Registration Regulation: PCI Compliance? Priceless
By Heidi Genoist -- Tradeshow Week, 3/20/2006
If you're a registration company, and you're not PCI-compliant, your days working in the tradeshow industry might be numbered. So say vendors that have their PCI ducks in a row.
PCI is the Payment Card Industry Data Security Standard (PCI DSS), the set of security requirements the major credit card brands impose on any organization that stores, processes or transmits cardholder data, whether online or not. Visa and MasterCard aligned their respective in-house programs (Visa's CISP and MasterCard's SDP) to publish the first industry-wide version of the standard in December 2004. The standard is "voluntary" only in the sense that it is not a law: it is enforced through the contracts merchants sign with the card brands and their acquiring banks.
So, what does PCI compliance mean, practically speaking?
Companies that take online credit card orders — such as tradeshow registration providers — don't process payment information themselves. Rather, they send it through secure e-commerce gateways, which work with the credit card companies to verify and transmit information. Examples of gateways are VeriSign and PayPal.
Demanding PCI compliance is the credit card companies' way of ensuring that everyone in the payment chain, the gateways and the merchants that feed them alike, follows secure and standardized procedures for taking, processing and storing customers' sensitive card data. Using a gateway does not take a registration provider out of scope: the standard applies to the provider's own web servers and databases as soon as card numbers pass through them.
To attain and keep PCI-compliant status, companies have to demonstrate that their data-handling methods conform to the standard's twelve requirements, which cover areas such as firewalls, encryption of stored and transmitted card data, access control, logging and regular security testing. They must also submit to regular checks by third parties: quarterly external vulnerability scans by an approved scanning vendor that probes their Internet-facing systems for ways around firewalls and other security devices, and, for the largest merchants and service providers, on-site audits.
"A user that signs up has to comply with those standards or face a fine," said Paul McCaffray of CompuSystems, which achieved its compliant status last month. "In order to obtain this certification, we spent a lot of money to add firewalls and other safeguards."
McCaffray said auditors will notify PCI-compliant firms when they find problems. If a firm doesn't fix its problems, it faces fines and restrictions by the credit card companies.
But Mike Morton, CIO for Showcare, another PCI-compliant registration provider that uses VeriSign as its gateway, said a fine would be the least of his problems.
"Let's say VeriSign saw we hadn't passed our PCI (audit)," he explained. "I'd have to go to our clients like Reed (Exhibitions), VNU (Expositions), Advanstar (Communications), M¦C (Communications), and tell them we couldn't process any more of their transactions until we got it sorted out. They'd have to put registration for their shows that have thousands of attendees on hold."
The result would be devastating to his reputation, Morton said.
Participating credit card companies have given e-commerce merchants until June 30 to become PCI-compliant. Now that they've had some time to get used to the idea, the industry will start cracking down. Morton said he's been told that the next few months will see the creation of PCI blacklists, naming companies that don't conform.
"Any reputable registration company that wants to keep functioning will have to do this," he said.
Show management firm clients have begun including it in their RFPs for registration providers.
McCaffray estimated that CompuSystems annually handles $35 million to $40 million in exhibition registration fees. The credit card companies "have to have tight controls ... so there's no place to hide funds."
Arnie Roberts, president and CEO of Smart-Reg Intl., pointed out that there is vast potential for fraud in merchant accounts. Confusion arising from questioned or canceled charges and fees means "the charge-back potential is huge on the Internet," he said.
Although achieving PCI compliance might entail an investment in one's systems, signing up for certification is not expensive. ScanAlert, the approved scanning vendor that Showcare uses, offers a PCI compliance package for $149. Morton said the company doubled the list of things it was already checking for Showcare, at no additional cost, to fulfill its PCI requirements.