PCI DSS: A Guide to Compliance for Retailers

As e-commerce grows, retailers continue to be a prime target for cyber attacks due to the higher volumes of personally identifiable information (PII) and payment card information (PCI) being handled. This data can be sold, used and exploited by malicious actors for potential financial or personal gain. With retail sales fluctuating year-over-year, customer trust and brand loyalty is a business imperative that's highly dependent on the proper data security safeguards.

PCI Compliance Overview

The Payment Card Industry Data Security Standard (PCI DSS) is a global security requirement for any organization that processes, stores or transmits credit cardholder information. However, compliance to the global security requirements has declined for the third year in a row, with only 30 percent of businesses achieving compliance in 2020, according to Verizon’s Payment Security Report.

These requirements can impact every aspect of a business that directly or indirectly interacts with card payments. These include back-office processes such as accounting, reconciliation, refund and chargeback handling procedure — both the point-of-sale hardware and software in use — all the way to the PIN pad you insert your credit card into. Under the current PCI DSS, any organization that handles PCI must:

• build and maintain a secure network and systems;
• protect cardholder data;
• maintain a vulnerability management program;
• implement strong access control measures;
• regularly monitor and test networks; and
• maintain an information security policy.

The 4 Tiers to PCI DSS

There are four levels of PCI DSS compliance depending on the annual volume of card payment transactions that a business or its group processes. While every retail business must adhere to PCI standards, the amount of validation and level of compliance needed will fall into one of the following levels:

• Level 1: Applies to merchants and processors processing at least 6 million transactions annually. A level 1 PCI organization is required to undergo an on-site assessment annually, which is to be conducted by a Qualified Security Assessor.
• Level 2: Retailers processing 1 million to 6 million annual payment card transactions.
• Level 3: Retailers processing between 20,000 and 1 million transactions annually.
• Level 4: This lowest level is for businesses that process less than 20,000 annual payment card transactions.

How Retailers Can Meet PCI Compliance Requirements

• Conduct a gap analysis. Aside from remaining up-to-date on the PCI DSS compliance landscape, an immediate action any retailer can take is conducting a gap analysis. This process involves a detailed discovery of all cardholder data hiding across the entire network. It assesses the current state of risk and compliance as it relates to PCI DSS, as well as records how data is being collected, handled and stored.
• Train employees. Unless an organization is sharing customer data with a third party, its employees are its first line of defense and the gatekeepers of company data. Training employees across each team on proper handling and storage practices is a great first step to building a security strategy. Hiring someone to spearhead training initiatives, like a chief data officer, is also something organizations of any industry should consider.
• Utilize technology. Although employee engagement is a pivotal start to compliance, don’t charge employees as the sole accountant for maintaining and understanding compliance. Take advantage of available technology to automate monitoring and compliance, including regular card data discovery scanning. A purpose-built PCI discovery tool can help an organization become more efficient in identifying all data stored in its systems and guide it in taking the right steps towards PCI DSS compliance.
• Be prepared in the case of a data breach. With the growth of cybercrime, data breaches aren't unique. An organization should have a crisis plan intact regarding how to mitigate future risk and communicate the incident to stakeholders. It's generally a good practice to be transparent with employees and customers to salvage their trust. Visa offers a clear set of procedures to follow in the event of a data breach being suspected or confirmed.

Final Thoughts

With a new PCI DSS 4.0 update expected to arrive in mid to late 2021, it’s clear that meeting compliance standards isn't a once-off project. It’s an evolving ecosystem of regulations that adapt to new forms of data as they're created and shared. The sooner organizations embrace compliance requirements and take steps to protect consumer data, the sooner it will become core to the organization's culture and business practice.

Stephen Cavey is the co-founder and chief evangelist at Ground Labs, a company that enables organizations to discover and remediate all of their data across multiple types and locations — on servers, on desktops and in the cloud.