Risk Profiler. "We needed to proactively reach these merchants, which present some of the highest risk but are not currently required to provide us with periodic validation of compliance with the ... PCI DSS," Herman stated.

The initial effort will reach only a small portion of Chase Paymentech's level 4 merchants, he said.

Assessors overwhelmed

One of the difficulties in bringing these millions of merchants into compliance is the limited number of companies capable of performing compliance assessments. Compliance assessors "are overwhelmed," said David H. Press, President of Integrity Bankcard Consultants Inc.

When resources are spread thin, the card Associations and compliance specialists focus on the upper-level merchants, where the damage from a breach can be far-reaching.

Some merchants put off compliance because of the costs they encounter, Press said. "They're seeing a cost associated directly to their bottom line and are choosing to forestall that as long as possible."

That lack of commitment translates into data breaches. In studying over 150 merchant data compromises in early 2006, AmbironTrustWave found that those who are the least regulated by card Association rules are, perhaps, the most lax.

"We saw that many [compromises] took place at level 4," Petitti said. Four out of five breaches took place in card-present situations. The majority, 62% to 65%, occurred at restaurants. The next largest category was retail, which, though just as ubiquitous, accounted for only 12% of the breaches.

And finally, many involved PC-based POS systems. In recent months, Visa has issued alerts regarding both restaurant and Internet protocol (IP)-based POS systems.

"If you control your environment, ... it is pretty clear what you have to do to protect the information," by instituting firewalls and other measures, Petitti said. "Once you start to leverage an IP POS system, that also has to meet some basic criteria. We've found typically that merchants weren't aware of that."

Make sure both you and your merchants are aware of PCI rules, definitions and deadlines. For more information, visit www.pcisecuritystandards.org

Article published in issue number 061102

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
© 2006, The Green Sheet, Inc.