
Protecting merchandise and securing the brick-and-mortar structure of an outlet have always been the overriding security concerns for retailers of all stripes. Not until recently have merchandisers had to also consider and begin looking after the welfare of their customers’ sensitive data and information. It represents yet another responsibility — and investment — in an industry that isn’t exactly known for its surplus resources and comfortable margins.
Which is why the recent release of the Payment Card Industry Data Security Standard (PCI DSS) v4.0 has been such a cause for concern among retailers in recent months. The new compliance parameters, outlined by the PCI Security Standards Council, are designed to regulate security standards and guidelines that protect the processing, storage and transmission of customer credit and debit card information. Today, a snatch-and-grab from the floor rack of a 10,000-foot space may be the least of a business’ worries. Now it’s the potential cyber theft and fraud of 10,000 or even 10 million online consumers.
Given PCI DSS’ significance in safeguarding card-carrying customers, retailers should welcome the new standards. That doesn’t mean, however, that they fully understand them. What do retailers need to know about the new payment card standards, and how will they affect the industry in the days ahead?
What Are the Changes Retailers Need to Know?
The full compliance details of PCI DSS v4.0 are more complex than we can outline here, but retailers should immediately familiarize themselves with a few major changes and the broad strokes of the new payment card security standards. Here’s a quick primer on its most significant aspects:
- Multifactor authentication (MFA) requirement: Previously, MFA was required only for administrative access to the cardholder data environment. The new standards require MFA implementation for anyone with access to that environment. It’s a big change for most retail organizations. Many data breaches are the result of phishing scams and the compromising of password information, so adding multifactor authentication across the board — although an inconvenience in some cases — helps button up what had been one of the biggest weaknesses in retail payment-card security infrastructure.
- Firewall for public-facing web applications: All public-facing e-commerce homepages and shopping interfaces now require a web application firewall, which is designed to filter out the scripts and skimming scams by which a hacker injects code and can potentially track, read and save any data consumers enter into web forms. It adds another layer of protection.
- Information security awareness: Arguably the most significant change in the new standards, information security awareness will be a challenge for many retailers — though a worthy undertaking. A large number of requirements under the new PCI DSS focus on the development of new policies that create a culture of heightened organizational security, a strategy that's arguably more critical to preventing cyberattacks than any tools or tech stack.
A Customized Retail Cybersecurity Approach?
A notable inclusion in PCI DSS v4.0 is the option for a customized approach rather than a prescribed, one-size-fits-all requirement structure. Under previous compliance standards, certain requirements didn’t fit every business. Accounting for these differences, the new standards allow for a customized approach. However, more flexible doesn't necessarily mean easier. A custom strategy will require more documentation, a heavier gap analysis and more rigorous risk assessments. It would also require meeting with a qualified security assessor to ensure compliance, all of which makes it a better fit for larger retailers (which often have dedicated security teams).
Whatever the payment card security strategy, compliance needs and organizational standards may be for a given company, the No. 1 concern for retailers figures to be cybersecurity infrastructure planning. A third-party managed SOC can help organizations with the planning and deployment of everything from risk assessment to penetration testing to resource allocation to policy enactment. PCI DSS v4.0 doesn’t have to be a mystifying puzzle to solve or an impossible challenge to overcome; rather, it's a guideline that, with the help of an expert partner, ensures the protection of your customers’ sensitive data and your organization’s security and reputation.
Ven Auvaa is director of information security at accredited cybersecurity firm ArmorPoint.

Ven Auvaa, director of information security at accredited cybersecurity firm ArmorPoint, has a decade of experience helping organizations across industries, including retail, maintain best-in-class cybersecurity and information security practices.