How to Achieve Payment Card Industry Compliance: 5 Simple Steps

For small retailers, meeting the Payment Card Industry Data Security Standard requirement poses different challenges than it does for large merchants. Many large merchants have already faced fines and operation restrictions for noncompliance, something that small retailers can't afford to face. With little in-house expertise on the subject, compliance with the Payment Card Industry Data Security Standard can be challenging for smaller businesses. Knowledge Center contributor Evelyn de Souza explains how small retailers can achieve PCI compliance in five simple steps.


Of approximately 6 million small merchants in the United States, it is estimated that as few as 20 percent are complying with the Payment Card Industry Data Security Standard (PCI DSS). Many small retailers are using vulnerable payment operations and may have inadequate security practices in place, making them a significant threat to data security.

By 2010, the PCI Security Standards Council will implement Visa's Payment Application Data Security Standard (PA-DSS) to help software vendors develop secure payment applications that do not store prohibited data, and to ensure their payment applications support compliance with the PCI DSS. This will certainly have a measurable impact on small retailers as well.

Small retailers can better protect credit card data obtained while selling offline, online, through catalogs or even from kiosks. To start, PCI DSS compliance should be considered an enabler on an ongoing road to tighter security rather than a penalty. The following are five simple strategies for complying with PCI DSS, recommended specifically for small retailers:

Strategy No. 1: Store ONLY what you need

Most businesses don't need to store payment card data. In fact, you're better off not storing customer credit card data altogether. Transmitting credit card data directly to a third party or outsourcing payment processing can greatly reduce the scope of PCI by eliminating the need to follow storage security guidelines.

Strategy No. 2: Ensure your payment applications are secure

Only implement technology that adheres to the PA-DSS to ensure you are in compliance. Refer to a list of validated applications, available here.

Strategy No. 3: Consider outsourcing operations, especially payment processing

Outsourcing eliminates the need to build an internal infrastructure for payment processing and lets you focus on your core business. It also reduces the number of security measures you have to put in place yourself.

Strategy No. 4: Never store PIN data

With many intricate steps required to properly process, encrypt and protect PIN data, it is better not to store any sensitive authentication data in-house.

Strategy No. 5: Protect cardholder receipts

Securely store any receipts that are retained as a paper record of a transaction and/or for voucher recovery. Often, full credit card numbers appear on these receipts, so protecting them is critical.

PCI compliance is crucial to protecting consumer information, but to small retailers it may seem overwhelming. A few simple steps can start them on the road to securing data and achieving compliance, and save a world of pain down the road.

Evelyn de Souza is senior manager of Risk and Compliance Solutions at McAfee. Evelyn is responsible for developing holistic solutions for compliance initiatives such as PCI DSS, as well as marketing McAfee's policy auditing and remediation solutions. Evelyn is a strong proponent of building automated, repeatable processes that enable organizations to sustain compliance while optimizing security posture and reducing costs.

Evelyn is a passionate security professional with more than eight years in the IT security industry. She enjoys engaging with industry analysts and with McAfee customers and partners to discuss industry trends. Evelyn holds a B.A. degree with honors in music from Monash University in Melbourne, Australia. She can be reached at [email protected].