AP: Weak Security Opens Door To Credit Card Hacks

Avivah Litan, a Gartner Inc. analyst, says retailers and payment processors have spent more than $2 billion on security upgrades to comply with PCI. And the payment industry touts the fact that 93 percent of big retailers in the U.S., and 88 percent of medium-sized ones, are compliant with the PCI rules.

That leaves plenty of merchants out, of course, but the main threat against them is a fine: $25,000 for big retailers for each month they are not compliant, $5,000 for medium-sized ones.

Computer security experts say the PCI guidelines are superficial, including requirements that stores run antivirus software and install computer firewalls. Those steps are designed to keep hackers out and customer data in. Yet tests that simulate hacker attacks are required just once a year, and businesses can run the tests themselves.

"It's like going to a doctor and getting your blood pressure read, and if your blood pressure's good you get a clean bill of health," said Tom Kellermann, a former senior member of the World Bank's Treasury security team and now vice president of security awareness for Core Security Technologies, which audited Google's Internet payment processing system.

Merchants that decide to hire an outside auditor to check for compliance with the PCI rules need not spend much. Though some firms generally charge about $60,000 and take months to complete their inspections, others are far cheaper and faster.