SAN DIEGO — Retailers struggling to keep up with changing Payment Card Industry (PCI) data security standards need to realize that good compliance is simply a matter of good management, John Kirkwood, vice president and global information security officer for Ahold USA, said here.
“It's time to stop the insanity,” he told the National Retail Federation's NRFtech Summit 2007 conference. “Make PCI compliance a management priority rather than a compliance priority.
“Look at the requirements, figure out which are the most important and make sure key controls are in place. Then, as changes come up, simply adjust your programs.
“You won't be bulletproof, but you will have fewer and less severe problems.”
Ahold USA division Stop & Shop, Quincy, Mass., experienced a security incident in February when PIN-pad terminals at five Rhode Island stores and one Massachusetts store were tampered with. Arrests were subsequently made in the case.
PCI compliance standards have been in place since December 2005, with an update in September 2006, “and we'll probably see a third version shortly,” Kirkwood said. “And yet Visa reports only 36% of level 1 vendors [which process more than 6 million card transactions annually] are fully compliant.”
For failing to meet PCI compliance deadlines, Visa can impose fines on a retailer's bank, which can pass them on to the retailer. For example, under the latest Visa rules, banks that fail to get level 1 merchants to comply by Sept. 30 — or level 2 merchants to comply by year's end — risk fines of between $5,000 and $25,000 per month per retailer. (Level 2 retailers process between 1 million and 6 million annual card transactions.)
During his presentation, Kirkwood asked for a show of hands from the audience to indicate which companies were fully PCI-compliant, and when only a small number of people raised their hands, he said, “That's about what I thought. The problem is, a lot of companies are not sure what ‘compliance’ means, because they hear different explanations.
“At Ahold we're PCI-compliant, yet we talk all the time about what that means, so there are no hard and fast rules. The standards are like moving parts within moving parts, and a lot of people have told me they are frustrated with them and don't know how to proceed.
“But I don't think the problem is that people don't believe in protecting their information — it's just that it's hard to get their heads around it.”
Many companies have legacy systems that make compliance untimely or extraordinarily expensive, Kirkwood said, “and they ask me, why don't we just pay the fines rather than spend more than $1 million to be in compliance? But not all the cost is covered by the fine.
“When criminals take information, they are taking trust. So although you may not want to comply, consumers must feel companies are acting responsibly.”
Noncompliance is probably not an option, because compliance is a good business decision, Kirkwood pointed out.
“Visa said it will give companies who comply a break on transaction fees, which is a great carrot,” he said. Surveys indicate nearly all customers would return to a store if they knew their information was protected, whereas three-quarters said they would not go back if they knew a retailer had lost their information, he added.
“So compliance becomes part of the shopping decision,” he said.
Change is inherent in compliance standards, Kirkwood pointed out. “PCI was developed because of cardholder fraud. But the bad guys are changing, and the focus of PCI has to change. So if you have a risk management program in place, you will be able to put in the proper key controls.
“At Ahold, we have the ability to react quickly when we run into a problem, which results in a better outcome than some other companies have had,” he said.