It’s evident that hacking and online theft have become problematic for retail businesses more than ever. Over the past two years, a variety of major retail brands have been hacked, potentially exposing the private payment information of millions of customers. This includes popular, household names like Macy’s, Best Buy and Forever 21. With the resources of these brands, one would think that they could keep their companies protected from the dangers of cyber attacks, but unfortunately, this does not seem to be the case.
This is of grave consequence as one study suggested that nearly 20% of consumers would stop shopping at a company’s store after just one hack. Another 50% would wait for an extended period before shopping with a business again. This duration could be upwards of a year, by which point a smaller retailer could be dead in the water.
Luckily, there is a framework that has been created to help retailers lower their risk of cyber breach and secure the private credit card data that is passing through their systems. The mandate that enforces this framework is known as PCI compliance. This article was written to help retailers quickly understand PCI compliance, what it is, who needs it, and the options they have available for them to meet compliance requirements.
PCI Compliance Overview
PCI compliance, also commonly known to merchants and retailers as PCI DSS compliance, is a security standard applicable to every business or organization that processes, stores or transmits credit cardholder information. This includes everything from Visa to Mastercard and many more. “PCI DSS” stands for Payment Card Industry Data Security Standard and we’ll go over this standard in more detail later on in this guide.
PCI compliance was first set up and designed in 2004. This was when the different credit card companies banded together to form the Payment Card Industry Security Standards Council, or PCI SSC, in an effort to set standards for security and ultimately protect customers’ payment data from getting into the wrong hands. It is important to note that the council’s guidelines are constantly being updated as hackers find new ways to gain access to retailer networks and as cybersecurity standards and technologies evolve. The latest version, PCI DSS v3.2.1, was released in May 2018.
Who PCI Compliance Applies To
Many retail business owners mistakenly believe that only certain companies and sectors need to be PCI compliant. Individual credit card companies tend to have their own levels and standards for compliance, but PCI compliance is the common standard that they all follow. As such, if your business takes payments by credit card, then you do need to be PCI compliant. This includes virtually any e-commerce business, many retail stores operating online, and any company accepting payments using credit cards. If retailers want to process, store, or transmit credit card data, PCI compliance is a must.
However, it’s worth noting that in many countries, including the United States, PCI DSS is not law, although some laws do refer to it directly. In some states, such as Nevada, Washington, and Minnesota, PCI compliance has been incorporated into law. Where it is still not legally required, it shields any business that suffers a breach from liability.
Retailers also need to know that the requirements to reach PCI compliance apply to all merchants. This doesn’t change based on the volume of transactions or the size of the business. Essentially, this means that small businesses are held to the same standards as large corporations.
Penalties for Non-Compliance
If retailers choose to take credit card information without being PCI compliant, then they are leaving their business open to cyber breaches and significant financial risk. Retailers can face large fines that can put a substantial dent in their bottom line. Fines can be as high as $100,000, and the impact of negative press and word-of-mouth can also be damaging. The fines that a retailer pays will depend on the volume of data affected and the specific PCI compliance requirements that were violated.
PCI DSS Compliance Requirements
The PCI Data Security Standard (PCI DSS) is the global security standard for all merchants and retailers. This standard is based on 12 requirements from 6 goal categories and all must be met in order to achieve compliance. These requirements are as follows:
- Build and Maintain a Secure Network and Systems
  - Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  - Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect Cardholder Data
  - Requirement 3: Protect stored cardholder data
  - Requirement 4: Encrypt transmission of cardholder data across open, public networks
- Maintain a Vulnerability Management Program
  - Requirement 5: Protect all systems against malware and regularly update antivirus software and programs
  - Requirement 6: Develop and maintain secure systems and applications
- Implement Strong Access Control Measures
  - Requirement 7: Restrict access to cardholder data by business need-to-know
  - Requirement 8: Identify and authenticate access to system components
  - Requirement 9: Restrict physical access to cardholder data
- Regularly Monitor and Test Networks
  - Requirement 10: Track and monitor all access to network resources and cardholder data
  - Requirement 11: Regularly test security systems and processes
- Maintain an Information Security Policy
  - Requirement 12: Maintain a policy that addresses information security for all personnel
These are summaries of each section of the PCI DSS v3.2.1 documentation. For a complete breakdown of the requirements, please see the full document.
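A large share of Requirement 3 work in practice is finding cardholder data that has leaked into places it was never meant to be stored, such as application logs, and masking it. The following is an added example written for this article; it is not code from the PCI SSC or from the article’s author. It scans a few constructed log lines for digit runs that look like a primary account number (13 to 19 digits that pass the Luhn check) and replaces each hit with a first-six/last-four mask, which is the maximum PCI DSS v3.2.1 Requirement 3.3 permits to be displayed. The sample log lines, the card numbers (the publicly known 4111… and 5555… test numbers) and the order and telephone numbers are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit (so we never start mid-number).
_PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")

# Constructed sample log lines for the example (not real traffic).
# Line 1 holds a 16-digit order id that fails the Luhn check; lines 2 and 3 hold
# well-known test card numbers; line 4 holds a 10-digit telephone number.
SAMPLE_LOG = """\
2024-03-02T10:15:01Z checkout order=1234567890123456 status=ok
2024-03-02T10:15:02Z DEBUG gateway request card=4111111111111111 exp=12/26
2024-03-02T10:15:03Z support note: customer read back 5555 5555 5555 4444
2024-03-02T10:15:04Z callback tel=5550100123 result=queued
"""


def luhn_ok(digits: str) -> bool:
    """True if the digit string satisfies the Luhn check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the most Req. 3.3 allows on display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    line_no: int      # 1-based line number in the scanned input
    masked_pan: str   # the PAN as it should be reported (never the full value)


def scan_for_pans(lines):
    """Return (findings, redacted_lines) for an iterable of log lines.

    A digit run is treated as a PAN only if it passes the Luhn check; other
    long numbers (order ids, timestamps) are left untouched.
    """
    findings = []
    redacted = []
    for line_no, line in enumerate(lines, start=1):
        def _replace(m):
            digits = re.sub(r"[ -]", "", m.group(0))
            if not luhn_ok(digits):
                return m.group(0)           # not a card number: leave as-is
            masked = mask_pan(digits)
            findings.append(Finding(line_no, masked))
            return masked
        redacted.append(_PAN_CANDIDATE.sub(_replace, line))
    return findings, redacted


if __name__ == "__main__":
    found, clean = scan_for_pans(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"line {f.line_no}: PAN found, masked as {f.masked_pan}")
    print("\n".join(clean))
```

The Luhn check is a heuristic: it rejects most random digit runs but will occasionally pass one, so a hit is a lead for the gap analysis rather than proof of stored cardholder data. A hit that is confirmed means the application is writing PANs to a location that is now in PCI DSS scope, and the fix is to stop the logging at the source, not only to redact the files after the fact.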
Options Available to Retailers for Compliance
Retailers have two options available to them when meeting PCI compliance requirements. They can either take the Do-it-Yourself approach or hire an IT services company that specializes in IT services for retail customers and has experience with PCI compliance.
Option 1: The Do-it-Yourself Approach
Many large retailers have the resources and staff on hand (such as an internal IT department) to meet the compliance requirements above on their own. Most IT departments will have the knowledge to implement the security standard outlined above. To confirm that compliance is met, the PCI Security Standards Council has made available a Self-Assessment Questionnaire, which includes a series of Yes/No questions for each applicable PCI DSS requirement.
Option 2: Outsource to a Managed IT Services Company
Many retailers, even those with internal IT departments, opt to outsource their PCI compliance requirements to a Managed Service Provider (MSP) that offers IT services for retail customers. They choose to do this because they either don’t have the resources and expertise, or they’re concerned about pulling their current IT staff away for a PCI compliance project. MSPs can not only help their retail customers with the task of complying with PCI DSS, but also offer many benefits that extend far beyond PCI compliance. These include IT support, cloud-hosted solutions, IT infrastructure design and maintenance, cybersecurity, and much more. An MSP will manage and maintain all aspects of a retailer’s IT infrastructure and ensure that their technology is functioning at its optimal level while minimizing downtime, so the retailer can focus on their business and accomplish their goals. For more information about this subject, see our page on Managed IT Services.
While working with an MSP for PCI compliance specifically, the process will look something like this:
Gap Analysis – A qualified MSP will fully understand the PCI security standards that each business needs to meet to become compliant. They will also be aware of the latest changes and updates to these standards and regulations. The MSP will complete a Gap Analysis, a process that documents the current state of the retailer’s IT infrastructure and how it handles data, and then compares it with the standards laid out in the latest version of PCI DSS.
Remediation – The Gap Analysis then serves as a working document for the Remediation phase. The Remediation phase is the actual work that is performed to get the retailer to meet compliance. Based on the findings in the Gap Analysis, remediation may be as simple as a few inexpensive updates, or a complete overhaul or rebuild of the IT infrastructure.
Regular Monitoring and Testing of Networks – A key part of ensuring that a retail business maintains PCI compliance is testing security protocols regularly. A qualified MSP will be able to do this and ensure that there are no issues that could cause a retailer to fail a compliance audit or potentially leave them liable for a security breach. MSPs can complete this testing on a regular basis and even on a set schedule. In doing so, retailers can rest assured that their business is always in compliance with the latest cybersecurity standards.
Reaching Out for Help
On its surface, PCI compliance has a list of 12 broad standards that an organization must comply with. Yet under the surface there are more than 200 subdivisions that may or may not be relevant to your specific business. Achieving and maintaining PCI DSS compliance can be a complex process for any size business, with or without an IT department. Knowing when to reach out to a specialized company is the key.
If you are a retailer who has questions about its handling of cardholder information, or need assistance with becoming PCI compliant and showing proof of compliance, please give us a call at (832) 910-9222 or sign up for a free PCI compliance assessment.