Sunday, November 10, 2024

Merchants’ PCI Travails Prompt Security Program from Big Blue

With compliance deadlines already passed for some merchants and looming for others, the Payment Card Industry data-security standard (PCI) has drawn a bevy of vendors into the market to help merchants cope with one or more of its dozen requirements. Now the biggest vendor yet is jumping in. IBM Corp. on Thursday announced a sweeping program it says is the only one available that can help clients reach compliance with all of PCI's mandates, including some 200 so-called subrequirements. The service includes PCI assessments as well as remediation and help with year-to-year compliance. “We think we are unique in the marketplace,” says Phil Kibler, director of global security and privacy services at the Armonk, N.Y.-based technology giant.

Backed by all of the general-purpose card networks, PCI includes requirements such as security scans, data encryption, firewalls, antivirus programs, and frequent password revisions. It applies to any business that handles credit and debit card information. Deceptively straightforward, the standard has proven to be complex in administration and difficult for merchants to comply with. Visa USA last week said 65% of all so-called Level 1 merchants, the largest retail companies, had achieved compliance. Rates for smaller merchants are lower.

At the same time, merchants confront deadlines for compliance. Level 2 merchants must prove compliance by Dec. 31, while the deadline for Level 1 merchants was Sept. 30. Failure to meet these dates can trigger fines and interchange penalties. “This is really coming to a head,” Kibler says. “I don't think Visa [and the other card networks] are going to back off on the fines or on the requirements.” Kibler says IBM timed the introduction of its new program to give Level 2 merchants a hand with their impending deadline. At the same time, he says, the program could still help some Level 1 clients that have not yet been able to show compliance.
All clients will also need to revalidate compliance each year, an often underestimated step. “The main thing I'm concerned with is the lack of appreciation of how hard it is to achieve PCI compliance and how hard it is to maintain compliance,” Kibler notes.

Though IBM holds a commanding market share in retail point-of-sale systems, its entry into the PCI compliance business comes about as the result of a trio of acquisitions the company has made over the past 12 months. Last October, IBM picked up assessor expertise with its purchase of Atlanta-based Internet Security Systems Inc. In January, it acquired Consul Risk Management International, a Dutch company whose software analyzes computer logs to assess vulnerabilities. And in July IBM bought Watchfire Corp., a Waltham, Mass.-based provider of software that assesses the vulnerability of application software, a move that also positions the company to deliver services related to the Payment Application Best Practices, a guideline for which Visa last week issued a separate series of compliance deadlines (Digital Transactions News, Nov. 1). “It's fair to say before [these acquisitions] we were dabbling, we weren't a serious player in the PCI space,” says Kibler. “Now we're very serious.”

Digital Transactions