How secure is card payment tech?

Nation's Restaurant News,  Oct 8, 2007  

Restaurant operators continue to feel the heat as the payment card industry and lawmakers continue to serve up mandates aimed at protecting customer data. One such mandate is the Payment Card Industry Data Security Standard, or PCI DSS, introduced by the PCI Security Standards Council, an organizational body that comprises the five major card associations: American Express, DiscoverCard, MasterCard, Visa and JCB.

The standard, which does not replace the requirements of the individual associations, calls for retailers of all sizes to ensure that their transaction and data storage systems are secure. By year-end, all entities that accept credit cards are expected to be following 12 requirements to guard against data theft, including the use of firewalls, encryption of cardholder data, access controls and antivirus software. For instance, PCI DSS mandates that companies assign a unique ID to each person with computer access and that vendor-supplied defaults for system passwords be changed rather than relied on. A compromise of customer information sparked by a failure to comply with the mandates will expose operators to fines levied by the credit card companies, as well as opening operators up to possible liability toward banks and other financial institutions for customer notification and card reissuing costs.

"What PCI DSS is doing is making sure that merchants and their service providers are protecting cardholder data. It's not an outrageous goal," said John Pescatore, vice president and fellow at Gartner Group, a technology research firm headquartered in Stamford, Conn. Pescatore noted that although the PCI assessment procedure is less demanding for Level III merchants, defined by Visa and MasterCard as processing between 20,000 and 1 million transactions per year, and Level IV merchants, which process fewer than 20,000 transactions per year, the cost of compliance is still significant. (Level I merchants are those that process more than 6 million transactions per year and/or have already experienced a data security breach; Level II merchants, those that process 1 million to 6 million transactions annually.) For example, the latest version of the standard--Version 1.1--requires that Level III and Level IV merchants fill out an annual self-assessment questionnaire and conduct quarterly network vulnerability scans, performed by an approved vendor.

Pescatore put the average cost for smaller companies to comply--including hiring a consultant and making sure the vulnerability assessment is done correctly--at a minimum of $45,000. However, he deemed such an expenditure to be minimal compared with the cost of a breach. For instance, if a midsize company exposes data on 100,000 accounts, the impact cost per account is $100 to $200. "You could end up spending $10 million in recovery costs, such as notifying customers and reissuing cards," Pescatore said.

Not long ago, casual-dining restaurant operator Ruby Tuesday Inc., of Maryville, Tenn., made a push for PCI DSS compliance by beginning to encrypt card data with AES at its more than 900 company-owned stores. Credit and debit card data-handling routines also have been altered, and scripts supported by the chain's Micros Systems RES 4.0 point-of-sale software have been modified. Both Nick Ibrahim, Ruby Tuesday's senior vice president and chief technology officer, and Micros officials said the point-of-sale system is PCI DSS compliant.

Ruby Tuesday made the changes even before it was required to do so. "The expenditure," Ibrahim said, although he declined to quantify it, "was worth keeping us out of the headlines."

Such efforts notwithstanding, neither the PCI Security Standards Council--the organizational body that issued the security standard and that was founded by the five major card associations--nor the associations themselves believe significant progress is being made toward PCI DSS compliance. "All merchants are required to comply with PCI DSS or face fines," stated Rob Tourt, vice president of network services at Discover. Yet adoption of PCI DSS is not widespread among any group of merchants, and foodservice operators are no exception, according to Tourt and other sources.

Recent developments point to stepped-up efforts to turn the tide. Notably, in addition to the approximately 200 detailed network and physical security requirements that the council aims to make the norm for protecting payment card information, PCI DSS Version 1.1 incorporates provisions for "compensating controls." Such controls permit merchants to propose alternative solutions for meeting a given requirement set forth by the standard--for example, making stored cardholder data unreadable--if they cannot reasonably meet that requirement as written.
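The data-handling change Ruby Tuesday describes above (encrypting card data with AES) and the "make cardholder data unreadable" requirement mentioned here come down to the same design rule at the point of sale: the full card number is never written to disk in the clear, and sensitive authentication data is never written at all. The following is an added illustration, not code from the original article, from Ruby Tuesday or from Micros. It validates a PAN with the Luhn check, keeps only a masked copy (first six and last four digits) for display, seals the full PAN with AES-256-GCM, and drops the CVV before anything is persisted. The structures, the 32-byte key handling and the sample card number are constructed assumptions; where the key actually lives (key store, HSM, rotation) is out of scope here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Authorization is what the terminal holds in memory while a card is being
// authorized. CVV (like track data) is sensitive authentication data that
// must not be stored after authorization, so it has no place in the
// persisted record below. Constructed structure, not the POS vendor's model.
type Authorization struct {
	PAN    string
	Expiry string
	CVV    string
	Amount int // cents
}

// StoredTransaction is the only form written to disk: the full PAN exists
// only as AES-GCM ciphertext, and display and lookup use the masked copy.
type StoredTransaction struct {
	MaskedPAN    string
	EncryptedPAN []byte
	Expiry       string
	Amount       int
}

// luhnValid runs the Luhn check-digit test on a 13 to 19 digit PAN.
func luhnValid(pan string) bool {
	if len(pan) < 13 || len(pan) > 19 {
		return false
	}
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		c := pan[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// maskPAN keeps the first six and last four digits, the most PCI DSS lets a
// merchant display, and replaces the rest with '*'. Length is checked by Store.
func maskPAN(pan string) string {
	n := len(pan)
	return pan[:6] + strings.Repeat("*", n-10) + pan[n-4:]
}

// newGCM builds an AES-GCM AEAD from a 16, 24 or 32 byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptPAN seals the PAN with AES-GCM. The random nonce is prepended to
// the output; GCM's authentication tag also detects any later tampering.
func encryptPAN(key []byte, pan string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(pan), nil), nil
}

// decryptPAN reverses encryptPAN and fails on a truncated or modified record.
func decryptPAN(key, sealed []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Store turns an in-flight authorization into the persisted form, rejecting
// malformed PANs and discarding the CVV.
func Store(key []byte, a Authorization) (StoredTransaction, error) {
	if !luhnValid(a.PAN) {
		return StoredTransaction{}, errors.New("invalid PAN")
	}
	ct, err := encryptPAN(key, a.PAN)
	if err != nil {
		return StoredTransaction{}, err
	}
	return StoredTransaction{MaskedPAN: maskPAN(a.PAN), EncryptedPAN: ct, Expiry: a.Expiry, Amount: a.Amount}, nil
}

func main() {
	key := make([]byte, 32) // demo only: a real key comes from a key store or HSM
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// 4111111111111111 is a well-known Luhn-valid test number, not a live card.
	rec, err := Store(key, Authorization{PAN: "4111111111111111", Expiry: "12/09", CVV: "123", Amount: 1299})
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %s (%d ciphertext bytes, no CVV field)\n", rec.MaskedPAN, len(rec.EncryptedPAN))
}
```

The point a PCI assessor looks for is visible in the types: the record that persists has no field that could hold a CVV, the clear PAN appears only transiently in Authorization, and the masked form is what reports and receipts use. Losing the key makes the stored PANs unrecoverable, which is the intended failure mode.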

According to PCI Security Standards Council chair Seana Pitt, who also serves as vice president of merchant policy and data quality at American Express, the "compensating controls" allowance should ease some of the reluctance among smaller merchants and/or those with older systems by affording them leeway to grapple with technical or business obstacles to compliance rather than ignoring them until the prospect of punishment for noncompliance becomes inevitable.