PCI Compliance for Retail: Don’t Let a Credit Card Breach Ruin Your Holiday Season

Holiday shopping is getting underway. For retailers, this means a large number of credit card transactions and a large amount of stored customer data, all of which is a big target for cyber criminals. There is also the risk of fraudulent transactions, especially online, and this year in particular many businesses are selling online for the first time or doing a much higher percentage of their business online.

This makes security more important than ever.

What is PCI Compliance?

PCI stands for Payment Card Industry, and the standards are set by the PCI Security Standards Council. Founded by the major credit card providers, the council sets standards and educates merchants, vendors, and financial institutions on best practices and how to implement the standards.

PCI compliance, thus, refers to ensuring that systems meet those published standards, which are a basic requirement to accept credit cards. For some vendors, it's possible to offload PCI compliance onto a payment processor. Others, with a larger volume of sales, may find it easier to handle compliance themselves.

For those vendors, a data breach is a particular problem, as the liability rests with them rather than with a third-party processor. Vendors are always responsible for ensuring they are compliant, even if they have moved some security functions to the cloud or to a payment processor.

What are PCI Compliance Requirements?

PCI compliance requires meeting certain standards, which differ by company size. What retailers need to worry about is the PCI Data Security Standard (PCI DSS). This standard requires that all merchants:

  • Build and maintain a secure network by installing and correctly configuring firewalls and avoiding default system passwords and security parameters.
  • Protect cardholder data with encryption, both at rest and in transit.
  • Use anti-virus and other security software, and update it regularly.
  • Use secure systems and applications.
  • Restrict access to cardholder data on a need-to-know basis, including physical access.
  • Strengthen access control by ensuring each individual has their own credentials.
  • Track and monitor access to network resources.
  • Regularly test security systems.
  • Maintain a proper information security policy.

These are, of course, overall best practices, and the standards themselves go into far more detail. Retailers don't need to worry about the standards for the design of payment terminals or for payment applications (PA-DSS), but they do need to ensure the solution they choose addresses the standards effectively. The most important thing is to keep cardholder data as secure as possible.

How Does eCommerce Impact PCI Compliance?

eCommerce generally makes PCI compliance a little harder. The council publishes specific, and highly technical, best practices that cover everything from validation to encryption to testing. The ideal situation is for your systems not to store the credit card data at all. Many customers enjoy the convenience of a stored payment method, but storing card data is not great from a security perspective and adds complexity that must be properly addressed.

You need to properly evaluate all the technology you use and make sure that every security control is functioning as designed. For many smaller companies, it's easiest to outsource PCI compliance. Failing that, have expert assessments performed to confirm that you are fully compliant, that any gaps are identified, and that a corrective action plan with timelines and budgets is created.

What Are the Consequences of Failing to Comply?

The PCI Security Standards Council does not levy penalties for failing to comply with the standards, but the individual companies you deal with might. The Payment Card Industry has established fines of up to $500,000 per incident for security breaches when merchants are not PCI compliant. In addition, all individuals whose information is believed to have been compromised must be notified in writing so they can watch for fraudulent charges. You could end up with consequences up to and including losing your ability to process credit cards.

More importantly, the standards are well designed and have been updated over the years to minimize your risk of a data breach. Experiencing a data breach can ruin your holiday season. You may end up facing fines and lawsuits, and your reputation will be damaged. Two-thirds of holiday shoppers worry that their credit card information will be stolen, and the same study shows that 78% would avoid shopping with a retailer that had been breached. Since you have to notify customers of breaches, keeping them quiet is not an option. Winning customers back after a breach can therefore be a lot of work and requires excellent customer service.

It's far easier to be compliant in the first place and reduce your risk of a breach as much as possible. The risk cannot be completely eliminated, but with a proper security plan and compliance program, it can be minimized.

How Does PCI Compliance Assessment Work?

Compliance starts with an assessment, and many companies perform one annually. The PCI Security Standards Council provides various tools to help retailers assess compliance and set up their systems.

However, a more thorough assessment performed by an experienced professional is far better. Such an assessment might include vulnerability scanning and penetration testing to look for problems, as well as valuable insights from incidents and lessons learned. It also includes training to ensure that personnel are more aware of potential problems and how to mitigate them.

An assessment will give you a thorough report on where your security controls, including your policies as well as your infrastructure, are falling short, and a starting point for improvement. Assessment should not be a one-and-done exercise; it should be repeated at planned intervals to ensure that you are not slipping.

Assessment should also not be the only thing you rely on. It should be part of an ongoing process to continually improve your security.

What is PCI Compliance Certification?

Some companies need to be externally certified for PCI compliance, depending on the number of transactions they perform, while others must complete a self-attestation. When obtaining a certificate of compliance, do not use certificates or documentation that don't come from the Security Standards Council.

The council offers a variety of official reporting templates and forms, including Attestations of Compliance (AOCs) and Self-Assessment Questionnaires (SAQs). These forms are used to demonstrate compliance and must be completed truthfully and in line with your existing systems and controls. AOCs are often provided to customers, but they are of limited use to retailers: while gaining customer trust is important, most customers don't know what an AOC is or why it matters.

How Can GreyCastle Security Help?

GreyCastle Security provides PCI assessments based on the most recent standard, PCI DSS 3.2. Our assessments meet the requirements of the PCI Council, help you find compliance gaps, and help you develop a risk mitigation plan. We can't eliminate all risk of a data breach (and anyone who claims they can should not be trusted), but we do this all the time, and we can ensure that your eCommerce sites and point-of-purchase machines are properly secured and compliant.

PCI compliance is vital for all retailers and is even more important in the current environment, where customers are eschewing cash and are far more likely to order goods online. To find out how a PCI assessment can provide the insights needed to effectively manage risk, prioritize spending, and stay compliant, contact GreyCastle Security today.