Credit card security standard makes sense for midsized companies
Executives at the midsized convenience store chain Kwik Trip Inc. know that customer trust and business success go hand-in-hand. Therefore, complying with a security standard that the major credit card companies mandate didn't just make good regulatory sense, it made good business sense.
Kwik Trip, a La Crosse, Wis.-based company that operates 380 stores across Iowa, Minnesota and Wisconsin, processes several million credit card transactions each month. The company recently completed an extensive two-year certification project to shore up its data security and comply with the credit card industry's Payment Card Industry (PCI) Data Security Standard.
"Certification gives us a level of assurance that we are keeping the data safe," says Sue Brogaard, Kwik Trip network manager. "And now we can extend that idea to our customers: When they use a Visa or MasterCard, their information is safe."
The PCI standard is the result of a joint venture between major credit card companies American Express, Diners Club, Discover/Novus, MasterCard, Visa and Japan-based JCB. It aims to improve merchants' information-security processes and audit trails as well as reduce identity theft and personal data misuse.
All businesses that store card data on their own systems are subject to the standard, although the specific requirements vary based on the number of credit card transactions a company processes. Noncompliant companies risk incurring hefty fines or losing their right to accept major credit cards.
The following information will help you learn more about the complex and sometimes-confusing PCI requirements and help you determine what your company could or should do to comply.
Merchant levels
What your company needs to do to achieve PCI compliance varies significantly based on your "merchant level." The definitions of merchant levels and their associated requirements have changed since July 18, 2006. The four merchant levels are:
Level 1. Any merchant that processes more than 6 million Visa or MasterCard transactions per year, whose data has been compromised in the past year, or that another payment-card brand has identified as Level 1.
Level 2. Any merchant that processes 1 million to 6 million Visa or MasterCard transactions per year.
Level 3. Any merchant that processes between 20,000 and 1 million Visa or MasterCard e-commerce transactions per year.
Level 4. Any merchant that processes fewer than 20,000 Visa or MasterCard e-commerce transactions per year, and all other merchants, regardless of acceptance channel, that process up to 1 million Visa or MasterCard transactions per year.
Not surprisingly, Level 1 merchants must adhere to the most stringent rules to achieve PCI compliance and certification. Requirements include an annual on-site data security audit conducted by a certified independent PCI auditor, as well as a quarterly network scan by an authorized vendor to identify potential systems configuration vulnerabilities.
Level 2 and 3 merchants must complete an annual self-assessment questionnaire and conduct a quarterly network scan. While merchants at these levels do not have to work with an independent auditor, experts say companies might still consider hiring one for consultation as an added safeguard.
Level 4 merchants have no requirements, only recommendations that they complete the annual self-assessment questionnaire and conduct the network scan. However, again, experts urge all companies to err on the side of caution when customers' private data and companies' reputations are on the line.
Why comply?
Although the PCI rules have been in place since June 30, 2005, Kwik Trip is still in the minority among Level 1 merchants that have achieved compliance. According to Visa, only about 22 percent of the largest merchants are PCI-compliant, although the company expects that number to rise dramatically in the next year. Visa does not track the number of compliant lower-level merchants.
Faced with these compliance rates, some midsized business owners might be tempted to skip addressing PCI compliance. But experts warn that such an approach ultimately will carry risks.
According to a recent study by the research firm Financial Insights, credit card fraud in online transactions cost businesses almost $60 billion in 2005, and the problem is only getting worse. Experts advise business owners to weigh the price of implementing new information-security systems and measures not only against the potential fees that noncompliance could incur but against the legal and financial toll of a potential security breach. They also should consider the cost of lost customer trust and a damaged company reputation.
According to Visa, complying with the PCI standard offers the following benefits to merchants and service providers:
- Competitive edge
- Increased revenue
- Improved bottom line
- Positive image
- Customer protection
Additionally, Visa offers "safe harbor" to compliant merchants whose data is compromised. In such cases, merchants that prove they were fully compliant at the time of the breach would be protected from Visa fines and some of the negative publicity that can stem from "compliance exposure."
Getting started
How can your company understand the path to PCI compliance? First, experts advise visiting the PCI Security Standards Council at www.pcisecuritystandards.org, which provides forms, frequently asked questions and resources regarding the compliance process. The PCI Security Standards Council also maintains a list of the qualified security assessors and approved scanning vendors. On Sept. 7, Visa, along with American Express, Discover Financial Services, JCB and MasterCard Worldwide, officially launched the PCI Security Standards Council. This global standards organization will manage the ongoing evolution of the PCI data security standards as well as future PCI security standards. The www.pcisecuritystandards.org Web site will provide up-to-date information on the standards, such as the newly released version 1.1 of the PCI data security standards.
Once you have a firm grasp of the requirements, begin to determine what steps your company needs to take to comply. For Kwik Trip officials, closing the gap meant creating an internal, six-person team to document processes and procedures, develop emergency contingency plans, update technical infrastructure, and work with external auditors.
"It makes us feel pretty good that we dug down and did what needed to be done to become compliant," Brogaard says. "It was a lot of work, but I do believe, in the end, it was well worth it."