What Retail Companies Should Know About PCI DSS

Contributed by Ken Lynch

You may have the best product, but a complicated payment method scares customers away. With the current shift from the cash systems to online shopping, the retail companies should learn about payment processing solutions for simplified trading. Are you retailer ready to embrace the payment processing system? Learn about Payment Card Industry Data Security Standard (PCI DSS) compliance.

Retail Store PCI Compliance

What is the Payment Card Industry Data Security Standard (PCI DSS)?

Due to increased cases of identity theft in the early 2000s, the top five payment card companies JCB International, MasterCard, American Express, Discover Financial Services, and Visa Inc merged to establish the Payment Card Industry Security Standards Council (PCI SSC).

PCI SSC was to govern payment processing while protecting their clients and businesses. Consequently, the organization established PCI DSS to safeguard information.

What Are The Penalties for Non-Compliance?

Consider complying with the PCI DSS. Though non-compliance will not land you in jail, the decision will adversely affect your business.

To enforce compliance, acquiring banks and card brands are imposing non-compliance fines on retailers. The penalties range from $5,000- $100,000 monthly for each violation. For your startup, such hefty fines push you out of business while large firms also feel the pinch.

Who Needs to Be PCI DSS Compliant?

Does your business accept, store, or transmit, cardholder data? Then you must be PCI DSS compliant.

Is PCI Compliance The Same For All Merchants?

Thankfully, PCI DSS considers your business size based on your annual visa transactions volume. Hence, you belong in one of the following four PCI DSS levels;

1. A merchant who processes over six million Visa transactions annually or one with high-risk levels
2. Any retailer whose annual visa processing transactions range between 1M to 6M irrespective of the type of visa
3. Any merchant who processes a total of 20,000 to 1M e-commerce visa transactions annually
4. A merchant who processes below 20,000 visa e-commerce transactions yearly or any merchant with 1M any visa transactions annually.

Your company falls in different tiers such as brick and mortar retailers based on the definition.

How Do You Define Cardholder Data (CHD)?

CHD is any personally identifiable information (PII) associating you to your debit or credit card. Such information comprises of your primary account number (PAN) together with your cardholder name, service code, or expiration date.

What is A Cardholder Data Environment (CDE)?

Scoping your CDE is the trickiest part of PCI DSS compliance. According to PCI DSS, CDE is a network or system which stores, processes or transmits sensitive payment authentication or cardholder data.  Generally, CDE is inclusive of all components linking to a specific network.

Additionally, your CDE comprises of any networks like the wireless one through which data travels. The definition also accounts for network-connecting devices. Such devices are; the workers’ or corporate Smartphone, tablets, laptops, and sophisticated hardware like routers and servers.

What Are Basic Steps to PCI Compliance?

Step 1: Catalog your data assets

Start PCI compliance by scoping your PCI environment then develop policies and procedures. Ensure you identify all your networks including wireless, cellular, terminal, routers, and point-of-service systems

Step 2: Diagram your assets

After identifying what touches your data, diagram the information flow through your environment. While diagramming, review network segmentation to prevent transmission of information from a protected network to an unprotected one.

Step 3: Establish policies, procedures, and controls

PCI DSS compliance states the necessary controls such as firewalls and encryption while defining the specific, acceptable, encryption methods.

Your internal policies should, therefore, discuss the procedure for modifying configurations and passwords on vendor-supplied hardware and software. PCI DSS requires you to personalize their services since the defaults are easy entry points for cybercriminals into your system.

June 30, 2018, marked an end to card-present POS POI connections terminal using SSL/early, TLS encryption.

Step 4: Continuously Monitor Your CDE Protections

Continually, review and audit your controls to prove your efficacy. Also, monitor both the external and internal vulnerability to establish a reliable audit trail hence protecting your data’s integrity. Additionally, if you approach your compliance with an agile workflow, changes to the framework won’t be as stressful, where instead of scrambling to meet the new requirements, you simply schedule a sprint and update your systems.

Effective monitoring should also involve your service vendors.

• How does the vendor’s platform ease your PCI DSS compliance?
• Can the platform offer you an easy-to-read governance system? Choose a platform that informs you of the critical issues as well as your control health status
• The platform should be up-to-date on the ever-changing threat environment.
• You should be able to store your business’ audit findings, and penetration audits on the platform for improved cross- enterprise output.

Bottom Line

Is your online retail company PCI DSS compliant? You should know the PCI DSS level to which you belong. While you may go Scots free for non-compliance, it may lead to the closure of your business.

Author Bio

Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT.

