The Payment Card Industry Data Security Standard, or PCI DSS, was established to reduce the risk of breaches and all merchants that accept credit cards are required to comply. But in reality many retailers are not compliant due to lack of time and resources and misconceptions about the requirements for compliance. The lack of adequate security has made retailers a primary target for hackers, with as many as 1 in 6 small businesses suffering from a breach in the next 24 months [1]. Restaurants are particularly vulnerable; according to Visa, in 2011 restaurants accounted for 73% of all breach incidents in the U.S. [2]
We often perform a quick initial assessment of companies by asking three simple questions:
- Have all employees completed a security awareness training program upon hire and annually thereafter?
- Have all employees read and signed a formal security policy?
More often than not, the answer to at least one of these is “no,” meaning the retailer is not compliant.
PCI Compliance is Hard
Why is PCI compliance so hard for retailers to achieve? To begin with, many are unaware that they have an issue. We often hear statements such as:
I don’t need to be compliant because…
“…I don’t process many credit cards.”
“…I don’t store credit card information.”
“…I’m not a major brand retailer.”
OR I’m compliant because…
“…My POS systems are compliant.”
“…I have firewalls in place.”
“…I’ve passed an ASV scan.”
“…I’ve implemented the basic requirements.”
The reality is that all merchants that accept credit cards are fully responsible for their own compliance, and there is no such thing as “partially compliant.” You’re either compliant, or you’re not.
Misconceptions aside, achieving compliance is not easy. PCI DSS is extensive and complex, as the framework includes 12 requirements organized into six core categories. This includes requirements to build and maintain a secure network, protect cardholder data, maintain a vulnerability management program, and implement strong access control measures.
To demonstrate compliance, retailers are evaluated against up to 280+ audit procedures. The exact number is dependent on the nature of their environment – for example, whether the retailer stores or simply transmits credit card data.
Achieving compliance is also not a one-time event. It requires ongoing maintenance including regular scans and self-assessments, and many retailers and franchisees don’t dedicate the necessary time, budget or resources.
If PCI compliance is so difficult to achieve, many may ask — why not just accept the risk of data breach, and address the problem reactively?
Failing to comply with PCI is taking a risk analogous to driving a car without insurance. As already noted, the likelihood of breach is high. Once a company suffers a breach, the cost and time required for remediation can significantly impact a company’s ability to operate, and many retailers — particularly those that are small to midsized — may find themselves out of business.
For non-compliant retailers, costs incurred as a result of a data breach can include:
- $20,000 for an internal forensic audit
- $50 per breached card for reissuance
- Up to $500,000 in regulatory compliance violation fines
- Payment of transactions held back from merchant processor
- Damage to brand/lost revenue
- Loss of credit privileges/credit impact
In addition, following the breach the retailer may be re-categorized as a Level 1 merchant, which means they are subject to the same scrutiny and compliance requirements as merchants that process more than 6 million transactions per year.
While compliance with PCI DSS doesn’t guarantee that a retailer won’t be a victim, it significantly reduces the associated cost and risk. Hackers pursuing targets of opportunity will look to easier targets, merchant level is preserved, and remediation is faster and far less costly for those that can show proof of required assessments and scans.
4 Key Steps to PCI Compliance
What follows are four steps retailers should take towards achieving PCI compliance:
1) Establish Financial Protection
Breach protection can help retailers to cover direct costs in the event of a breach for each store location, including the costs associated with forensic audit, fees, fines and credit card replacement.
2) Validate PCI Compliance
Merchants that process fewer than 6 million transactions per year have two key requirements for validating compliance: the annual Self-Assessment Questionnaire (SAQ), and quarterly network scans by an Approved Scanning Vendor (ASV). The SAQ documents PCI compliance status against up to 280+ control objectives through one of six questionnaires, which retailers select based on their environment. The ASV scan is a network vulnerability scan of all 65,535 TCP and UDP ports on each Internet-facing host in scope, and the resulting reports are filed with the appropriate bank or processor.
3) Address Gaps
Merchants must address all high severity vulnerabilities identified during assessments and scans. Common issues include outdated firewalls, insecure remote access, weak security configurations, operating system flaws, lack of staff training, and flawed or non-existent security policies.
4) Maintain Compliance
As stated earlier, PCI compliance is an ongoing process, not a one-time event. Basic procedures should include conducting ongoing PCI training for employees, including cashiers and IT staff; documenting and enforcing security policies; and conducting regular assessments and network scans for all locations and remediating the gaps they identify.
Bringing PCI Compliance Within Reach
While the process may seem complex and costly, achieving PCI compliance is possible – even for retailers and franchisees with limited expertise and resources. In addition to the wealth of information available online, there are also affordable third-party services and tools to help guide retailers through the process. Web-based tools make it easy and cost-effective to centrally manage the SAQ, quarterly ASV scans, employee training, and security policies for all store locations. Breach protection is available for as little as $1 per day per location to cover costs in the event of a breach. To close gaps that are identified, IT infrastructure vendors now offer a range of options that support compliance without driving up costs, such as cloud-based firewalls or WiFi routers with integrated firewalls.
For any merchant that accepts credit cards, PCI compliance isn’t just a requirement, it’s necessary for business stability. Fortunately, businesses don’t have to tackle this on their own with limited time, budget, and resources. Third-party services and partners can help to bring PCI compliance within reach.
[1] PCI Standards Council Annual Meeting 2011, QSA/ASV General Session, 9/20/11 – IC3 Executive
[2] Visa Data Security & Authentication Symposium, June 6, 2012
Greg Griffiths is the Vice President of Retail Solutions for EarthLink, where he leads the team of technical experts responsible for designing network solutions for large enterprise customers. Prior to joining EarthLink, Greg was Vice President of Marketing for New Edge Networks, a leader in IP-based WAN network services that was acquired by EarthLink in 2006. At New Edge, Greg led the company’s strategy to focus on the retail industry, and held overall responsibility for all aspects of marketing including branding, communications, demand generation, and channel strategy. Before joining New Edge Networks, Griffiths held operations and executive positions with Eschelon Telecom of Oregon, Frontier Communications, and Enhanced Telemanagement.