by Ramona Carr

What the Retail Industry Needs to Know About PCI Compliance


As a retailer, protecting your customers’ sensitive information is your most important obligation. With news of devastating data breaches constantly in the headlines, you need to take steps to ensure that credit and debit card information is always stored, processed and transmitted securely.

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle credit cards. The first version of PCI DSS was released in 2004, with the most recent update to the standards arriving in April 2016.

PCI standards were created as a way to ensure that retailers have greater control over sensitive credit card information in their possession and take steps to prevent data theft and fraud. Any business or retailer that handles credit card information is required to be compliant with the PCI standards, and the penalties for non-compliance are severe: as high as $100,000 every month or $500,000 per security incident.

In order to avoid fines, prevent damage to your reputation, and improve your trustworthiness among customers, it’s important for you to take PCI standards seriously. This article will help you determine whether your business is up to snuff when it comes to retail PCI compliance.

What Are the Types of PCI Standards?

PCI DSS is only one part of the PCI standards that companies may need to comply with. The full list of PCI standards is as follows:

  • PED (PIN Entry Device) standards: The PCI PED standards apply to companies that manufacture payment devices that accept PINs. This includes credit card readers, of course, but also ATMs, gas pumps, ticket kiosks and more. PED is the part of complete PCI DSS compliance that focuses on point-of-sale (PoS) terminals that accept PINs.
  • PA-DSS (Payment Application Data Security Standard): The PA-DSS standard focuses on software applications that store and process cardholder data. This standard ensures that these channels of payment also comply with PCI DSS.
  • DSS (Data Security Standard): PCI DSS is the overall standard that a company must meet in order to call itself “PCI compliant.” PCI DSS includes comprehensive security practices that assess the organization’s policies, procedures, network architecture, and software.

What Are the Different Levels of PCI Compliance?

Credit card companies such as Visa and MasterCard, which make up the PCI Security Standards Council, have defined four different PCI compliance levels for merchants. The level that a retailer is assigned to is determined by its yearly transaction volume. In addition, companies that have suffered a data breach resulting in compromised credit card information may be moved to a higher level.

The four levels of PCI compliance are:

  • Level 4: Retailers who process less than $20,000 in yearly e-commerce transactions.
  • Level 3: Retailers who process between $20,000 and $1 million in yearly e-commerce transactions.
  • Level 2: Retailers who process between $1 million and $6 million in yearly e-commerce transactions.
  • Level 1: Retailers who process more than $6 million in yearly e-commerce transactions.

Retailers at all levels must meet the requirements of the PCI standards, but smaller merchants face fewer validation requirements. For example, small Level 4 retailers are required to complete a yearly self-assessment questionnaire and to have an Approved Scanning Vendor (ASV) perform a network scan several times a year. On the other hand, Level 1 retailers might be required to have a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA) report on the company’s PCI compliance at regular intervals.

Why Is PCI DSS So Important for Retailers to Understand?

You shouldn’t treat PCI compliance as merely another box that your business needs to check. Understanding PCI DSS and its effects on your retail practices is essential in this era of data (in)security.

For one, being compliant with the PCI standards can help retailers protect themselves against data breaches and lessen their consequences if they occur. According to Verizon’s 2015 PCI Compliance report, for example, none of the company’s customers who were in compliance with PCI standards have gone on to experience a data breach. What’s more, of the companies that did fall victim to breaches, none of them were in compliance with two critical PCI requirements: maintaining systems and software security, and logging and monitoring.

We mentioned earlier that there are penalties for non-compliance. Even though the PCI standards are not a law but a set of industry standards, the fines can be severe. Banks and other financial institutions may impose penalties from $5,000 to $500,000 on non-compliant organizations. Perhaps even worse, the acquiring bank may choose to revoke the merchant’s ability to accept credit cards, which would be a crippling strike for many retailers.

However, PCI compliance isn’t a panacea for retailers concerned about data security. Think of PCI compliance as table stakes: the minimum necessary. A retailer that follows the PCI standards may still sustain an attack that results in a data breach. Even if a business is fully compliant with PCI standards, a breach can cost up to $90 per compromised card and potentially result in a suspension of its ability to accept cards, as well as the risk of legal action.

Final Thoughts

The Zettaset XCrypt Data Encryption Platform, with its ability to protect enterprise data-at-rest and data-in-motion, can be instrumental in helping retail organizations achieve PCI DSS compliance. Zettaset’s platform addresses the critical controls of the PCI DSS v3.2 control set for requirements 3, 4, 7, 8 and 10 (protecting stored cardholder data, encrypting cardholder data in transit, restricting access on a need-to-know basis, identifying and authenticating access, and tracking and monitoring access to cardholder data), while also supporting additional components of the PCI DSS requirements.

Zettaset’s advanced data encryption solutions can help e-commerce and online retailers, as well as brick-and-mortar retail organizations, to meet PCI DSS v3.2 compliance requirements. The platform gives users a transparent, centrally managed feature set that’s easy to deploy without the need to make changes to existing operational processes.

Want to learn more about XCrypt data encryption solutions? Check out our application brief to learn how you can protect your data and make your sensitive information safe from attackers.