A Kaulkin Ginsberg Publication
LoneStar
11/23/2009

A Growing Movement of PCI Compliance

February 13, 2008

The Payment Card Industry Data Security Standard (PCI DSS) was developed by the major payments firms (American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa) as a common set of industry requirements for organizations to follow to ensure the safe handling and protection of consumers' sensitive information.

The standard encompasses both technical requirements and testing methodologies, and includes requirements for security management, policies, procedures, network architecture, software design and other protective measures.

Compliance with PCI requires merchants and service providers to meet twelve specific requirements designed to build and maintain a secure network, protect cardholder data, and maintain a vulnerability management program. The standard also covers the implementation of strong access control measures, regular monitoring and testing of networks, and the maintenance of an information security policy.

As of December 31, 2007 the percentage of Level-1 merchants – those that conduct more than $6 million annually in Visa transactions – that had attained PCI compliance reached 77 percent, up from 65 percent at the end of the third quarter.

Of Visa’s Level-2 merchants – those conducting between $1 million and $6 million annually in Visa transactions – 62 percent had reached PCI compliance by the end of 2007, up from 43 percent at the end of the third quarter. Overall from July of 2007 to December, compliance among Visa’s level-1 and 2 merchants grew by 33 percent.

But many smaller merchants aren’t falling into line in meeting PCI standards, primarily because compliance can cost anywhere from tens of thousands to millions of dollars, depending on an organization’s size. Some of these smaller merchants continue to work with the National Retail Federation (NRF) to oppose PCI, arguing the cost burden is prohibitive.

David Hogan, the NRF's chief information officer, recently sent a letter to the PCI Security Standards Council, arguing that parts of the standard were only necessary because credit card companies require that merchants store card numbers for retrieval requests in the case of merchandise returns.

Hogan proposed that merchants instead should be allowed to store authorization codes and a truncated receipt of sale, to bypass the costs and complexities of the PCI encryption requirements.
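The following is an added illustration of the data-minimisation idea in Hogan's proposal; it is not code from the article or from the NRF. It builds a return-lookup record that retains only an authorization code and a truncated card number, so no full PAN is ever written to storage, and includes a small detection helper that flags a full PAN if one leaks into a serialized record or log line. Assumptions not stated on the page: "truncated" is taken to mean the last four digits of the PAN, and the authorization code is treated as an opaque alphanumeric string of up to 12 characters; the card number used in the comments and test is a constructed sample.

```python
"""Added example (not from the insideARM article): keep only an
authorization code and a truncated PAN for merchandise-return lookups.

Assumptions (not on the page): 'truncated' = last four digits of the PAN;
the authorization code is an opaque alphanumeric string (1-12 chars).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ReturnLookupRecord:
    """What gets stored: enough to match a return to a sale, but no full PAN."""
    auth_code: str
    pan_last4: str
    amount_cents: int


def luhn_ok(pan: str) -> bool:
    """Mod-10 check so mistyped card numbers are rejected before any storage."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def make_return_record(pan: str, auth_code: str, amount_cents: int) -> ReturnLookupRecord:
    """Validate the inputs, then discard everything but the last four PAN digits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("invalid PAN")
    if not re.fullmatch(r"[A-Za-z0-9]{1,12}", auth_code):
        raise ValueError("invalid authorization code")
    if amount_cents < 0:
        raise ValueError("amount must be non-negative")
    # Only the truncated value survives; the full PAN goes out of scope here.
    return ReturnLookupRecord(auth_code=auth_code, pan_last4=digits[-4:], amount_cents=amount_cents)


def contains_full_pan(text: str) -> bool:
    """Detection helper: does this serialized record or log line contain a
    13-19 digit, Luhn-valid run (with optional spaces/hyphens between digits)?"""
    for m in re.finditer(r"(?:\d[ -]?){13,19}", text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample sale; 4111 1111 1111 1111 is a well-known test number.
    rec = make_return_record("4111 1111 1111 1111", "AB12CD", 4599)
    line = f"auth={rec.auth_code} pan_last4={rec.pan_last4} amount={rec.amount_cents}"
    print(line)
    print("full PAN present:", contains_full_pan(line))
```

The stored record is enough to tie a return to its original authorization without holding the number whose storage pulls the system into the encryption requirements discussed above; the `contains_full_pan` check is the kind of control a practitioner would run over exported records and application logs to confirm that the truncation is actually being honoured.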

Despite this push-back by smaller merchants, the trend towards PCI remains unabated as companies such as Visa, the largest U.S. payment system, have begun to enforce compliance with the standard by levying monthly fines on non-compliant merchants.

The steady adoption of PCI will continue to produce questions of the standard’s potential impact on the ARM industry. As more credit grantors begin requiring PCI of their service providers, agencies servicing credit card debt will need to remain mindful of the trend’s evolution.

Many larger agencies have already become PCI compliant as a default for doing business with creditors while other agencies recognize that PCI will soon become an issue for all service providers. Further development towards broader ARM industry acceptance and compliance with PCI will prove as much of an issue for smaller agencies as for smaller merchants, with costs as the main point of contention.

Accounts receivable management as an industry is heavily regulated, and compliance with federal statutes such as Gramm-Leach-Bliley and the Fair Debt Collection Practices Act, along with numerous state-level requirements, already puts cost pressure on smaller agencies. The potential addition of PCI as a standard requirement raises the possibility of smaller agencies being unable to comply.

Whatever the eventual impact of PCI on the ARM industry may turn out to be, it is clear that legislative change may soon play a larger role in pushing the importance of PCI compliance for the financial service industry.

Proof of this can be found with the introduction of bills at the state level that codify specific PCI requirements, with the Plastic Card Security Act (Minnesota Statute E356E.64), and Texas HB 322 as two examples. Minnesota in July 2007 became the first state to codify a portion of the PCI standard by enacting the Security Act, while the Texas proposal awaits action from its Senate after being passed by its House.

Whether or not legislative action continues to proliferate among the states or action is taken to the federal level, PCI is certain to continue making headlines in 2008.

Dimitri Michaud analyzes trends in strategic receivables management within the consumer finance sector, including the banking, credit card and mortgage markets. He conducts research, writes publications and hosts a regular blog on insideARM.com for Kaulkin Media.