You May have the best product, but a complicated payment method scares customers away. With the current shift from the cash systems to online shopping, the retail companies should learn about payment processing solutions for simplified trading. Are you retailer ready to embrace the payment processing system? Learn about Payment Card Industry Data Security Standard (PCI DSS) compliance.

Retail Store PCI Compliance

What is the Payment Card Industry Data Security Standard (PCI DSS)?

Due to increased cases of identity theft in the early 2000s, the top five payment card companies JCB International, MasterCard, American Express, Discover Financial Services, and Visa Inc merged to establish the Payment Card Industry Security Standards Council (PCI SSC).

PCI SSC was to govern payment processing while protecting their clients and businesses. Consequently, the organization established PCI DSS to safeguard information.

What Are The Penalties for Non-Compliance?

Consider complying with the PCI DSS. Though non-compliance will not land you in jail, the decision will adversely affect your business.

To enforce compliance, acquiring banks and card brands are imposing non-compliance fines on retailers. The penalties range from $5,000- $100,000 monthly for each violation. For your startup, such hefty fines push you out of business while large firms also feel the pinch.

Who Needs to Be PCI DSS Compliant?

Does your business accept, store, or transmit, cardholder data? Then you must be PCI DSS compliant.

Is PCI Compliance The Same For All Merchants?

Thankfully, PCI DSS considers your business size based on your annual visa transactions volume. Hence, you belong in one of the following four PCI DSS levels;

1. A merchant who processes over six million Visa transactions annually or one with high-risk levels
2. Any retailer whose annual visa processing transactions range between 1M to 6M irrespective of the type of visa
3. Any merchant who processes a total of 20,000 to 1M e-commerce visa transactions annually
4. A merchant who processes below 20,000 visa e-commerce transactions yearly or any merchant with 1M any visa transactions annually.

 

Your company falls in different tiers such as brick and mortar retailers based on the definition.

How Do You Define Cardholder Data (CHD)?

CHD is any personally identifiable information (PII) associating you to your debit or credit card. Such information comprises of your primary account number (PAN) together with your cardholder name, service code, or expiration date.

What is A Cardholder Data Environment (CDE)?

Scoping your CDE is the trickiest part of PCI DSS compliance. According to PCI DSS, CDE is a network or system which stores, processes or transmits sensitive payment authentication or cardholder data.  Generally, CDE is inclusive of all components linking to a specific network.

Additionally, your CDE comprises of any networks like the wireless one through which data travels. The definition also accounts for network-connecting devices. Such devices are; the workers’ or corporate Smartphone, tablets, laptops, and sophisticated hardware like routers and servers.

What Are Basic Steps to PCI Compliance?

Step 1: Catalog your data assets

Start PCI compliance by scoping your PCI environment then develop policies and procedures. Ensure you identify all your networks including wireless, cellular, terminal, routers, and point-of-service systems

Step 2: Diagram your assets

After identifying what touches your data, diagram the information flow through your environment. While diagramming, review network segmentation to prevent transmission of information from a protected network to an unprotected one.

Step 3: Establish policies, procedures, and controls

PCI DSS compliance states the necessary controls such as firewalls and encryption while defining the specific, acceptable, encryption methods.

Your internal policies should, therefore, discuss the procedure for modifying configurations and passwords on vendor-supplied hardware and software. PCI DSS requires you to personalize their services since the defaults are easy entry points for cybercriminals into your system.

June 30, 2018, marked an end to card-present POS POI connections terminal using SSL/early, TLS encryption.

Step 4: Continuously Monitor Your CDE Protections

Continually, review and audit your controls to prove your efficacy. Also, monitor both the external and internal vulnerability to establish a reliable audit trail hence protecting your data’s integrity. Additionally, if you approach your compliance with an agile workflow, changes to the framework won’t be as stressful, where instead of scrambling to meet the new requirements, you simply schedule a sprint and update your systems.

Effective monitoring should also involve your service vendors.

• How does the vendor’s platform ease your PCI DSS compliance?
• Can the platform offer you an easy-to-read governance system? Choose a platform that informs you of the critical issues as well as your control health status
• The platform should be up-to-date on the ever-changing threat environment.
• You should be able to store your business’ audit findings, and penetration audits on the platform for improved cross- enterprise output.

Bottom Line

Is your online retail company PCI DSS compliant? You should know the PCI DSS level to which you belong. While you may go Scots free for non-compliance, it may lead to the closure of your business.

Author Bio

Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT.  Learn more at ReciprocityLabs.com.

 

.