If you want to grow your retail business, you need a product and an easy-to-use payment method for your customers. As more people shop online and fewer pay with cash, the retail industry needs to focus on payment processing solutions that simplify the job. However, as a merchant looking to buy a payment processing system, you also have to learn about the Payment Card Industry Data Security Standard (PCI DSS) and what compliance with it requires.
Retail Store PCI Compliance
What does PCI DSS mean?
With the rise of identity theft in the early 2000s, five of the world's leading payment card brands, Visa, Inc., MasterCard, JCB International, American Express and Discover Financial Express, joined forces to establish the Payment Card Industry Security Standards Council (PCI SSC). The organization's goal was to produce a set of standards for the processing of card payments that would protect both their customers and themselves.
The PCI SSC ultimately established a set of best practices for safeguarding cardholder information, which is now known as PCI DSS.
What Penalties accompany Noncompliance?
PCI DSS is a standard rather than a regulation, so many merchants make the mistake of assuming that compliance is optional. Although noncompliance does not lead to jail time, it carries consequences that can cause a business to fail.
At their discretion, card brands and acquiring banks fine non-compliant merchants anywhere from $5,000 to $100,000 per month for each violation. For a small retailer, fines of that size can force the business to close. Large organizations can absorb the fines, but their bottom lines still suffer.
Who needs to be PCI DSS Compliant?
Regardless of industry or company size, any business or entity that accepts, transmits or stores cardholder data must be PCI DSS compliant.
Is PCI Compliance Similar for All Merchants?
The advantage of PCI DSS is that it takes a company's size into account. Using a merchant's Visa transaction volume over one year, PCI DSS sorts merchants into four levels, which lifts some of the burden from small entities.
Visa defines the levels as:
- Level 1: Any merchant that processes more than 6 million Visa transactions of any type per year. Visa also reserves the right to place any merchant it considers a significant risk at Level 1.
- Level 2: Any merchant that processes between 1 million and 6 million Visa transactions per year.
- Level 3: Any merchant that processes between 20,000 and 1 million Visa e-commerce transactions per year.
- Level 4: Any merchant that processes fewer than 20,000 Visa e-commerce transactions per year, or one that processes up to 1 million Visa transactions per year in total.
The vital thing for retailers to bear in mind is that, under these definitions, an online retailer may not land in the same level as a brick-and-mortar retailer with the same sales volume.
What does Cardholder Data mean?
Cardholder data (CHD) is any personally identifiable information that links a person to a debit or credit card. It consists of the primary account number (PAN), either on its own or together with the cardholder name, expiration date or service code.
What is the Cardholder Data Environment?
The most challenging part of PCI DSS compliance is scoping your cardholder data environment. PCI DSS defines the CDE as any network or system that stores, processes or transmits cardholder data or sensitive authentication data. The PCI SSC's definition also includes every system component that supports or connects to that network.
Basic Steps for PCI Compliance
Step 1: Document your Data Assets
Before writing policies and procedures, you must scope your PCI environment. That means identifying every network and device that touches cardholder data, including routers, cellular and wireless networks, and point-of-sale terminals and systems.
Step 2: Put your assets in a Diagram
Identification is only the first step. Once you know what accesses your information, diagram how data flows through your environment. This involves reviewing your network segmentation to ensure that information transmitted between a protected and an unprotected network is protected.
Step 3: Create policies, controls, and procedures
The good thing about PCI DSS is that it spells out the required controls. Beyond stating that you need encryption and firewalls, it tells you which encryption techniques are acceptable.
Your internal policies must describe how to change default configurations and passwords, particularly on vendor-supplied hardware and software. PCI DSS requires merchants to replace these vendor defaults so that they cannot be used to gain unauthorized access to your systems.
Step 4: Constantly Monitor CDE Protections
Continually monitoring your CDE means reviewing your controls and taking part in audits that verify those controls are effective. It also means monitoring your vendors, because an insecure CDE on a vendor's side of your operations can expose you to a range of risks.
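Scoping the CDE (Step 1) starts with finding where cardholder data, as defined above, actually ends up. The following added example (not code from the original article or from Reciprocity) scans constructed sample log lines for primary account numbers, uses the Luhn checksum to separate real PANs from other digit runs such as order ids, reports which logging system is therefore in scope, and masks each PAN to first six/last four, the most PCI DSS permits to be displayed. The log format and system names are assumptions.

```python
import re
# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines (the PANs are public test numbers, not real card data).
SAMPLE_LOG = """\
2024-03-01 10:15:02 pos-terminal-3 auth ok card=4111111111111111 exp=12/26 amount=42.10
2024-03-01 10:15:09 web-checkout order=1234567890123 status=captured
2024-03-01 10:16:44 web-checkout card=5555 5555 5555 4444 name=J. Doe amount=19.99
"""

def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by card numbers; weeds out order ids and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep first six and last four, the most PCI DSS allows when a PAN is displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def _as_pan(match_text: str):
    digits = re.sub(r"[ -]", "", match_text)
    return digits if 13 <= len(digits) <= 19 and luhn_valid(digits) else None

def find_pans(text: str):
    """Return (line_no, logging_system, masked_pan) for each Luhn-valid PAN found."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        system = fields[2] if len(fields) > 2 else "unknown"  # assumed log layout
        for m in PAN_CANDIDATE.finditer(line):
            digits = _as_pan(m.group(0))
            if digits:
                hits.append((line_no, system, mask_pan(digits)))
    return hits

def systems_in_scope(text: str) -> set:
    """Any system that wrote a PAN to this log is part of the cardholder data environment."""
    return {system for _, system, _ in find_pans(text)}

def redact(text: str) -> str:
    """Replace every Luhn-valid PAN with its masked form before the log leaves the CDE."""
    def repl(m):
        digits = _as_pan(m.group(0))
        return mask_pan(digits) if digits else m.group(0)
    return PAN_CANDIDATE.sub(repl, text)
```

Note that the 13-digit order id on the second line is not reported because it fails the Luhn check, while both test card numbers are found and attributed to their logging systems.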
Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.