New figures from Visa Inc. show more merchants meeting security standards for processing customer payment cards, but suggest many are still vulnerable to threats from hackers.
In a recent statement on its website, Visa, the San Francisco payment card processor, said 77 percent of the largest US merchants met security standards as of Dec. 31, up from 12 percent in March 2006.
Among midsize merchants, 62 percent met the standards, up from 15 percent at the end of 2006, Visa said.
Visa also said it has begun to issue fines as high as $25,000 a month when stores fail to measure up, though consultants say the network also has granted waivers to some chains.
For instance, court filings show it extended the deadline for TJX Cos., the big Framingham retailer that was targeted in what became the biggest US data breach in history.
Together, the statistics paint a mixed picture of payment security, which has become a topic of growing importance to consumers in the wake of the TJX theft.
Also, some retail consultants said Visa's figures may be rosier than reality, reflecting the complexity of upgrading older networks that tie together thousands of stores.
A survey of 174 merchants finished in November by Retail Systems Research of Miami showed only about half said they met the standards, said Steve Rowen, an analyst with the firm in Charlestown. "The numbers don't jibe," he said.
The situation is difficult for Visa because of deadline extensions it has granted in the past, Rowen said.
"I think they've done a good job, but every time they blink or change the deadline it encourages retailers to adopt more of a wait-and-see approach" instead of spending to upgrade their systems, he said.
Spokesmen for Visa said the company wouldn't discuss fines or extensions and executives wouldn't grant interviews. In a statement dated Jan. 22, Michael Smith, Visa's head of payment system risk, said Visa is pleased with merchants' progress, but added, "There is still more to accomplish."
Only a few large merchants, including TJX and Wal-Mart Stores Inc., have said publicly they now meet the standards, which spell out details about how stores and restaurants must handle consumer information like payment account data. With other payment networks, Visa had told the 326 largest merchants that handle more than 6 million Visa transactions a year they were supposed to meet the standards by Sept. 30, and set a Dec. 31 deadline for the 709 midsize merchants, which handle 1 million to 6 million transactions.
Brian Riley, analyst for Needham consulting company Tower Group, said the figures are impressive given the complexity of the work facing many merchants. It is also significant that Visa mentioned the fines it has begun to impose on banks that process transactions for merchants that don't measure up, Riley said, though in practice Visa generally grants companies waivers if they are making a real effort to improve compliance.
Visa has declined to discuss fines it says it issued, but some details emerged in litigation in federal district court in Boston brought by banks against TJX last year. One filing showed that Visa had issued $880,000 in penalties against Fifth Third Bancorp of Ohio, which handled TJX customer transactions. Under their contracts, Visa and other payment networks usually can't fine merchants directly.
In separate claims brought by another bank against Fifth Third, the Ohio bank stated in a court filing that it told Visa and MasterCard that TJX didn't meet the security standards, but that "after receiving such reports Visa granted TJX an extension of the deadline for reaching full [security] compliance, to Dec. 31, 2008."
Visa and Fifth Third declined to discuss this filing.
A TJX spokeswoman said security matters are overseen by vice chairman Donald Campbell, who declined to be interviewed, but said in a statement yesterday that the company now meets the standards "in advance of many other large retailers, and in advance of its previously authorized timeline."
Ross Kerber can be reached at kerber@globe.com.


