Understanding PCI compliance
November 05, 2014

As a retailer, the ability to accept credit card payments is not something that is simply implemented. In a time of data breaches and security concerns for consumers, brick-and-mortar stores have a great need to show confidence that people's sensitive information is not being compromised and used for malicious purposes. The Payment Card Industry is looking to address that problem as fast as it can while the EMV transition continues slowly. One way this is being done is by creating security standards that retailers are expected to comply with. Being able to demonstrate compliance on card security will make consumers more trusting of physical storefronts.

A new set of standards
The PCI Security Standards Council created the Data Security Standard in 2008 to address increasing concerns about consumer data being compromised or stolen by cybercriminals. The SSC is helmed by the leading credit card networks, including Visa, MasterCard and Discover, which gives it the ability to enforce the standard. The DSS, which was last updated in November 2013, applies specifically to any company that stores or processes card data. In other words, any merchant or store that accepts debit card payments must comply with the PCI DSS.

Complying with PCI DSS is a three-step process. The first step is assessing the data security situation at the store, in particular how the business stores card data. The second step is remediation: any vulnerabilities the assessment uncovers must be fixed as soon as they are found. The third step is reporting: the retailer must regularly report on how it handles customer data and whether there have been any attempts to breach its security.

There are 12 requirements in the PCI DSS that retailers must follow, grouped into six goals. The first group is building and maintaining a secure network for the transmission of card data, which means installing a firewall on the store's network and replacing the hardware factory defaults with unique passwords and security parameters. The second group is protecting stored cardholder data and encrypting data transmissions over open, public networks. The next group covers vulnerability management: updating anti-virus software regularly and developing and maintaining secure systems and applications. Strong access control measures also need to be in place, such as restricting employee access to cardholder data to those who need it, making sure each person has a unique ID, and limiting physical access to card data. With all these requirements, the retailer must then monitor all access to the network and cardholder data and test its security controls regularly. Finally, the company must maintain an information security policy that ensures everyone knows what is at stake in complying with PCI.
