To grow your retail business, you need a product — and just as important, an easy way for customers to pay for your product.
And as ever more people use credit cards rather than cash, and more people shop online rather than in stores, that means retailers must implement payment processing solutions that make electronic transactions easier for the customer to execute.
It also means, however, that retailers must educate themselves on Payment Card Industry Data Security Standard (PCI DSS) compliance.
What are the Types of PCI Compliance Standards?
As identity theft threats rose in the early 2000s, the five major credit card companies (American Express, Discover Financial Services, JCB International, MasterCard, and Visa) banded together to create the Payment Card Industry Security Standards Council (PCI SSC).
The organization then created a set of information security standards governing how to process electronic payments — including how retailers should protect customers’ credit card data, as well as the retailers’ own systems.
The result was a PCI compliance guide of “best practices” for retail service providers to protect point-of-sale (POS) information and prevent data breaches.
Those PCI standards aren’t a one-size-fits-all set of requirements that apply to all retailers equally. So as a first step to comply with PCI standards, it’s essential to understand which type of PCI standard category your business falls into. Then you can move forward more easily with understanding your regulatory and compliance requirements.
The types of PCI standards are as follows:
- PCI DSS (Data Security Standard): PCI DSS is the overall standard that a company must meet to call itself “PCI compliant.” PCI DSS assesses the retailer or organization’s policies, procedures, controls, and software.
- PED (PIN Entry Device) standards: The PCI PED standards apply to companies that manufacture payment devices that accept PINs and sensitive credit card information.
- PA-DSS (Payment Application Data Security Standard): The PA-DSS focuses on the storage and privacy of cardholder data. This standard ensures that the payment processor complies with PCI DSS.
Your Options for Achieving Retail PCI Compliance
The good thing about PCI DSS is that it takes company size into consideration. Using transaction volume over a 12-month period, PCI DSS requirements are split into four different levels to help ease some of the burdens on small businesses with lesser requirements for business needs.
PCI levels of compliance are defined as:
- Level 1: Any merchant processing more than 6 million transactions of any type per year. Credit card companies also warn that if they believe a merchant poses a large risk, they may decide to classify that company as Level 1.
- Level 2: Any merchant processing 1 million to 6 million transactions of any type per year.
- Level 3: Any merchant processing 20,000 to 1 million e-commerce transactions per year.
- Level 4. Any merchant processing fewer than 20,000 e-commerce transactions per year, or any merchant processing up to 1 million transactions per year of any type.
For most retailers, the important thing to keep in mind is that online retailers may be in a different tier from brick and mortar retailers, based on the above definitions.
To demonstrate PCI compliance, Level 1 businesses will need an on-site audit by a Qualified Security Assessor (QSA) or an Internal Security Assessor. If you pass the audit, the assessor will file a Report on Compliance (ROC) with your acquiring bank.
Mid-size and smaller enterprises (Levels 2, 3, and 4) may be able to forgo the audit, and instead complete a self-assessment questionnaire (SAQ) and file an Attestation of Compliance (AOC).
How a Retailer Becomes PCI Compliant
1. Determine your risks
Scrutinize all the PCI requirements and directives, and determine which pertain to your enterprise.
Doing this will take some time, but will pay off in the long run by saving you and your Qualified Security Assessor (QSA) or Internal Security Assessor work come audit time, or as you’re completing your self-assessment questionnaire (SAQ).
You can find these questionnaires on the PCI Security Standards Council website.
Requirements address the security of your customer data environment (CDE) from end to end. They cover access control, your information security policy and parameters, maintaining a secure network, your vulnerability management program, and more.
2. Create a mitigation plan to address each risk
Examine each item on your list of relevant directives and ask, “How well does my organization comply?”
Create a secure system for data protection, financial data, and sensitive information, especially for e-commerce transactions.
If your company collects debit cards or credit card information like MasterCard, Visa, American Express, or Discover, you need a highly secure system. The PCI Security Standards Council dictates retail transactions for retailers.
Not only do you need a secure system; you also need mechanisms that protect the perimeters of your payment processing system.
Make sure to install and maintain a firewall configuration to protect cardholder data and create secure strong passwords with a security system for only authorized users. Any card transactions need to withstand PCI DSS requirements.
3. Test your controls
Your security controls then need validation. You must ensure that each of your remediation controls adequately mitigates each associated risk.
Furthermore, testing should be routine and done on an ongoing basis to ensure that controls are still doing their job and to make updates as needed.
4. Document your risk assessment, control plans, and testing results
Having documentation of your compliance efforts will save your auditor time and work, and save your enterprise money.
For a more in-depth look into PCI requirements, check out our PCI Compliance Checklist.
What Are The Penalties for Non-Compliance?
If you find yourself asking, “Do I need to be PCI compliant?” — the short answer is that regardless of your size or industry, any organization that accepts, transmits, or stores cardholder data must maintain PCI compliance.
Since PCI DSS is considered a “standard” rather than a regulation, many merchants incorrectly assume compliance is optional. While noncompliance may not lead to jail time, it does come with consequences that could lead to unnecessary expense or even business failure.
Some of the penalties include fines (potentially quite onerous), extra remediation costs, or even losing access to the credit card payment system. Businesses that aren’t PCI-compliant may be vulnerable to legal implications as well — say, other regulators imposing sanctions because your non-compliance caused a privacy breach; or consumers themselves filing litigation against your business.
Card brands and acquiring banks can, at their discretion, fine non-compliant merchants anywhere from $5,000 to $100,000 per month for a violation. For a small retailer, these fines can end business operations. While large organizations can handle the fees, their bottom lines still suffer.
How ZenGRC can ease the burden of PCI DSS compliance for retailers
People typically associate governance, risk, and compliance (GRC) programs with an organization’s cybersecurity. The retail industry, however, is particularly obliged to meet PCI compliance standards.
The need for reliable GRC software is crucial to protecting your bottom line, your business integrity, and most importantly, the privacy and confidentiality of your customers who trust your business to protect against security breaches.
With ZenGRC, organizations can rapidly deploy a governance system that provides easy-to-read insights. For example, our PCI DSS compliance dashboard allows organizations to review control health at a glance, while also listing critical issues facing the organization.
ZenGRC’s ongoing monitoring abilities provide updated, in-the-moment insights enabling organizations to continually respond to changing threats and vulnerabilities in a continuously evolving threat environment.
Moreover, organizations can store their penetration test and audit findings on the ZenGRC platform to help enable better cross-enterprise outcomes.
With ZenGRC, you can stay compliant with retail PCI requirements with complete views of control environments, easy access to sensitive information, keep with PCI SSC regulations, and continual compliance for the benefit of your retail business and your customers.
To learn more about how ZenGRC can assist your business’ PCI requirements contact us now for your free consultation and demo.