SOURCE: nuBridges, Inc.

December 18, 2007 09:01 ET

Hundreds of Level II Merchants Facing Stiff Penalties

Level II Merchants Who Fail to Meet December 31, 2007 PCI DSS Compliance Deadline Need a Reliable Security Solution That Can Be Initiated Quickly

ATLANTA, GA--(Marketwire - December 18, 2007) - With the deadline for Level II merchants to comply with the Payment Card Industry Data Security Standard (PCI DSS) set for December 31, 2007, many may be facing stiff penalties from credit card companies.

"Credit card companies -- Visa, MasterCard, American Express, Discover and JCB -- are serious about protecting consumer credit card information, and the Payment Card Industry Data Security Standard they established includes clear requirements, deadlines and fines," said Gary Palgon, vice president of Product Management for nuBridges, a secure e-business solutions provider. "Level II retailers that are not going to be compliant by the deadline are looking for PCI compliance solutions that can be put into place quickly to help them either avoid fines altogether or, at least, minimize them."

For example, many of Visa's 720 Level II merchants -- those who have between one million and six million Visa transactions per year -- are facing the same penalties as its Level I merchants who missed the September 30, 2007 compliance deadline. On October 1, Visa began levying fines of $25,000 per month to U.S. merchant acquiring banks for each of their Level I merchants that had not validated PCI DSS compliance by the deadline. At the time of the deadline, 35 percent of Visa's Level I merchants were not compliant. To encourage merchants to secure customer credit card information, Visa also invested up to $20 million in an incentive fund payable to the acquiring financial institutions of the largest U.S. merchants who validated PCI compliance by August 31, 2007, and had not been involved in a data compromise.

"Taking the Visa example, if Level II merchants follow the compliance statistics set by its Level I merchants, there could be more than 250 Level II merchants who do business with Visa that will not have complied with the PCI DSS mandate by the end of the year," said Palgon. "To avoid paying sizeable penalties and take advantage of incentives, these merchants are looking for solutions that will enable them to become compliant as quickly as possible."

Palgon added, "It should also be noted that many Level I and Level II merchants that are already compliant, or will be by the end of 2007, have accomplished this by putting compensating controls in place." Compensating controls are temporary measures merchants can use to comply with PCI DSS. However, most "legitimate technological or documented business constraints" that enabled the use of compensating controls for a first audit must be replaced with permanent solutions in order to pass subsequent PCI audits. Further, just as PCI DSS 1.1 was more rigid than the 1.0 standard concerning compensating controls, companies need to be prepared to address open issues when the next version of PCI DSS is announced.

Obtaining and maintaining PCI DSS compliance is not easy for many merchants. According to a survey conducted by VeriSign® Global Security Consulting Services(1) in 2006, fewer than 30 percent of merchants -- even those with robust security in place -- meet the PCI DSS requirement on the first try. The leading cause of failure was not protecting stored data through encryption (79 percent). A follow-up survey(2) showed that 45 percent of merchants who failed a PCI audit in 2007 were still failing because they were not adequately encrypting data.

"Encryption is hard for merchants to do on their own, as is the associated encryption key management," said Palgon. "We developed nuBridges Data Secure to help retailers -- from the largest global Level I merchants to the smallest Level IV merchants -- comply with PCI DSS quickly and reliably. Once in place, nuBridges Data Secure not only provides foolproof encryption to protect data at rest, but it also manages encryption keys across the enterprise, which is a critical component of any company's PCI compliance strategy."

Palgon continued, "Level II merchants who know they won't meet the December 31st compliance deadline can dramatically reduce the penalties they'll pay to their merchant acquiring banks by adopting a solution like nuBridges Data Secure that can help them meet PCI DSS encryption requirements quickly and ensure they'll pass future PCI audits."

About nuBridges Data Secure

nuBridges Data Secure is a data encryption and key management solution. It is the practical answer to payment card industry (PCI) data security compliance, designed for rapid, non-disruptive implementation and audit-ready compliance. nuBridges Data Secure protects some of the world's most recognized brands.

About nuBridges, Inc.

Atlanta-based nuBridges, Inc. is the secure eBusiness authority. Thousands of companies worldwide use nuBridges software and services to connect electronically with business partners, protect information in transit and at rest, and comply with legislative and industry mandates for data security. nuBridges technology drives B2B transactions worth $884 billion every year. For more information on nuBridges, visit

(1) "Lessons Learned: Top Reasons for PCI Audit Failure and How to Avoid Them" by VeriSign® Global Security Consulting Services

(2) "More Lessons Learned -- Practical Tips for Avoiding Payment Card Industry (PCI) Audit Failure" by VeriSign® Global Security Consulting Services
