
4 Tips to Help Retailers Meet PCI DSS Compliance

Over the last year, retailers have endured a range of unprecedented challenges. From supply chain and labor force disruptions to strict social distancing protocols, online and brick-and-mortar retailers alike have been forced to adapt their businesses practically overnight in order to retain customer loyalty and compete in the evolving digital economy. 

Among the many obstacles that retailers now face, data compliance and security continue to be a major challenge, especially given the high volumes of personally identifiable information (PII) and payment card information (PCI) that retailers process on a daily basis. With ecommerce now representing 21% of total retail sales in 2020 versus 15% in 2019, more retail transactions are occurring virtually than ever before, increasing the volume of data, and more importantly the risk of data being exploited by malicious actors online. 

An Introduction to PCI Compliance 

To safeguard consumer information in the digital age, the Payment Card Industry Security Standards Council established the Payment Card Industry Data Security Standard (PCI DSS), a set of global security requirements for any business that processes, stores or transmits credit cardholder information. PCI DSS was first released in 2004, but it has since evolved to meet the shifting demands of the electronic payments landscape. 

Today, any organization that handles PCI must abide by the following practices in order to meet PCI DSS compliance: 


  • Build and maintain a secure network and systems;
  • Protect cardholder data;
  • Maintain a vulnerability management program;
  • Implement strong access control measures;
  • Regularly monitor and test networks; and
  • Maintain an information security policy.

However, while PCI DSS has remained the gold standard to protect cardholder information for more than 15 years, global compliance with PCI DSS has dwindled. In fact, only 30% of businesses were compliant with PCI DSS in 2020, according to a recent study from Verizon’s Payment Security Report. 

Tips for Meeting PCI DSS Compliance

As the global economy re-emerges from the pandemic, retailers must remain vigilant and proactive to protect cardholder information and meet PCI DSS compliance. Here are four important steps organizations can take to secure customer information and become compliant:

  1. Complete a gap analysis. This is a step that any retailer can take to proactively protect cardholder information and identify any unknown exposures or “gaps.” A comprehensive gap analysis incorporates a detailed discovery of any cardholder details hiding in storage locations across the entire network. This enables a far more accurate assessment of the state of PCI DSS risk and compliance, and analyzes how data is currently being collected, handled and stored.
  2. Conduct frequent employee education sessions. Employees are an organization’s first line of defense to protect customer data. Retailers should proactively teach all employees about proper data handling and secure storage practices. Where possible, empower a dedicated person to lead these efforts, such as a chief data or chief privacy officer, to direct all training initiatives on an ongoing basis.
  3. Leverage technology. While employees are important gatekeepers of company data, they should not be regarded as the only ones in charge of maintaining and understanding compliance. Often companies fall out of compliance due to heavy reliance on manual processes and tasks being executed by people. There are many technologies available that can automate monitoring and compliance and generate alerts only when real issues arise. For example, a modern PCI discovery solution can notify specific team leaders or departments when insecure credit card data storage appears so that the risk can be quickly remediated, and ultimately ensure no gap in PCI DSS compliance occurs.
  4. Prepare for a possible data breach. Retailers should have an updated and readily available incident response plan for potential data breaches. A well-constructed incident response plan should include a clear communication strategy to employees and stakeholders on how to handle the situation, and incorporate post-incident analysis to mitigate future risks. Maintaining a well-rehearsed incident response plan will help create transparency and preserve trust among employees and customers and minimize the potential damage caused by an incident.
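The gap analysis in step 1 and the automated discovery alerts in step 3 both rest on the same mechanism: scanning storage for primary account numbers (PANs) that should not be there. The script below is an added illustration of that mechanism, written for this article; it is not code from the article or from Ground Labs. It finds 13- to 19-digit candidates (with optional space or dash separators), discards anything that fails the Luhn checksum so that order numbers and timestamps are not flagged, and reports each hit with the PAN masked (first six and last four digits only), so the alert itself never stores a full card number. The file contents are constructed sample data; the two card numbers in them are Luhn-valid test values, not real accounts.

```python
import re
from typing import Dict, List

# Candidate PAN: 13-19 digits, each digit optionally followed by a space or dash,
# and not adjacent to further digits (so a longer numeric run is not split up).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits (the PCI DSS display rule); mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return the normalized (separator-free) PANs found in a line of text."""
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def scan_files(files: Dict[str, str]) -> List[dict]:
    """Scan a mapping of path -> file content and return one alert per PAN hit.

    Each alert records where the data was found and a masked PAN, which is
    enough for a team lead to locate and remediate the storage without the
    alert itself becoming another copy of cardholder data.
    """
    alerts = []
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), start=1):
            for pan in find_pans(line):
                alerts.append({"path": path, "line": lineno, "masked": mask_pan(pan)})
    return alerts


# Constructed sample "storage": a CSV export holding raw card numbers (a finding),
# an application log with a masked card and a Luhn-invalid token (no finding),
# and a text file with a phone number and an invalid 13-digit run (no finding).
SAMPLE_FILES = {
    "exports/orders_2020.csv": (
        "order_id,card,amount\n"
        "1001,4111 1111 1111 1111,59.99\n"
        "1002,5500-0000-0000-0004,120.00\n"
    ),
    "logs/app.log": (
        "2021-03-01 checkout ok order=1003 card=****1234\n"
        "2021-03-01 debug token=1234567890123456\n"
    ),
    "docs/readme.txt": "Call 555 0100 for support. Ref 9999999999999 invalid.\n",
}


if __name__ == "__main__":
    for alert in scan_files(SAMPLE_FILES):
        print(f"{alert['path']}:{alert['line']}: unencrypted PAN {alert['masked']}")
```

Running the script reports the two rows of the CSV export and nothing else: the log line's 16-digit token and the readme's 13-digit run both fail the Luhn check, which is what keeps a discovery tool from flooding team leads with false alerts. In a real deployment the scanner would walk file shares, databases and mailboxes rather than an in-memory dictionary, and each confirmed hit would be routed to the owner of that storage location for remediation.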

Retailers should not regard PCI DSS compliance as a ‘one and done’ effort. Compliance standards are constantly evolving and organizations must continuously adapt their security practices to safeguard cardholder information and make this effort a core component of their brand identity.   


Stephen Cavey is Co-founder and Chief Evangelist at Ground Labs, leading a global team empowering its customers to discover, identify and secure sensitive data across their organizations. As the Chief Evangelist, Cavey leads its worldwide product development, sales and marketing and business operations and was instrumental in extending Ground Labs’ presence with enterprise customers. He has deep security domain expertise with a focus on electronic payments and data security compliance. Cavey is a frequent speaker at industry events on topics related to data security, risk mitigation and cybersecurity trends and futures. He started Ground Labs after holding engineering and leadership positions at Paycorp Holdings (now part of MYOB), a provider of integrated electronic payments solutions, and Webpay, a payment services provider later acquired by Fidelity.
