I was vacationing recently at an upscale U.S.-brand resort in a popular Mexican tourist city. The sun was warm, the water was aqua blue, and the view from my room was perfect. I had all but checked out of "work mode," when it happened. The woman at the front desk pulled out a zip-zap machine, those clunky old units that imprint your credit card number on carbon paper. There is now a piece of paper in a drawer in Mexico with my credit card number and name smattered across it.
In those few moments, I was torn: do I ignore this interaction and pretend it never happened, or do I take time out of my coveted vacation to ponder global compliance with the Payment Card Industry Data Security Standard? As you can see, the editor in me beat out the beach bum.
Although U.S. merchants have been focused on PCI Compliance for the past several years, the zip-zap machine is still alive and well across the globe. But PCI Compliance isn't just a U.S. initiative. Visa announced last November that Level 1 merchants operating overseas must prove adherence by September 30, 2010. By the same date in 2009, Visa will require that Level 1 and 2 merchants do not retain sensitive payment card data, such as full magnetic stripe information.
On the home front, PCI Compliance continues to bring its challenges. In the 2009 Restaurant Technology Study, 67.5 percent of responding restaurant operators indicate that their company is fully compliant with the standard. This number actually declined from 79.8 percent in 2008. In all likelihood, the drop in compliance has more to do with a better understanding of the requirements and more accurate self-assessment than an actual reduction in compliance. In either case, until September 2010, I'll pay with pesos next time I'm in Mexico.