If you have a retail business, you’ll need to ensure that you provide the products as well as an ideal payment method for your customers. As technology advances, more people are embracing online shopping and the use of alternative payment methods. As such, the retail industry should find payment processing solutions to ease their work and enhance the growth of their outlets.
Also, if you’re a merchant planning to invest in a payment processing system, you need to familiarize yourself with the requirements of the Payment Card Industry Data Security Standard (PCI DSS).
PCI Compliance by Retail Stores
What does PCI DSS Stand for?
PCI DSS is the Payment Card Industry Data Security Standard, first released in 2004 to curb the rise in payment card fraud and identity theft of the early 2000s. The five major payment card brands, American Express, Discover Financial Services, JCB International, MasterCard, and Visa, developed the PCI DSS to set a single baseline of security controls for everyone who handles cardholder data, and in 2006 they formed the PCI Security Standards Council to maintain it.
Penalties for Non-Compliance
PCI DSS is an industry standard rather than a law, which leads many merchants to assume that compliance is optional. Non-compliance will not send you to jail, but it is a contractual obligation to your acquiring bank, and failing it carries a significant risk to your business.
The card brands and acquiring banks are at liberty to fine non-compliant merchants, and the acquirer normally passes those fines through to the merchant. Commonly cited figures start at around $5,000 per month and can reach $100,000 per month, on top of forensic investigation costs, higher transaction fees, and the risk of losing the ability to accept cards at all. For a small retailer, fines on that scale can end the business.
Who Needs to Be PCI DSS Compliant?
Every business that accepts, processes, stores, or transmits cardholder data must comply with the standard, regardless of its size or industry. Compliance protects customers and investors alike, although it reduces risk rather than guaranteeing security.
Is the PCI Compliance the Same for All Merchants?
The controls in PCI DSS apply to every merchant, but how you validate compliance depends on your merchant level, which is set by your transaction volume over 12 months. Each card brand publishes its own level definitions; Visa’s, the most commonly cited, are:
- Level 1: Merchants processing more than six million Visa transactions of any type per year. Visa may also place a merchant at Level 1 if it considers the merchant a significantly larger risk, for example after a breach.
- Level 2: Merchants processing between one million and six million Visa transactions of any type per year.
- Level 3: Merchants processing 20,000 to one million Visa e-commerce transactions per year.
- Level 4: Merchants processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants processing up to one million Visa transactions of any type per year.
Level 1 merchants must have an annual on-site assessment by a Qualified Security Assessor (QSA) producing a Report on Compliance; lower levels can usually validate with a Self-Assessment Questionnaire (SAQ) plus quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). What’s crucial for retailers to realize is that, because the definitions count e-commerce transactions separately, an online retailer may fall into a different level from a brick-and-mortar retailer with the same total volume.
What is Cardholder Data?
Cardholder Data (CHD) is, at a minimum, the full primary account number (PAN), together with any of the cardholder name, expiration date, and service code when they are stored with it. PCI DSS treats Sensitive Authentication Data (SAD) separately and more strictly: full magnetic stripe or chip track data, the card verification code (CVV2, CVC2, CID, CAV2), and PINs or PIN blocks may never be stored after authorization, even encrypted. If you store no PAN, the other elements are not cardholder data on their own.
What is a Cardholder Data Environment?
Scoping your cardholder data environment (CDE) remains one of the most challenging parts of PCI DSS compliance. The standard defines the CDE as the people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data. Any system that connects to the CDE, or that could affect its security (domain controllers, monitoring servers, jump hosts, a wireless network the data travels through), is also in scope for the assessment. Devices count too: payment terminals, point-of-sale PCs, and any laptops, tablets, or smartphones that touch card data. The point of segmentation is to shrink that scope to as few systems as possible.
Basic Steps to PCI Compliance
Step 1: Catalog your data assets
Scoping your PCI environment is necessary before you start formulating policies and procedures for your organization. Identify every place cardholder data is stored, processed, or transmitted: point-of-sale and payment terminals, e-commerce servers, databases and backups, application and web-server logs, call recordings, and the network paths between them, including wired, wireless, and cellular links and the routers and firewalls along the way. Data that has leaked into logs or spreadsheets is in scope whether or not you meant to keep it, so a data-discovery scan is part of the inventory, not an optional extra.
Step 2: Diagram your assets
Once the inventory is complete, draw a diagram of how cardholder data flows across your environment, from the terminal or checkout page through to the acquirer and any storage. Use it to review your network segmentation: PCI DSS does not require segmentation, but without it the whole network is in scope, and with it the assessment is confined to the CDE and the systems connected to it. The diagram is also a required deliverable of the assessment, so keep it current.
Step 3: Establishing policies, controls, and procedures
PCI DSS spells out the controls necessary for compliance. It requires network security controls such as firewalls between the CDE and untrusted networks, and it sets rules for protecting stored and transmitted data. Requirement 3 requires that stored PAN be rendered unreadable wherever it is kept, using truncation, one-way hashing (keyed hashes under version 4.0), index tokens, or strong cryptography with documented key management, and that PAN be masked to at most the first six and last four digits when displayed. Requirement 4 requires strong cryptography for any transmission over open, public networks. The standard does not prescribe one algorithm; it defers to current industry standards such as those from NIST for what counts as strong.
Ensure that your internal policies clearly articulate the process for changing vendor-supplied default passwords and configurations on software and hardware before it goes into service (Requirement 2). Default credentials and unneeded services are an easy pathway for attackers, so merchants must harden each component rather than run it as shipped. Also, since June 30, 2018, SSL and early TLS (TLS 1.0) are no longer acceptable as security controls for protecting cardholder data; the one exception is for card-present POS POI terminals and their termination points that have been verified as not susceptible to known SSL/early TLS exploits.
Step 4: Continuous Monitoring of Your CDE Protection
Compliance is a continuous state, not an annual event. Review your controls regularly and engage audits to prove they remain effective. Requirement 11 sets the minimum cadence: quarterly internal vulnerability scans, quarterly external scans by an Approved Scanning Vendor, penetration testing at least annually and after significant changes, and re-scanning until every high-risk finding is fixed. Monitoring and alerting on CDE logs (Requirement 10) is what shows an assessor, and you, that a compromise would be noticed rather than discovered months later by the card brands.
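The data-discovery part of Step 1 and the "render PAN unreadable" controls of Step 3 come down to a few concrete operations: recognising a PAN in arbitrary text, masking it to first-six/last-four for display, and keying the hash if you store one. The following is an added example illustrating those operations; it is not code from the original article or from Reciprocity. The log lines are constructed, and the card numbers in them are the publicly documented test numbers (4111..., 3782...), not real accounts.

```python
"""Find, validate and render unreadable primary account numbers (PANs) in text.

Added example; it is not code from the original article or from Reciprocity.
The log lines below are constructed, and the card numbers in them are the
publicly documented test numbers (4111..., 3782...), not real accounts.
"""
import hashlib
import hmac
import re

# A PAN is 13 to 19 digits, optionally grouped with spaces or hyphens.
# The look-arounds stop us matching the middle of a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by all card brands."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit, folding >9 back to one digit.
    for idx, ch in enumerate(reversed(digits)):
        d = int(ch)
        if idx % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[tuple[int, str]]:
    """Return (line_number, pan) for every Luhn-valid 13-19 digit number in text.

    Luhn validity does not prove a number is a PAN (an order or tracking id can
    pass by chance), so hits are leads for review, not a verdict; a Luhn failure
    does rule a candidate out.
    """
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in _PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                hits.append((line_no, digits))
    return hits


def mask_pan(pan: str) -> str:
    """Mask to first six and last four digits, the most PCI DSS permits to display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Render a PAN unreadable for storage with a keyed hash (HMAC-SHA-256).

    An unkeyed hash is not enough: once the BIN is known, only about 10^9
    Luhn-valid 16-digit PANs remain, which is brute-forced in minutes.
    PCI DSS v4.0 (Requirement 3.5.1.1) therefore requires keyed cryptographic
    hashes of the full PAN, and the key must be managed like any other
    encryption key (hypothetical key handling is left to the caller here).
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form (logs, tickets, exports)."""
    def _sub(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return _PAN_CANDIDATE.sub(_sub, text)


# Constructed sample: three lines as a chatty point-of-sale / checkout service might log them.
SAMPLE_LOG = """\
2024-03-01T10:14:02Z pos-term-07 AUTH approved pan=4111111111111111 exp=12/26 amount=42.10
2024-03-01T10:15:33Z web-checkout-2 charge card="3782 822463 10005" name="A. Smith" cvv=123
2024-03-01T10:16:01Z web-checkout-2 tracking_no=1234567812345678 status=shipped
"""

if __name__ == "__main__":
    for line_no, pan in find_pans(SAMPLE_LOG):
        print(f"line {line_no}: PAN found, display form {mask_pan(pan)}")
    print(redact(SAMPLE_LOG))
```

Run against the sample, the scanner flags lines 1 and 2 (the spaced Amex number is caught because separators are stripped before the Luhn check) and leaves the 16-digit tracking number on line 3 alone because it fails Luhn. Note the `cvv=123` on line 2: that is sensitive authentication data that may never be stored after authorization, and no pattern can reliably pick a three-digit value out of a log, which is why the fix for SAD in logs is a logging policy and code review, not a scanner.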
Ken Lynch is an enterprise software startup veteran who has always been fascinated by what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.