Retailers Facing Critical IT Security Deadline

Hoping to at least slow down the wave of electronic fraud threatening retailers, a group of major credit card firms—led by Visa—has set June 30 as the deadline for all merchants to submit recognized security audits.

The deadline is also for full compliance with 12 key elements of the PCI Data Security Standard, but those have already been required, although compliance has been spotty. The verification audits are the new element for June 30, along with a series of potential fines—as much as $500,000—for those that don't comply.

Even Visa officials are not saying that full compliance with the June 30 deadline will have a material impact on reducing computer fraud, but that it's a start.

Are privacy solutions falling short? Click here to read more.

"It's going to be an ongoing process. We're raising the security bar. I'm sure PCI will evolve over the next months, certainly years," said John Shaughnessy, senior vice president of fraud management for Visa USA. "I don't think there's a single silver bullet anywhere on Earth. I don't think we've ever represented this as the be all and end all" for absolute security.

The PCI Data Security Standard is little more than a common-sense list of good security procedures and includes a firewall requirement and instructs retailers to "not use vendor-supplied defaults for system passwords" and "assign a unique ID to each person with computer access."

One major area of concern is retailers who store too much information, often to make transactions easier for themselves and for customers. Storing the non-raised three-digit cardholder verification number, for example, defeats the whole purpose of having such a number.

The security improvement effort—backed by Visa, MasterCard, Citigroup's Diner's Club, American Express and Morgan Stanley's Discover—has been pursued for four years with little success.

Visa is threatening retailers who miss this latest deadline with fines and "permanently" throwing the retailer off the credit card company's network, according to a Web site Visa created for retailers.

If a Visa retailer, for example, doesn't alert Visa to a loss of cardholder or any other security problem, the retailer faces a penalty of $100,000 per incident. Fines can also be issued "if a member knows or suspects a security breach with a merchant or service provider" and doesn't "take immediate action to investigate the incident and limit the exposure of cardholder data," according to the Web site.

Next Page: Impetus for crackdown.