Retail Technology, Retail technology News

Eight steps for successful PCI compliance

Tuesday December 6 2011

The exponential growth of data within retail comes not only with greater challenges but also increased responsibility, argues Rodolphe Simonetti, IT communications and security expert

Many retailers view data as power – a tool to help understand their customers and, ultimately, improve sales. However, Rodolphe Simonetti from Verizon Business said that the more customer data they store, the more exposed they are to potential data breaches and vulnerabilities.

Payment data compliance challenges

“Our own research found that most businesses that accept credit and/or debit cards struggle to achieve and maintain compliance with the Payment Card Industry Data Security Standards (PCI DSS),” he said. “In fact, the report found that only 21% of organisations were fully compliant during the initial audit. As a result, they are at greater risk of losing confidential customer information and falling victim to credit card fraud.”

Retailers also face pressure from their partners and customers to demonstrate continued compliance. “Most importantly, non-compliant organisations are more likely to be breached and suffer from identity theft and fraud issues. As such, it’s vital that retailers take measures to ensure they achieve a high level of success throughout the PCI compliance assessment and beyond,” he added.

Taking simple security steps

Simonetti said some simple steps are:

1. Start early! For the best chance of success, retailers should begin the compliance journey as soon as they decide to accept payment cards or explore a new acceptance channel.

They then need to adopt a prioritised approach to PCI DSS, which will vary from one retailer to another. For example, a larger organisation may place higher priority on requirements that impact their point-of-sale (PoS) network; a smaller online-only retailer might put more emphasis on e-commerce security.

2. Limit the scope. Retailers should segregate the cardholder data environment by implementing firewalls between different network subnets. The twelve requirements of PCI DSS apply to all system components, which are defined as any network component, server, or application that is included in or connected to the cardholder data environment. If the subnets are not adequately segregated, the organisation’s entire network can fall into scope for the PCI DSS assessment.

3. If you don’t need it, don’t store it! It’s vital to evaluate what data is needed, and understand how it flows throughout the business. It is also important to know what qualifies as cardholder data and, consequently, what needs to be protected and what is prohibited from storage. For example, ‘sensitive authentication data’ is not permitted to be stored post authorisation, even if encrypted or hashed. However, some retailers mistakenly believe that storing this data post authorisation is required for certain business purposes, such as posting recurring transactions on behalf of the customer, avoiding payment disputes or handling chargebacks. In reality, there is no reason to store such data post authorisation, as none of these scenarios requires resubmission of sensitive authentication data.

4. Remember your original security objectives. A compliance ‘checklist’ or an off-the-shelf tool can provide a retailer with a quick and verifiable methodology for achieving its security objective, but such a checklist or tool may paint a rosier picture than the reality. So while a checklist is always useful, it is much more important to also apply judgment to determine whether the efforts invested really match the ultimate objective of the requirement.

5. Involve all stakeholders. PCI DSS compliance is not only an IT project – it touches all parts of the business, and involvement from all stakeholders should be secured upfront. The project team should include representatives from all functional groups – information security, business operations, administration, human resources (HR) and IT. The active engagement of these functions has a crucial role to play in driving and maintaining PCI compliance.

6. Don’t be complacent. PCI DSS is devised, maintained, and enforced specifically to protect payment card data, and requires special attention and focus. The level of detail that goes into the PCI DSS can be overwhelming. The standard leaves little scope for flexibility and may require changes to business practices or technology. Organisations should therefore always pay specific attention to the detail required when embarking on a PCI DSS project.

7. Vendor compliance is also key. In the journey towards PCI DSS compliance, retailers sometimes forget about the respective compliance of their vendors/service providers. PCI DSS requires all controls to be met to achieve compliant status. It is therefore crucial that the compliance status of vendors/service providers is taken into consideration if they are involved with the data handling process. Even when work involving cardholder data is transferred to these organisations, accountability still lies with the retailer.

8. Document everything! Retailers looking to achieve PCI DSS compliance should remember one final mantra: document what you do, and do what you document. PCI DSS requirements strongly emphasise evidence of documentation and of implementation effectiveness. These two fundamental requirements are only achievable if a business documents all implemented controls and maintains implementation of controls as documented throughout the entire process.
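Step 3 depends on knowing which fields are sensitive authentication data and keeping them out of storage. The following is an added example, not code from the article or from Verizon Business: a Python routine that reduces an authorisation request to the record a retailer may keep post-authorisation (masked PAN, no CVV or track data), plus a Luhn-filtered scan for full card numbers that have leaked into logs, the kind of data-flow check step 3 calls for. The field names and the sample request and log line are assumptions constructed for the example.

```python
import re
# PCI DSS "sensitive authentication data" (SAD): never storable post-authorisation,
# even encrypted or hashed. Field names below are assumptions for this example.
SENSITIVE_AUTH_FIELDS = {"track1", "track2", "cvv2", "pin_block"}
# Account data that may be kept post-authorisation (PAN only in masked form).
STORABLE_FIELDS = {"expiry", "cardholder_name", "auth_code", "amount", "merchant_ref"}

def luhn_valid(digits: str) -> bool:
    """Luhn check digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def storable_record(auth_request: dict) -> dict:
    """What may be persisted after authorisation: masked PAN, SAD dropped (not encrypted)."""
    record = {k: v for k, v in auth_request.items() if k in STORABLE_FIELDS}
    record["pan_masked"] = mask_pan(auth_request["pan"])
    return record

def prohibited_fields(stored: dict) -> set:
    """SAD fields present in a record that is already in storage."""
    return SENSITIVE_AUTH_FIELDS & set(stored)

# 13-19 digit runs, optionally space/dash separated, not adjacent to other digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_pans(text: str) -> list:
    """Scan free text (logs, dumps) for Luhn-valid digit runs: evidence that card data
    reaches stores the data-flow review missed. Luhn filters most order ids/timestamps."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found

# Constructed sample data: the well-known 4111... test PAN and made-up CVV/track values.
SAMPLE_AUTH = {"pan": "4111111111111111", "expiry": "1225", "cardholder_name": "A CUSTOMER",
               "cvv2": "123", "track2": "4111111111111111=25121011234567890123",
               "amount": "19.99", "merchant_ref": "ORD-42", "auth_code": "A1B2C3"}
SAMPLE_LOG = "2011-12-06 pos01 order=1234567890123456 pan=4111 1111 1111 1111 cvv=123 APPROVED"
```

Running `find_pans(SAMPLE_LOG)` reports only the card number, since the 16-digit order id fails the Luhn check, and `prohibited_fields(storable_record(SAMPLE_AUTH))` is empty while `prohibited_fields(SAMPLE_AUTH)` names the CVV and track fields that must not reach disk.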

Simonetti concluded: “The bar is constantly being raised and, only last year, the PCI Security Standards Council announced PCI DSS version 2.0. More are sure to follow and will likely require a more stringent executive summary and validation of methodology for scope definition. The reality is that retailers, many of which are having severe issues complying with the existing standards, need to quickly get ready for this new version.”