Blog Post
A Guide to Retail PCI Compliance
Overview of the retail sector
There are over one thousand malls in the United States alone, which have been facing disruption from consumer shopping trends moving online. Despite this, the retail industry’s challenges with data security continues to become more complex with ever increasing data collection practices and the quest to better understand the ideal customer continues to evolve.
For retailers of all sizes, customer data collection techniques are only increasing, but, with this, so do the chances for significant security breaches resulting from data exploitation. These events lead to exposure of both payment card information and generic personal data of millions of customers worldwide. The end result is a potential loss of customer trust which whilst hard to measure, is not an asset any retailer wants to put at risk. One study estimates that 20% of customers say they would stop shopping at a retailer completely after just one compromise. With retail sales already declining year over year, now is a critical time to enhance customer trust and review your data security safeguards.
PCI Compliance Overview
The Payment Card Industry Data Security Standard (PCI DSS) is a global security requirement for any organization that processes, stores or transmits credit cardholder information. Released in 2006, the standard serves as a minimum set of requirements needed to protect customers’ payment data from being compromised which was the underlying primary cause of payment card fraud.
PCI DSS is continuously evolving and adapting to the current world as the PCI Standard Security Council (PCI SSC) deems appropriate in consultation with industry stakeholders including PCI QSAs (Qualified Security Assessors), payment processors, large merchants and other payment industry participants. American Express, Visa, MasterCard, and Discover are the four main payment card brands overseeing the council. Below, you can find the main requirements of PCI DSS.
PCI DSS Compliance Requirements
- Build and Maintain a Secure Network and Systems
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
Regulations surrounding PCI DSS impact every aspect of a business accepting card payments. It’s applicable to both the hardware and software that retailers use– systems as intricate as the computers managing payments all the way to the PIN pad you swipe your credit card through in addition to a variety of other technology and people processes including security policy, procedures, security controls and general data awareness.
Why PCI Compliance Matters for Retailers
Naturally, PCI DSS compliance precautions are signed to protect customer payment data, but it can also translate to added protection to an organization’s own internal data. Another key reason PCI compliance matters is because non-compliance can lead to considerable fines or withdrawal of merchant facilities, which are necessary for accepting card payments.
However, not all merchants are treated the same. There are actually four levels of PCI DSS compliance depending on the annual volume of card payments that a business or its group processes. While every retail business must adhere to PCI standards, the requirements and level of compliance needed will fall into one of the following levels:
- Level 1 – Applies to merchants and processors processing at least six million transactions annually. A level 1 PCI organization is required to undergo an onsite assessment annually which is to be conducted by a Qualified Security Assessor.
- Level 2 – These retailers process 1-6 million annual payment card transactions.
- Level 3 – The third tier processes between 20,000 and 1 million transactions annually.
- Level 4 – This lowest level is for businesses that process less than 20,000 annual payment card transactions.
How Retailers Can Meet PCI Compliance Requirements
One of the first actions retailers can take to meet PCI DSS compliance is conducting a gap analysis. This process involves a detailed discovery of all cardholder data hiding across the entire retailer network environment, which assesses the current state of risk and compliance as it relates to PCI DSS, and how data is being collected, handled and stored.
The second step is to develop organizational procedures and protocols. It is invaluable to establish a team who will be responsible for ensuring PCI DSS compliance for your organization. Meeting compliance standards is not a once-off project. The sooner your organization embraces that compliance is an ongoing organic process, it will become core to the organization’s culture and business practice.
Thirdly, don’t charge your employees as the sole accountant for maintaining an understanding of data being stored. Utilize technology and implement a cardholder data discovery scanning tool. Using an automated, no-assumption based approach to finding card data, achieving compliance has become more streamlined with higher accuracy. A purpose-built card data discovery tool can help your organization become more efficient in identifying all data stored in your systems and guide you in taking the right steps towards PCI DSS compliance. With PCI DSS 4.0 slated to begin by mid 2021, organizations will need to take steps towards compliance now.
Maintain PCI DSS Compliance with Ground Labs
Maintaining compliance begins with where your personal data resides – on workstations, servers, email, databases and cloud. Card Recon and Enterprise Recon PCI are card data discovery solutions custom-built to meet PCI DSS 4.0 compliance. Ground Labs PCI DSS 4.0 solutions can identify all PCI participating card brands, generate reports to confirm PCI compliance, and provide remediation capabilities to correct any issues that are detected.
If you’re ready to start your journey to PCI DSS compliance with Ground Labs, schedule a demo with us today.