If you are a retailer, what do you do with the transaction records containing your customers' payment card numbers? Do you keep the paper slips secure? Do the details pass electronically to a customer management file on your central system? Have your staff all signed statements to say they have read your store security policy? Do you know the answer to any of these questions?
For most retailers - both large and small - the responses to these queries are often unknown. But if they are to avoid being fined, retailers need to find the answers quickly.
TK Maxx's problems with its customers' card data may have hit the headlines last month, but they began in January this year when its US parent company TJX revealed a major security breach involving customer data in its North American operations. Initially it believed its computer system had been hacked into some time between May 2006 and January 2007, but subsequently discovered malicious attacks in July 2005 and on subsequent dates that year, as well as problems at US, Canadian and Puerto Rican stores from January 2003 to June 2004.
Originally a few million cards - including some from the UK - were said to be involved, but TJX later confirmed that 45.7 million card details had been stolen. An additional problem for the retailer was that it had been collecting and storing US and Canadian driving licence details in a bid to confirm shopper identities to prevent fraudulent refunds. Some of this data also seems to have been stolen, and since January this year there have been reports of TJX's North American customers reporting identity theft.
Although the TJX case has been particularly high profile, similar security breaches are commonplace and often go undetected or unreported. In the US it is mandatory to make such security breaches public, but this is not the case in the UK. Largely due to pressure from the US, card scheme operators - including Visa and MasterCard - have developed a security standard to stop retailers storing payment card information unnecessarily. If they do keep cardholder data, it must be safe from hackers.
Like all standards, the Payment Card Industry Data Security Standard (PCI DSS) has had a long gestation. In theory it has been mandatory for large retailers since September 2004, but inevitable problems and standard amendments have made the scheme operators relaxed about implementation. But that is set to change, with a deadline for compliance of June this year.
Failure to comply could result in hefty fines. In the US, Visa is charging merchant acquirers - the financial institutions such as banks that offer credit card accounts - US$10,000 (£5,025) a month if larger retail customers are storing certain types of card data unnecessarily. If they are still in breach of the rules by June, the fines will increase to US$50,000 (£25,125) and to US$100,000 (£50,250) a month from December. MasterCard has already imposed similar fines. Merchant acquirers are unlikely to tolerate such rogue behaviour from retailers and may either refuse to process card transactions or pass on the charges.
Compliance can be a long, complicated and expensive process, so it is not surprising that UK retailers have been dragging their feet. Last autumn a survey by The Logic Group, which manages customer data and transactions for businesses across Europe, suggested that only 3% had achieved full compliance, although 85% had by then heard of PCI DSS and 52% had gone as far as completing a risk assessment of the impact of non-compliance.
By the start of this year the situation was little better. CyberSource's annual survey of online retailers - a target group for early compliance - found 40% had no intention of achieving compliance and only 36% had started the process. Current estimates about the number achieving compliance are more optimistic, at about 15% to 20%, but are still worryingly low.
"Today, I'd say most tier-one retailers (see box) are well down the road to compliance," says Geoff Clark, client services director at IT provider Retail Assist. "Very few tier-two retailers have started, and as for tier three, they probably have no one to deal with compliance and will just be hoping they don't get caught."
Clark says meeting the standard will not be easy for many businesses. "A lot of retail systems were never designed for this level of security, and knowledge of the way data moves through a mass of applications and spreadsheets has been lost in the mists of time," he explains.
Lack of PCI DSS compliance is a sensitive issue for retailers and few have said they can meet the rules. Harrods IT director David Llamas is typical in saying the company has completed its risk assessment and is now working out what IT changes are needed.
At Mosaic Fashions, business development director John Bovill is at a similar stage. The company has carried out a preliminary risk assessment and identified compliance options, and has also appointed external project managers and scheduled an audit by a qualified security assessor (QSA) as required by PCI DSS rules. "A number of our recent implementations are of PCI DSS-compliant products, but they will still be subject to the group QSA audit," says Bovill.
Cardholder data typically moves from the retailer's EPoS to a central storage system in case of queries, but has also been used by some retailers to augment loyalty and customer management programmes by tracking payment card and purchasing patterns. This can be a major issue.
"Many of our customers have been amazed at the number of places where card data has turned up," says The Logic Group marketing director Mark McMurtrie. "They are having to rethink business needs and redesign their systems."
Payment systems consultant Mike Hendry adds: "Mid-sized retailers' systems have often been put together by people who are not payments specialists, so much more card data is often stored than is necessary."
Like Chip & PIN, PCI DSS involves hefty IT investment for no obvious return or benefit for the retail organisation. Industry experts talk of potential £1 million-plus bills for tier-one retailers and six-figure sums for smaller players. As a result, many boards have adopted a wait-and-see approach, deferring any investment in achieving compliance until they have a security breach and face strictures and/or fines from the card operators. For a large retailer, a PCI DSS compliance programme could easily take two years to complete, so many stand little chance of meeting the June 2007 deadline.
But McMurtrie warns against this approach. "There has to be a risk assessment that goes beyond basic IT issues, because the key risk area has to be damage to brand reputation. Other retailers could suffer the same fate as TK Maxx."
The level of fines could be another important driver for action. Contributors to payment industry blogs and internet forums, who usually describe themselves as retail IT managers, are increasingly trying to find the likely cost of non-compliance. Several suggest this could provide the lever they need to persuade boards to invest in PCI DSS compliance projects.
Retailers' reluctance is in part due to the perceived lack of any benefit, but it is not helped by the fact that UK companies can keep such problems hidden. In the US, where security breaches must be made public, they can have a direct impact on share price and consumer confidence - a good incentive for US retailers to pay to achieve compliance.
"In the US, all the major retailers are now compliant," says Mike Hendry. "In Europe it's different. The Scandinavian acquirers are proactive in persuading retailers to speed up their projects, but in the UK and Germany timing is still an issue."
Keeping cardholder data secure is universally acknowledged as good practice, especially as identity fraud continues to increase. But the time and costs involved could mean this ideal is a long way from being achieved in the UK.
COMPLIANCE - WHO DOES IT AFFECT?
Systems for monitoring and confirming compliance with the PCI DSS standard vary depending on a retailer's size and type. Those with more than six million Visa or MasterCard transactions each year across all channels (tier 1 merchants) must have an annual audit by a security assessor, plus a quarterly inspection by an independent vendor to check on continued compliance.
Online retailers with between 150,000 and six million card transactions a year (tier 2) must fill out an annual self-assessment confirming they comply with all the requirements and sub-clauses, and must also have the quarterly inspection.
Tier 3 merchants are online retailers with 20,000 to 150,000 card transactions a year. They have to meet the same criteria as tier 2 traders.
Tier 4 covers any other retailer, regardless of size or operating channel. They should complete the self-assessment and have an annual inspection.
An independent fashion retailer without a transactional website would therefore be included in tier 4, whereas one with a website processing about 400 or more card payments a week would be tier 3. A larger chain with a website handling about 3,000 card transactions a week would be in tier 2.
The tiers are significant, as they reflect how likely card companies would be to demand compliance - the bigger the operation, the more cardholder data can be hacked into. Initial focus is on ensuring compliance among tier 1 and 2. In the US, these are the groups that face Visa fines for non-compliance.
Small operators may find their acquirers are more tolerant. However, they will need to complete self-assessments, even if - as Geoff Clark suggests - they have little idea of the implications of the questions asked.
- See www.pcisecuritystandards.org for more information.