Can Mid-Market Merchants Comply with PCI Standards In Time?
If you want to transact business with credit cards, you have to follow the rules: the payment card industry security standards. Companies that don't comply face fines or worse. So why aren't more mid-market merchants already in compliance?
Common Sense Standards
So merchants have little choice. But how good is the standard and how bad are the obstacles to achieving the sought-after verification? Hans Keller, CTO since 1999 of the National Aquarium in Baltimore, says that most of the requirements are common sense. "A lot of pieces of PCI are things you should be doing." The PCI council's Russo concurs. "There really isn't anything mysterious about these standards. They are all security best practices."
Those who gritted their teeth over earlier standards, such as Visa's Account Information Security and Cardholder Information Security Program, or MasterCard's Site Data Protection—and who then found the first version of the PCI security standard confusing—should at least find the latest incarnation much improved. Russo says that among the issues solved by version 1.1 are inconsistencies in terminology and language. For instance, vague words like "periodically" and "regularly" have been replaced with specifics, such as annually, quarterly and monthly. Other changes ironed out distinctions between cardholder data, which merchants store and must protect, and data so sensitive that it should never be stored.
Implementation Challenges
Neat as that sounds, don't put away the aspirin yet. Unless you run a large business, you'll face several implementation challenges.
1. Tight budgets. While larger companies (which PCI calls Level 1) often have dedicated security resources, midsize merchants may find themselves in that jaw-clenching budget bind.
2. Complex environments. Cathy Hotka, a retail technology consultant, says even mid-market merchants may be running more than 500 applications at a time in "highly customized environments with hand-written code" that has been around for years. Old code is often poorly documented, and even small changes are complicated, just as they were when fixing the Y2K bug. The DSS standards are more comprehensive than replacing two-digit years with four-digit years, and they constantly change. Hotka compares complying with PCI to "fixing the windshield of a plane while it's in the air."
3. Conflicting interpretations. Individual auditors may interpret the rules differently. "The auditor you bring in today will tell you something different than the auditor you bring in next week," says the National Aquarium in Baltimore's Keller. Disagreements can arise over the proper way to segment networks and secure the segments with firewalls.
How One CIO Is Meeting the PCI Compliance Challenge
Though it qualifies as a small merchant, the National Aquarium in Baltimore (which earns about $40.5 million in annual revenue) has encountered most of these mid-level difficulties. Reporting to the CFO, Keller oversees an IT staff of 10. He's responsible for application development as well as support for 500 users and 300 PCs. Keller devotes approximately one percent of his annual $2.5 million IT budget to PCI compliance. (Editor's note: This story was updated on Dec. 14, 2007 to remove incorrect information.)