For small retailers, meeting the Payment Card Industry Data Security Standard requirement poses different challenges than it does for large merchants. Many large merchants have already faced fines and operation restrictions for noncompliance, something that small retailers can't afford to face. With little in-house expertise on the subject, compliance with the Payment Card Industry Data Security Standard can be challenging for smaller businesses. Knowledge Center contributor Evelyn de Souza explains how small retailers can achieve PCI compliance in five simple steps.
Of approximately 6 million small merchants in the United
States, it is estimated that as few as 20
percent are complying with the Payment Card Industry Data Security Standard
(PCI DSS). Many small retailers are using
vulnerable payment operations and may have inadequate security practices in
place, making them a significant threat to data security.
By 2010, the PCI Security Standards council will implement Visa's Payment
Application Data Security Standard (PA-DSS)
to help software vendors develop secure payment applications that do not store
prohibited data, and to ensure their payment applications support compliance
with the PCI DSS. This will certainly have a
measurable impact on small retailers as well.
Small retailers can better protect credit card data obtained while selling
offline, online, through catalogs or even from kiosks. To start, PCI DDS
compliance should be considered an enabler to an ongoing road of tighter
security rather than as a penalty. The following are five simple strategies for
complying with PCI DDS, recommended
specifically for small retailers:
Strategy No. 1: Store ONLY what you need
Most businesses don't need to store payment card data. In fact, you're
better off not storing customer credit card data altogether. Transmitting
credit card data directly to a third party or outsourcing payment processing
can greatly reduce the scope of PCI by eliminating the need to follow storage
Strategy No. 2: Ensure your payment applications are secure
Only implement technology that adheres to the PA-DSS
to ensure you are in compliance. Refer to a list of validated applications, available here
Strategy No. 3: Consider outsourcing operations, especially payment
By eliminating the need to build an internal infrastructure for payment
processing, it enables you to focus on your core business. It also helps reduce
the number of security measures you have to put in place.
Strategy No. 4: Never store PIN data
With many intricate steps required to properly process, encrypt and protect
PIN data, it is better not to store any sensitive authentication data in-house.
Strategy No. 5: Protect cardholder receipts
Securely store any receipts that are retained as a paper record of a
transaction and/or for voucher recovery. Often, full credit card numbers appear
on these receipts, so protecting them is critical.
PCI compliance is crucial to protecting consumer information, but to small
retailers it may seem overwhelming. But a few simple steps can start them on
the road to securing data and achieving compliance, and save a world of pain
down the road.
Evelyn de Souza is senior manager of Risk and Compliance Solutions at McAfee. Evelyn is responsible for developing
holistic solutions for compliance initiatives such as PCI DSS,
as well as marketing McAfee's policy auditing and remediation solutions. Evelyn
is a strong proponent of building automated, repeatable processes that enable
organizations to sustain compliance while optimizing security posture and
Evelyn is a passionate security professional with more than eight years
in the IT security industry. She enjoys engaging with industry analysts and
with McAfee customers and partners to discuss industry trends. Evelyn holds a
B.A. degree with honors in music from Monash University in Melbourne, Australia.
She can be reached at firstname.lastname@example.org.