What the Retail Industry Should Know About PCI Compliance

Published July 17, 2018 (4 min read)

To grow your retail business, you need a product as well as a way to make paying for that product easier for your customers. As fewer people use cash and more people shop online, the retail industry needs to focus on payment processing solutions that make their jobs easier. However, if you’re a merchant looking to invest in a payment processing system, you need to become informed about Payment Card Industry Data Security Standard (PCI DSS) compliance.

Retail Store PCI Compliance

What is the Payment Card Industry Data Security Standard (PCI DSS)?

As identity theft threats rose in the early 2000s, the five major payment card companies (American Express, Discover Financial Services, JCB International, MasterCard, and Visa, Inc.) banded together to create the Payment Card Industry Security Standards Council (PCI SSC). The organization wanted to create a series of standards for how to process payments, protecting their customers as well as themselves.

The PCI SSC established “best practices” for protecting information, which became standardized as PCI DSS.

What Are The Penalties for Noncompliance?

Since PCI DSS is considered a “standard” rather than a regulation, many merchants incorrectly assume compliance is optional. While noncompliance may not lead to jail time, it does come with consequences that can lead to business failure.

Card brands and acquiring banks can, at their discretion, fine noncompliant merchants anywhere from $5,000 to $100,000 per month for a violation. For a small retailer, these fines can end business operations. While large organizations can handle the fees, their bottom lines still suffer.

Who Needs to Be PCI DSS Compliant?

Regardless of your size or industry, any company that accepts, transmits, or stores cardholder data must maintain PCI compliance.

Is PCI Compliance The Same For All Merchants?

The good thing about PCI DSS is that it takes company size into consideration. Using Visa transaction volume over a 12-month period, PCI DSS is split into four different levels to help ease some of the burden on smaller companies.

Visa defines the levels as:

Level 1: Any merchant processing over 6M Visa transactions of any type per year. Visa also notes that if it thinks a merchant poses a large risk, it may decide to make that company a Level 1.

Level 2: Any merchant processing between 1M and 6M Visa transactions of any type per year.

Level 3: Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.

Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, or any merchant processing up to 1M Visa transactions of any type per year.

For a lot of retailers, the important thing to keep in mind is that, under these definitions, online retailers may fall into different tiers from brick-and-mortar retailers.

What Is Cardholder Data?

Cardholder data (CHD) is defined as any personally identifiable information (PII) that links an individual to a credit or debit card. This information includes the primary account number (PAN) in combination with either the cardholder name, expiration date, or service code.

How Do You Define A Cardholder Data Environment (CDE)?

The most difficult part of PCI DSS compliance is scoping your CDE. PCI DSS defines CDE as any system or network that processes, stores, and/or transmits cardholder data or sensitive payment authentication data. Even more broadly, PCI SSC further defines CDE by including any component that connects to or supports this network.

In other words, your CDE includes any network, such as a wireless network, that cardholder data travels through. Additionally, any devices that connect to that network are included. These devices can be employee or corporate laptops, smartphones, and tablets, or more complex hardware such as servers and routers.

What Are Basic Steps to PCI Compliance?

Step 1: Catalog your data assets

Before you can establish policies and procedures, you need to scope your PCI environment. This means determining which networks and systems touch cardholder data, including cellular networks, wireless networks, routers, and terminal and point-of-service systems.

Step 2: Diagram your assets

Identification is only the first step. Once you identify what touches your information, you need to diagram how the data flows across your environment. This includes reviewing the network segmentation necessary to ensure information does not travel from a protected network to an unprotected one.

Step 3: Establish policies, procedures, and controls

Although it’s rare to call a standard “nice,” PCI DSS compliance is nice in that it defines the controls necessary. It not only establishes the need for firewalls and encryption, but it also tells you exactly which encryption methods are acceptable. For example, the standard defines specific cryptographic and encryption methods that fulfill the compliance obligation.

You need to make sure that your internal policies clearly describe the process for changing default passwords and configurations on vendor-supplied software and hardware. PCI DSS specifically requires merchants to change these vendor defaults, since default passwords and configurations act as an easy pathway for attackers to access your systems.

Finally, as of June 30, 2018, card-present POS POI terminal connections are no longer allowed to use SSL/early TLS encryption.
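As an added illustration of the SSL/early TLS cutoff described in step 3 (this is not code from the original post): a server-side context in Python's standard `ssl` module configured the weak way beside the corrected way, plus a small audit function that reports which retired protocol versions a context's configured floor would still admit. The function and constant names are assumptions made for this example.

```python
import ssl

# Protocol versions PCI DSS no longer accepts for card-present POS POI
# terminal connections after June 30, 2018 (SSL and "early TLS").
RETIRED_VERSIONS = (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)
PCI_FLOOR = ssl.TLSVersion.TLSv1_2


def legacy_context() -> ssl.SSLContext:
    """The weak setting: accept every protocol version the OpenSSL build offers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_context() -> ssl.SSLContext:
    """The corrected setting: TLS 1.2 is the lowest version the server will negotiate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = PCI_FLOOR
    return ctx


def accepts_version(ctx: ssl.SSLContext, version: ssl.TLSVersion) -> bool:
    """True if the context's configured floor would let this version negotiate.

    Only the configured floor is inspected; the OpenSSL build itself may
    refuse some of these versions regardless of the floor.
    """
    floor = ctx.minimum_version
    if floor == ssl.TLSVersion.MINIMUM_SUPPORTED:
        return True
    return version >= floor


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Findings a reviewer would raise against this server-side context."""
    findings = []
    for version in RETIRED_VERSIONS:
        if accepts_version(ctx, version):
            findings.append(f"accepts retired protocol {version.name}")
    return findings


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_context()), ("hardened", hardened_context())):
        print(label, audit_context(ctx) or ["no findings"])
```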

Step 4: Continuously Monitor Your CDE Protections

Continuous monitoring of your CDE incorporates not only the review of your controls but also engaging in audits that allow you to prove your controls’ effectiveness. In order to create an effective audit trail, you need to be able to engage in internal and external vulnerability monitoring, proving that external and internal threats cannot degrade the integrity of your data.

This monitoring should also include your vendors. Whether

How ZenGRC can ease the burden of PCI DSS compliance

With ZenGRC, organizations can rapidly deploy a governance system that provides easy-to-read insights. For example, our PCI DSS compliance dashboard allows organizations to review control health at a glance while also listing critical issues facing the organization.

ZenGRC’s ongoing monitoring abilities provide updated, in-the-moment insights enabling organizations to continually respond to changing threats and vulnerabilities in a continuously evolving threat environment. Moreover, organizations can store their penetration test and audit findings on the ZenGRC platform to help enable better cross-enterprise outcomes.

To read about how scoping your PCI DSS compliance can help you better manage your compliance needs, download our ebook, PCI-DSS: Steps to Successful Scoping.
