PCI Compliance In The Retail Market

Compliance with the standards of the Payment Card Industry (PCI) Security Standards Council is an immediate and costly focus for many industries, and the retail market is no different. While retailers are trying to increase sales, lower prices and keep customer satisfaction high in the wake of a recession, meeting PCI standards has also become a key business driver.

Securing customer data is a main focus of the PCI standards. The hardware technology installed, how the customer data from each piece of hardware is processed and how the retailer handles that data together determine industry compliance. For example, at the point of sale (POS), retailers have access to a large amount of customer data through payment terminals. According to the PCI council, a retailer cannot hold that information for an extended period of time, so procedures and processes for handling customer information are constantly changing to keep up with industry standards.

Many retailers used the last few years to make sure all installed payment terminals were PCI-compliant by the Triple DES (TDES) mandate, a high level of security for payment terminal encryption. Some retailers were able to keep existing hardware in place and focus on an encryption upgrade. However, since hardware must also meet PCI standards, some retailers also had to replace legacy payment terminals. Any retailer with a security breach after July 1, 2010, without TDES on the payment terminal, was responsible for all associated costs and fines.

In 2011, retailers are tasked with understanding the PCI council’s version 2.0 of the Payment Card Industry Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS). Version 2.0 was published in October 2010 and effective Jan. 1, 2011. Retailers have until the end of 2011 to understand and implement the new requirements, and provide feedback to the council.

Version 2.0 does not introduce any major new requirements; the majority of changes are modifications to existing language. Rather, version 2.0 is designed to provide greater clarity and improved understanding of the requirements to make adoption easier.

Key revisions reinforce the need to thoroughly understand where cardholder data resides before conducting a PCI DSS assessment. They encourage organizations to adopt a risk-based approach when identifying and addressing security vulnerabilities, and let businesses consider their specific circumstances and tolerance for risk when assessing vulnerabilities. The revised standard incorporates previous PA-DSS guidelines in order to simplify the compliance process for small retailers. Finally, the updates promote more effective log management in securing cardholder data by requiring that payment applications facilitate centralized logging.

Many retailers continue to struggle with meeting compliance deadlines. The new version illustrates the council’s goal of making PCI compliance a simpler and more easily understood process. By the end of 2011, version 2.0 will become the only legal guideline for PCI compliance, so retailers are encouraged to embrace the changes now.

In addition to assessing how these changes affect the store environment, retailers need to look at corporate campuses, distribution centers and warehouses. Any network connection point can also be the site of a security breach. Technology solution providers and partners need to advise clients about these sites when planning PCI updates, and retailers need to keep them in mind when future-proofing sites.

Since PCI standards change so often, retailers have little time for planning and deployment once they find out they are not compliant with new standards. If a partner or solution provider can stay up to date on the latest technology standards, it provides a huge return for customers. An investment in the latest technology helps to make sure retailers are headed in the right direction and don’t get stalled with pricey and time-consuming compliance issues.

Information on the updated standards and changes was taken from the PCI Council’s website as well as the PCI Council’s news release on version 2.0. To access the new Data Security Standards, visit the PCI Document Library.

Brad Fick has been with Direct Source since 1993 and currently leads business and sales operations for the company. He was previously Vice President of Sales and Marketing. With multiple years of operational management, marketing, product management and sales experience, Fick has held leadership positions with many companies in the retail and technology markets including: Donaldson’s Department Store, NCR Corporation and DataServ.
