PCI Compliance: What Retailers Must Know

Protecting customers’ sensitive information is the most important obligation in the retail industry. If retailers accept credit card payments, they need to take steps to ensure that credit and debit card information is always stored, processed, and transmitted securely.

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle credit cards. PCI standards were created as a way to ensure that retailers have greater control over sensitive credit card information in their possession and take steps to prevent data theft and fraud.

Any business or retailer that handles credit card information is required to be compliant with the PCI standards, and the penalties for non-compliance are severe. Banks and other financial institutions may impose penalties from $5,000 to $500,000 on non-compliant organizations. Perhaps even worse, the acquiring bank may choose to revoke the merchant’s ability to accept credit cards, which would be a crippling blow for many retailers. In order to avoid fines, prevent damage to company reputation, and improve trustworthiness among customers, it is important for retailers to take PCI standards seriously.

Credit card companies such as Visa and MasterCard, which make up the PCI Security Standards Council, have defined four different PCI compliance levels for merchants. The level that a retailer is assigned is determined by its yearly transaction volume. In addition, companies that have suffered a data breach resulting in compromised credit card information may be moved to a higher level.

The four levels of PCI compliance are:

  • Level 4: Retailers who process less than $20,000 in yearly e-Commerce transactions.
  • Level 3: Retailers who process between $20,000 and $1 million in yearly e-Commerce transactions.
  • Level 2: Retailers who process between $1 million and $6 million in yearly e-Commerce transactions.
  • Level 1: Retailers who process more than $6 million in yearly e-Commerce transactions.

Retailers at all levels must meet the requirements of the PCI standards, but smaller merchants face fewer validation requirements. For example, small Level 4 retailers are required to complete a yearly self-assessment questionnaire, as well as have an approved vendor perform a network scan several times a year. On the other hand, Level 1 retailers might be required to have a qualified internal or external security assessor report on the company’s PCI compliance at regular intervals.

The first step for a retailer is knowing where cardholder data resides. It sounds easy enough, but you really need to sit down and assess, identify, and ultimately confirm where credit card information resides in the organization, both in hard copy and electronically.

Even in today’s digital age, you would be surprised at the number of retail stores that have cardholder data in hard-copy format, such as old invoices, purchase orders, and receipts, and in many other locations. Additionally, knowing where cardholder data resides ultimately means knowing how the organization captures credit card information. It is critically important to develop a cardholder data flowchart showing the origin, pathway, and exit point(s) of credit card information. When done properly, you will be able to readily identify where cardholder data resides, and that is the real intent of this exercise for retail stores seeking to become PCI DSS compliant.

Once the cardholder data has been identified, assessing risk is the next critical step for any merchant that wants to enhance profits and minimize threats to the organization while keeping the business sustainable for the long term. After all, don’t you want to know about the threats and challenges that can cause major issues and constraints for your business?

Policies and procedures are a big part of today’s regulatory compliance initiatives – and especially of PCI compliance for retail stores. Companies may already have policies in place, but they must be written to the exact standards of the PCI framework and must be kept current. It is recommended that they be reviewed on an annual basis, as technology and risks keep evolving.

One of the very best initiatives for businesses, especially retailers, is to put in place comprehensive security awareness training. The world we live in today is radically different than it was just ten years ago, with threats seemingly everywhere. So, now’s the time to get serious about protecting organizational assets, and this begins with high-quality, professionally developed security awareness training programs. ERMProtect has a robust Security Awareness Training Program and can assist in this endeavor.

Other best practices and tools recommended to protect credit card data are network segmentation and tokenization. Network segmentation keeps the systems that handle payment card data separated from the rest of the IT environment, so the information is isolated and less exposed, and the scope of the PCI assessment is smaller. Tokenization, a practice that replaces credit card data with non-sensitive substitute values, also improves merchants’ security posture, because the systems that store the tokens no longer hold anything worth stealing.
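To make the tokenization idea concrete, here is an added example (not code from this article, from ERMProtect, or from any real tokenization product) of a hypothetical in-memory token vault. The vault is the only component that ever sees the PAN; the merchant's order records keep a random token that has no mathematical relationship to the card number, plus the last four digits for receipts and customer service. Everything below the vault boundary, names included, is an assumption made for the example; a production vault would live inside the cardholder data environment, encrypt its store at rest and restrict who may call detokenize.

```python
import re
import secrets

PAN_RE = re.compile(r"\d{13,19}")


class TokenVault:
    """Hypothetical token vault (example only). Holds the token -> PAN mapping."""

    def __init__(self):
        # In a real deployment this mapping is encrypted and lives in the CDE;
        # a plain dict is used here only so the example runs stand-alone.
        self._store = {}

    def tokenize(self, pan: str) -> str:
        """Replace a PAN with a random token; only the vault remembers the PAN."""
        digits = re.sub(r"[ -]", "", pan)
        if not PAN_RE.fullmatch(digits):
            raise ValueError("value is not a 13-19 digit PAN")
        # The random part is independent of the PAN, so a token cannot be
        # reversed without the vault. The last four digits are kept in the
        # clear because receipts are allowed to show them.
        token = "tok_" + secrets.token_hex(12) + "_" + digits[-4:]
        self._store[token] = digits
        return token

    def detokenize(self, token: str) -> str:
        """Recover the PAN. Only the payment path should be able to call this."""
        return self._store[token]


def last_four(token: str) -> str:
    """Display value available to any system without touching the vault."""
    return token[-4:]


def record_sale(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """Build the order record the merchant's systems keep: token, never the PAN."""
    return {
        "card_token": vault.tokenize(pan),
        "card_last4": last_four(vault.tokenize(pan)) if False else pan.replace(" ", "").replace("-", "")[-4:],
        "amount_cents": amount_cents,
    }


if __name__ == "__main__":
    vault = TokenVault()
    # Publicly documented Visa test number, not a real account.
    order = record_sale(vault, "4111 1111 1111 1111", 4999)
    print(order)                                  # token and last four only
    print(vault.detokenize(order["card_token"]))  # payment path recovers the PAN
```

The point of the design is the blast radius: a breach of the order database yields tokens that are useless outside this vault, and a breach of the vault is the only event that exposes PANs, which is why that one component is what gets segmented, audited and assessed most closely.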

If possible, it is best to outsource your credit card processing to a validated third-party service provider. This way, all credit card information stays off your servers. There are also e-commerce services that are PCI compliant and make all the necessary security updates, so you can concentrate on sales. But make sure the service providers are PCI compliant: ask them for a current Attestation of Compliance (AoC), a report attesting that they meet the PCI standards.

For many retailers, the obstacles to compliance can feel overwhelming — to the point that, until recently, fewer than half of organizations were in full compliance with PCI DSS. This is where ERMProtect can help. At ERMProtect, we have practical experience in application security, information systems security, network security, IT security auditing, and information security risk assessment and risk management that will expedite the certification process.

Our Qualified Security Assessors possess one or more industry-recognized professional certifications in Information Security (e.g., Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM)) and/or Security Auditing (e.g., Certified Information Systems Auditor (CISA)). These designations demonstrate a commitment to professional standards and continuing education. We can assist with PCI compliance assessments, PCI QSA audits, SAQ consulting, PCI penetration testing, and PCI PFI forensic investigations of data breaches.

With the right tools, careful planning and knowledge of the requirements, retailers can set themselves up to not only follow the rules, but to provide even better security around their customers’ payment data than is required.
