The deadline is also for full compliance with 12 key elements of the PCI Data Security Standard, but those have already been required, although compliance has been spotty. The verification audits are the new element for June 30, along with a series of potential fines—as much as $500,000—for those that dont comply.
Even Visa officials are not saying that full compliance with the June 30 deadline will have a material impact on reducing computer fraud, but that its a start.
"Its going to be an ongoing process. Were raising the security bar. Im sure PCI will evolve over the next months, certainly years," said John Shaughnessy, senior vice president of fraud management for Visa USA. "I dont think theres a single silver bullet anywhere on Earth. I dont think weve ever represented this as the be all and end all" for absolute security.
The PCI Data Security Standard is little more than a common-sense list of good security procedures and includes a firewall requirement and instructs retailers to "not use vendor-supplied defaults for system passwords" and "assign a unique ID to each person with computer access."
One major area of concern is retailers who store too much information, often to make transactions easier for themselves and for customers. Storing the non-raised three-digit cardholder verification number, for example, defeats the whole purpose of having such a number.