November 2007
Overview Safeguarding customer data is a necessary component of good business practice, yet the numbers of data breached accounts are at an all time high. Data security has not been given front line priority, and as a consequence an environment of mistrust of the card eco-system has developed among consumers, merchants, acquirers, and issuing banks. To stem this tide, the payment networks have responded with a renewed emphasis, harsher penalties, and more specific deadlines for Payment Card Industry Data Security Standards (PCI DDS) compliance. Merchants are spending untold amounts to come into compliance, and many are confused as to the value of PCI compliance above and beyond fine avoidance. This report explores the challenges and issues presented by PCI compliance from the merchant perspective including the five biggest compliance problems causing data breaches for merchants extracting from qualitative executive interviews conducted with the PCI council, payment networks, PCI vendors, Qualified Security Assessors (QSAs), and merchants themselves. Primary Questions What is the real value of PCI compliance, aside from avoiding fines? What role does state legislation have in PCI compliance? What is the nature of merchant confusion with the PCI compliance process, and who is responsible for allaying this confusion? How can merchants be assured of safe harbor from lawsuits based on their compliance? What are the top five security weaknesses facing merchants becoming compliant? Are there any innovative approaches to help merchants deal with sensitive data storage? Audience: Authors: Merchants, processors, QSAs, ASVs, service providers, vendors, financial institutions (FIs) issuers and acquirers, and payment networks Rachel Kim, Associate Analyst Mary Monahan, Partner and Editor Bruce Cundiff, Research Director Publication date: November 2007 Price: $1,500 Length: 26 pages 15 charts/graphs
Table of Contents Overview...3 Primary Questions...3 Findings and Analysis...3 What Is the Real Value of PCI Compliance?...4 Consumers Will Reward Security Leaders, But How to Tell?...6 Consumers Prefer a PCI-Brand to Help them Feel Safer When Shopping... 7 Safe Harbor Needed to Ensure Conformity and Effectiveness for Merchants...8 What Do State PCI and Data Breach Laws Imply for Merchants?... 8 Is Effective QSA Management a Missing Link in the PCI Compliance Process?...11 Even with Progress in Outreach and Education, Merchant Confusion Lingers...13 Despite Strong Improvement, All Payment Networks Must Be Actively Involved...15 The Cost of Is it Worth the Expense?...16 What Are the Five Top Weaknesses for Merchants Facing Compliance?...18 Highly Distributed, Sensitive Data,... 18 Data Controlled by Third Parties or Taken Off-Site... 18 Problems at the POS... 19 Legacy Systems and Niche Applications Bring Heightened Risk... 19 Lack of Logging and Oversight... 19 Innovative Approach: Eliminate Storage and Passage of Card Information...20 Standing PCI Compliance on its Head... 20 EPX BuyerWall... 20 Shift4 s SafeSwipe... 20 Where Is PCI Compliance Heading in 2008?...21 Merchant Questions Linger over PCI DDS 6.6... 21 Payment Application-Data Security Standard (PA-DSS)... 21 Appendix...22 Related Research...24 Glossary...25
Table of Figures Figure 1: Top Ten Largest Publicly Reported Security Breaches... 4 Figure 2: Consumers Are More Inclined to Shop at merchants that Are Security Leaders... 6 Figure 3: Consumers Feel Most Protected by a Brand When Shopping... 7 Figure 4: Current PCI State PCI Bills and Outcomes for Merchants... 8 Figure 5: Payment Networks Are Managing their Acquirers, Acquirers Are Managing their Merchants: Who Is Managing the QSAs?... 11 Figure 6: Inconsistencies among PCI Programs and the Lack of a Universal PCI Support Center Are Preventing Higher Compliance Rates... 13 Figure 7: Slow but Steady Progress in Compliance Rates for Visa Merchants... 15 Figure 8: Compliance Costs for Level 1 or 2 Merchant... 16 Figure 9: Costs of Non-Compliance for Level 1 or 2 Merchant... 16 Figure 10: Compliance Costs/Steps for a Level 4 Merchant... 17 Figure 11: Which Cardholder Data Elements Can Be Stored under PCI Compliance Rules?... 18 Figure 12: Payment Application-Data Security Standards (PA-DSS) Timeline... 21 Figure 13: Consumer Viewpoint: Who Is Least Secure in Protecting Account Information?... 22 Figure 14: Definitions of Merchant Levels One to Four... 23 Figure 15: Visa PCI Compliant Merchants as of August 31, 2007... 23
Companies/Organizations Mentioned in Report America Online MasterCard American Express National Retail Federation CardSystems Shift4 Chase Paymentech Symantec Citigroup TD Ameritrade Dai Nippon Printing Company TJX Companies Data Processors International TrustWave Electronic Payment Exchange UPS Fidelity National Information Services US Department of Veteran Affairs KDDI Visa Sample Pages
Health Savings Accounts: Focus on Transactions and Product Development Will Lead to Asset Growth Target Place Your Order as Follows: 1) Call us at 925 225 9100, x26 2) Email us at 3) Fax or Mail using the form below: Please send me the following report(s): Report Title Publication Date Price Name Title Organization Division or group Email Phone Fax Address Signature to confirm your order: Payment Method: [ ] Payment card [ ] Check Enclosed [ ] Invoice me Visa, MC, AE or Disc. card #: Exp date: / Name on Card: Signature For invoicing, provide PO number: (Invoicing is available to financial institutions or publicly owned firms) Note: Reports are provided in electronic PDF form only. Javelin reports are subject to standard terms and conditions, as described on our web site. Javelin will contact you in the future to provide our free research newsletter or other mailings. If you do not wish to receive our newsletter or other mailings, you may advise us of this. Your contact information will not be sold to other organizations.