As a retailer, protecting your customers’ sensitive information is your most important obligation. With news of devastating data breaches constantly in the headlines, you need to take steps to ensure that credit and debit card information is always stored, processed and transmitted securely.
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle credit cards. The first version of PCI DSS was released in 2004, with the most recent update to the standards arriving in April 2016.
PCI standards were created as a way to ensure that retailers have greater control over sensitive credit card information in their possession and take steps to prevent data theft and fraud. Any business or retailer that handles credit card information is required to be compliant with the PCI standards, and the penalties for non-compliance are severe: as high as $100,000 every month or $500,000 per security incident.
In order to avoid fines, prevent damage to your reputation, and to improve your trustworthiness among customers, it’s important for you to take PCI standards seriously. This article will help you determine whether your business is up to snuff when it comes to retail PCI compliance.
PCI DSS is only one part of the PCI standards that companies may need to comply with. The full list of PCI standards is as follows:
Credit card companies such as Visa and MasterCard, which make up the PCI Security Standards Council, have defined four different PCI compliance levels for merchants. The level that a retailer is assigned to is determined by its yearly transaction volume. In addition, companies that have suffered a data breach resulting in compromised credit card information may be moved to a higher level.
The four levels of PCI compliance are:
Retailers at all levels must meet the requirements of the PCI standards, but smaller merchants face fewer validation requirements. For example, small Level 4 retailers are required to complete a yearly self-assessment questionnaire and to have an approved vendor perform a network scan several times a year. Level 1 retailers, on the other hand, may be required to have a qualified internal or external security assessor report on the company’s PCI compliance at regular intervals.
You shouldn’t treat PCI compliance as merely another box that your business needs to check. Understanding PCI DSS and its effects on your retail practices is essential in this era of data (in)security.
For one, being compliant with the PCI standards can help retailers protect themselves against data breaches and lessen the consequences if one does occur. According to Verizon’s 2015 PCI Compliance Report, for example, none of the company’s customers that were in compliance with PCI standards went on to experience a data breach. What’s more, of the companies that did fall victim to breaches, none was in compliance with two critical PCI requirements: maintaining secure systems and software, and logging and monitoring.
We mentioned earlier that there are penalties for non-compliance. Even though the PCI standards are not a law but a set of industry standards, the fines can be severe. Banks and other financial institutions may impose penalties from $5,000 to $500,000 on non-compliant organizations. Perhaps even worse, the acquiring bank may choose to revoke the merchant’s ability to accept credit cards, which would be a crippling blow for many retailers.
However, PCI compliance isn’t a panacea for retailers concerned about data security. Think of PCI as table stakes: the minimum necessary. A retailer that follows the PCI standards may still sustain an attack that results in a data breach. Even if a business is fully compliant with PCI standards, a breach can cost up to $90 per compromised card and potentially result in a suspension of its ability to accept cards, as well as the risk of legal action.
The Zettaset XCrypt Data Encryption Platform, with its ability to protect enterprise data-at-rest and data-in-motion, can be instrumental in helping retail organizations achieve PCI DSS compliance. Zettaset’s platform addresses the critical portions of the PCI DSS v3.2 control set for Requirements 3, 4, 7, 8 and 10, while also supporting additional components of the PCI DSS compliance requirements.
Zettaset’s advanced data encryption solutions can help e-commerce and online retailers, as well as brick-and-mortar retail organizations, to meet PCI DSS v3.2 compliance requirements. The platform gives users a transparent, centrally managed feature set that’s easy to deploy without the need to make changes to existing operational processes.
Want to learn more about XCrypt data encryption solutions? Check out our application brief to learn how you can protect your data and make your sensitive information safe from attackers.