What the retail industry should know about PCI compliance
Very few people use cash for purchases these days, and in order to grow a retail business it is advantageous to make buying as easy as possible for customers, which usually means having payment processing that accepts credit cards.
The same applies to government offices that accept payments for products or services, and in both cases there are rules that need to be adhered to. Any payment processing system that accepts cards needs to comply with the Payment Card Industry Data Security Standard (PCI DSS). The standard is there to make sure that any cardholder and customer data the system stores or handles is kept secure at all times.
PCI Compliance in a Nutshell
What is PCI DSS?
In order to protect against card fraud and identity theft, these security standards were developed by a council comprised of the major payment card companies. The council created the PCI standards so that companies would have a framework to follow for keeping cardholder information in a secure environment and for finding and closing any vulnerabilities.
Is Compliance Mandatory?
PCI DSS may not be classed as a regulation, but that doesn’t mean it can be ignored. Because the card companies and banks bear the losses when shoddy security measures result in cybercrime and stolen sensitive information, retail companies or government departments that do not comply can be fined up to $100,000 a month. Maintaining compliance may seem complicated, but when the alternative is a huge fine that could affect both reputation and the bottom line, anyone accepting card payments would be foolish to ignore the standard.
How Processing Size Affects PCI Compliance
Any company or government department that accepts cardholder data needs to comply with PCI DSS. This is the case even if no cardholder information is stored. Your processing size, however, does determine exactly how you have to demonstrate compliance, and it is based on transaction volume over 12 months. There are four levels, with Level 1 covering the merchants that pose the largest risk. Although the level thresholds differ slightly between card brands, they are very similar, and if you qualify for a certain level with one brand then you remain at that level for all the card brands you accept.
Allowing for minor differences, these are the broad qualifications for each level:
- Level 1: Any merchant processing over 6 million card transactions a year.
- Level 2: Any merchant processing 1 to 6 million transactions a year.
- Level 3: Any merchant processing 20,000 to 1 million transactions a year.
- Level 4: Any merchant processing fewer than 20,000 transactions a year.
Three Steps to PCI Compliance
Scope Your Environment
The first stage is to define your cardholder data environment (CDE), which is anywhere in your systems that holds personally identifiable cardholder information: the cardholder name, account number, expiration date or service code. The PCI DSS requirements apply to any part of your system or network that stores, processes or transmits any of the above data, and to any component that connects to that network. These components could be servers or smaller hardware such as laptops, and the overall system or network should encompass any wireless or cellular networks, routers, and point-of-service systems.
Once you have identified the environment, you need to protect the information that flows through it, and mapping the data flow as a workflow narrows down exactly where the data is used. Network segmentation can also reduce the scope of your environment and make it more manageable.
Establish Policies and Controls
Helpfully, PCI DSS has clear definitions for all of its requirements, including guidance on exactly which encryption methods are acceptable. Your policies and controls should spell out all the processes and procedures needed to keep cardholder data safe, including password protection and the configuration of third-party vendor software and hardware.
Complying once is not sufficient; you need continuous monitoring of your cardholder data environment and of any third-party vendors to make sure that everything stays secure. As part of an audit, your environment and its controls will be reviewed and tested to ensure they work as expected. Monitoring for potential vulnerabilities demonstrates that you are protecting all sensitive information from hacking threats and maintaining the integrity of your data.
Although these tasks can be carried out manually, governance, risk and control software can help you reach compliance through automation. Such tools keep all your controls in a centralized place, which makes audits easier, and can flag vulnerabilities and critical issues so that they can be corrected. When you add ongoing monitoring so that you are alerted to threats as early as possible, PCI DSS compliance becomes a lot safer and easier.
Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.