The Retail Road to PCI Compliance
Small businesses and retailers can be especially vulnerable to data breaches but are often overwhelmed by the PCI-compliance process, which can appear more complex than it actually is. Contrary to what many believe, PCI DSS is not simply a recommended ‘best practice’ approach: it is a contractual requirement, imposed through the card brands and acquiring banks, that must be met by any business that stores, processes or transmits payment card data.
Retail credit card breaches happen with disturbing regularity, but not all of them make headline news. Preparing ahead of time makes it easier to limit the damage when, not if, a breach strikes. A leak exposing transactional data can have a significant, long-term negative impact on customer loyalty, jeopardising a retailer’s reputation and its customers’ privacy.
The Payment Card Industry Data Security Standard (PCI DSS), which is backed by the major card brands, is both a way of measuring your level of security fitness and a set of requirements that ensure a customer’s sensitive payment information is handled and stored securely. The standard applies to every retailer that takes card payments and includes measures such as installing and maintaining a firewall, never retaining sensitive authentication data (the card security code, the full magnetic-stripe contents or the PIN) after authorisation, rendering any stored card number unreadable, and encrypting cardholder data sent over open, public networks. Together these measures keep cardholders’ details out of the hands of data thieves and reduce the risk of loss or leakage.
Although PCI DSS was first published in 2004 and has been overseen by the PCI Security Standards Council since 2006, many retailers are still not compliant because of the perceived expense and time involved. Each card brand runs its own compliance programme, but all of them require merchants to demonstrate compliance, either by completing a Self-Assessment Questionnaire (SAQ) or, for the largest merchants, through an on-site assessment by an independent Qualified Security Assessor (QSA). Card-services providers are happy to help with the administration as a valuable first step and can take merchants through the set-up process to help minimise the workload and costs involved.
Alongside the penalties imposed by card brands for non-compliance, the consequences of a data breach are serious and can include legal action, damage to reputation and ultimately loss of business through diminished customer confidence. So can retailers afford not to comply? Most retailers invest considerably in stock-control procedures, recognising the essential role they play in protecting stock assets and improving operating efficiency. Should the protection of valuable personal and confidential card data be treated any differently?
The road to PCI compliance may be challenging, but retailers need to start taking ‘stock’ of their security measures by becoming compliant and recognising the essential role that this investment plays in safeguarding consumer data and delivering even greater long-term operating and service benefits to customers.
Before any business can start to protect sensitive cardholder data (CHD), the first step is to find and document where CHD is stored, because you cannot encrypt, delete or monitor data you do not know you have, and every system that holds CHD falls within the scope of a PCI DSS assessment. PixAlert’s PCI Automated SCOPE Assessment solution provides an automated mechanism to find where CHD is stored on any part of the network. It helps businesses understand the scale of their cardholder-data exposure, enabling them to review, remediate and continuously monitor their environment while creating a path to achieving and maintaining compliance and proactively protecting card data.
Published date: 16th October 2012
Author: Vivian Cullen, Head Of International Business Development, PixAlert