A Guide to PCI DSS for Retailers

Keeping your customers safe

A customer walks into your store and hands you their credit card to pay for a new jacket. They trust you with their financial information, just like they trust you to have a great selection and friendly service. But in today’s digital age, keeping that information secure goes beyond locked doors. That’s where PCI DSS comes in. It might sound intimidating, but PCI DSS is simply a set of rules designed to do one thing: protect your customers’ payment information throughout the entire transaction process. By understanding these guidelines, you can build trust with your customers, avoid financial penalties, and keep your business running smoothly.

Why PCI DSS Matters to Your Customer

Think of PCI DSS as a security shield for your store, safeguarding your customers’ credit card information from potential breaches. Here’s how PCI DSS compliance benefits your business:

Happy Customers, Loyal Customers: In today’s digital age, customers are increasingly wary of sharing their financial information online and in stores. By demonstrating your commitment to PCI DSS compliance, you show them you take their security seriously. This builds trust and loyalty, which are essential ingredients for long-term success. Imagine a customer choosing your store over a competitor simply because they feel their information is safer with you.


Avoiding Costly Fines: Non-compliance with PCI DSS can lead to hefty fines imposed by the card schemes. These fines can significantly impact your bottom line. By following PCI DSS guidelines, you can avoid these financial penalties and keep your hard-earned profits safe. Think of it as an investment in protecting your business from unexpected costs.

Keeping Your Business Flowing: Certain payment processors may refuse service to merchants that are not PCI DSS compliant. This can create a major disruption to your day-to-day operations, as accepting card payments is a vital part of most retail businesses. Maintaining PCI DSS compliance ensures you can continue to process payments seamlessly, keeping your business running smoothly and avoiding the hassle of finding a new processor.

Taking Action – Simple Steps with Big Impact

While the specific requirements of PCI DSS vary depending on the size and complexity of your retail operation, there are some core principles that every business owner, from small retailers to tier 1 merchants, should remember:

Don’t Store Sensitive Data: Never store a customer’s CVV code (the three digits on the back of their credit card) after a transaction has been authorised. Additionally, avoid writing down any other sensitive information like cardholder names and expiry dates unless absolutely necessary. If you do need to store this information for legitimate business purposes, ensure it’s done securely, following industry best practices. Remember, your customers are trusting you with their financial information – treat it with the respect it deserves.

Strong Passwords Are Key: Implement a strong password policy for all systems that access credit card data, including your point-of-sale system. Encourage your employees to create unique passwords that are difficult to guess and require them to change their passwords regularly. Think of strong passwords as the key to your digital vault – the more complex, the harder it is for unauthorized access.

Stay Up-to-Date: Software updates often contain critical security patches that address vulnerabilities exploited by hackers. Make it a habit to keep your operating systems, security software, and point-of-sale system updated with the latest versions to minimize the risk of security breaches. Imagine software updates as security patches for your store’s windows – keeping them up-to-date helps prevent break-ins.

Limit Access Wisely: Restrict access to customer payment information only to employees who absolutely need it to perform their job duties. This helps to minimize the risk of unauthorized access and potential data leaks. Think of limiting access as controlling who gets a key to your store – only those who need it to perform their duties should have it.

Help is Available! (check local equivalents if relevant)

Navigating the world of PCI DSS compliance might seem overwhelming, but you don’t have to go it alone. There is a wealth of resources available to help merchants understand and implement the necessary safeguards. Here are a couple of key starting points:

The PCI Security Standards Council (PCI SSC): This official PCI organization offers a variety of resources specifically tailored towards merchants. Their website provides comprehensive information on PCI DSS requirements, self-assessment tools, and best practices to guide you on your compliance journey. You can access their website at https://www.pcisecuritystandards.org/.

National Retail Federation (NRF): The NRF offers a wealth of resources and educational materials on PCI DSS compliance specifically geared towards the retail industry. Their website and membership programs can provide valuable insights and recommendations. You can find their website at http://nrf.com/.

Imagine your credit or debit card number as a key to your house. You want to keep this key safe, but you also need to use it to make payments. Tokenization is like having a special lockbox where you can securely store your key when you’re not using it. Instead of giving out your actual key every time you make a payment, you give out a unique code, called a token, that represents your key. This token can only be used in specific situations, like at certain stores or for certain types of purchases. Even if someone were to get hold of your token, they wouldn’t be able to figure out your actual key (or card number) because it’s safely stored in the lockbox. This makes tokenization a smart and secure way to protect your payment information while still being able to make purchases easily and safely, especially as more people use mobile devices and wearables for payments.

For merchants, it’s critical to understand the Cardholder Data Environment (CDE), which includes all the systems and processes involved in handling your customers’ cardholder data. This covers everything from network devices to POS terminals. To meet security standards like PCI DSS, which are required for handling payment card data, merchants often turn to Payment Application Data Security Standard (PA-DSS) validated service providers or use tokenization. These help simplify compliance by keeping the full card number out of the merchant’s own systems, which shrinks the CDE that has to be assessed. However, ensuring proper configuration and implementation of these solutions is essential. To manage this effectively, merchants should consider hiring a dedicated IT person or subscribing to a service that offers ongoing IT support. This ensures that they stay compliant and their customers’ data remains secure in the long term. Additionally, merchants can find a list of PA-DSS validated application vendors on the PCI SSC website for trusted solutions.
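To make the tokenization idea from the lockbox analogy and the "don’t store sensitive data" principle concrete, here is an added illustration in Python. It is not code from this guide, from the PCI SSC, or from any payment provider; the `TokenVault`, `StoredPayment` and `prepare_for_storage` names are invented for the example, the card details are a constructed, well-known test number rather than a real account, and the vault secret is a placeholder that would come from a secrets manager or HSM in practice. It shows the split the text describes: the vault (the provider’s side) holds the mapping from a random token to the card number, while the merchant keeps only the token and last four digits and never retains the CVV.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, asdict
from typing import Dict, Optional

# Constructed test card (a standard test PAN), not a real account.
SAMPLE_CARD = {"pan": "4111 1111 1111 1111", "cvv": "123", "expiry": "12/29", "name": "A Customer"}


class TokenVault:
    """Illustrative token vault. In practice this sits with the payment provider,
    outside the merchant's cardholder data environment; the merchant never holds it."""

    def __init__(self, vault_secret: bytes) -> None:
        self._secret = vault_secret  # assumed to come from a secrets manager / HSM
        self._token_to_pan: Dict[str, str] = {}
        self._fingerprint_to_token: Dict[str, str] = {}

    def _fingerprint(self, pan: str) -> str:
        # Keyed hash so the vault can recognise a card it has already tokenized
        # without indexing on the plaintext card number.
        return hmac.new(self._secret, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        fp = self._fingerprint(pan)
        if fp in self._fingerprint_to_token:
            return self._fingerprint_to_token[fp]
        # The token is random: nothing about the PAN can be derived from it.
        token = "tok_" + secrets.token_hex(12)
        self._token_to_pan[token] = pan  # a real vault encrypts this at rest
        self._fingerprint_to_token[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault maps a token back to the card. The merchant asks the
        provider to refund or rebill by token and never handles the PAN itself."""
        return self._token_to_pan[token]


@dataclass(frozen=True)
class StoredPayment:
    """The only payment details the merchant keeps on its own systems."""
    token: str
    last4: str
    expiry: Optional[str]  # retained only when there is a genuine business need


def prepare_for_storage(card: Dict[str, str], vault: TokenVault, keep_expiry: bool = False) -> StoredPayment:
    """Swap the PAN for a token and drop everything that must not be stored.
    The CVV is never kept after authorisation, whatever the business need."""
    pan = card["pan"].replace(" ", "")
    token = vault.tokenize(pan)
    return StoredPayment(
        token=token,
        last4=pan[-4:],
        expiry=card.get("expiry") if keep_expiry else None,
    )


def storage_is_clean(record: StoredPayment, pan: str) -> bool:
    """Pre-write check: no CVV field and no full card number anywhere in the record."""
    fields = asdict(record)
    flat = " ".join(str(v) for v in fields.values())
    return "cvv" not in fields and pan.replace(" ", "") not in flat


if __name__ == "__main__":
    vault = TokenVault(b"constructed-demo-secret")  # placeholder secret for the demo
    record = prepare_for_storage(SAMPLE_CARD, vault)
    print("merchant stores:", record)
    print("clean:", storage_is_clean(record, SAMPLE_CARD["pan"]))
    print("provider can still charge the card:", vault.detokenize(record.token))
```

The point of the design is the boundary: `TokenVault` is the part a PA-DSS validated provider runs, and `StoredPayment` is all that remains in the merchant’s CDE, so a compromise of the merchant’s database yields tokens and last-four digits rather than usable card numbers.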

Imagine you’re the owner of a restaurant and you’ve hired a cleaning service to keep your kitchen spotless. Just because you’ve hired them doesn’t mean you can forget about cleanliness altogether—it’s still your responsibility to make sure they’re doing their job properly. Similarly, when it comes to PCI DSS compliance, if you use a service provider (e.g. an acquiring bank or similar) to handle certain aspects of your payment processing, you can’t just pass the buck and assume they’ll take care of everything. You need to actively monitor their compliance with PCI DSS standards to ensure your customers’ payment data stays safe.

Now, there are two ways your cleaning service can show they’re doing their part. They can either conduct their own annual assessment to prove they’re meeting PCI DSS requirements and give you evidence of this, or they can participate in your own PCI DSS review when you request it. Whichever option they choose, it’s important for both parties to clearly outline which services are covered by the assessment, what specific requirements are being met, and who’s responsible for what.

If your cleaning service does their own assessment, they should provide you with enough evidence to show that they’ve looked at all the necessary areas and are meeting the standards. This evidence might come in the form of reports or documentation, depending on your agreement with them. Just like how you’d want proof that your kitchen is getting cleaned properly, you’ll want assurance that your service provider is keeping your payment data secure. 

Let’s break down PCI DSS compliance into three simple steps

Assess – First, you need to identify where all your customers’ payment data is stored, whether it’s on your computers, servers, or anywhere else. Think of it like taking inventory in a warehouse—you need to know exactly what you have and where it is. Then, you’ll look for any weak spots that could make this data vulnerable to hackers.

Repair – Once you’ve found any vulnerabilities, it’s time to fix them up. Just like patching up a leaky roof or repairing a broken lock, you’ll need to secure your systems and processes to make sure your customers’ data stays safe. This might involve updating software, changing passwords, or even getting rid of unnecessary data storage.

Report – Finally, you’ll need to document everything you’ve done to assess and repair your systems, and submit compliance reports to the right people. This is like handing in your homework to your teacher—it shows that you’ve done your part to keep your customers’ data secure.
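The Assess step starts with finding out where card numbers have ended up, and in practice that means scanning logs, exports and shared folders for anything that looks like a PAN. The following Python script is an added example written for this guide, not a tool from the PCI SSC or any vendor: it finds 13 to 19 digit sequences, keeps only those that pass the Luhn check (which filters out order numbers and ticket ids that merely look similar), and reports them masked so the scan output itself does not become another copy of cardholder data. The sample "files" are constructed inline for the demo and use standard test card numbers.

```python
import re
from typing import Dict, List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer run of digits.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample content standing in for files found on a merchant's systems.
SAMPLE_FILES: Dict[str, str] = {
    "pos_debug.log": (
        "2024-03-01 10:15:02 AUTH ok pan=4111111111111111 exp=12/29\n"
        "2024-03-01 10:15:03 order=1234567890123 status=paid\n"
    ),
    "notes.txt": (
        "Customer called, card 5555 5555 5555 4444 declined\n"
        "Ref 9999999999999999 is our internal ticket id\n"
    ),
}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep at most the first six and last four digits, as PCI DSS permits for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[Tuple[int, str]]:
    """Return (line number, masked PAN) for every Luhn-valid candidate in text."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_valid(digits):
                hits.append((lineno, mask(digits)))
    return hits


def scan_files(files: Dict[str, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Scan each file's content; files with no findings are omitted from the result."""
    report: Dict[str, List[Tuple[int, str]]] = {}
    for name, content in files.items():
        hits = find_pans(content)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, hits in scan_files(SAMPLE_FILES).items():
        for lineno, masked in hits:
            print(f"{name}:{lineno}: possible stored PAN {masked}")
```

Run against real data, the script reads files rather than the inline samples, and every hit is a place where the Repair step applies: either the data should not be there at all (a debug log that prints full card numbers) or it must be protected as part of the CDE. Masking in the report matters because a scan result listing full PANs would itself need to be protected.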

To make sure you’re doing everything right, you can get help from qualified assessors approved by the PCI SSC. These assessors can guide you through the process and make sure you’re meeting all the requirements. Think of them like expert advisors who can help you navigate the complex world of PCI DSS compliance.

If things go wrong!

Imagine your store accidentally leaves the back door unlocked overnight. Even if nothing is stolen, you’d likely call a locksmith (PCI Forensic Investigator) to check for any vulnerabilities and reinforce the lock (remediation steps). This security assessment comes at a cost, ranging from a few hundred pounds for a small shop to thousands for a larger store. Additionally, your insurance company (card schemes) might impose a penalty for not having a proper lock (non-compliance with PCI DSS). However, if the locksmith confirms your deadbolt and alarm system were functioning perfectly

In addition to the forensic investigation costs, the card schemes are also able to impose fines which are typically around £15,000 for a small merchant but can run into the hundreds of thousands for larger merchants. However, if the investigation finds that the merchant is PCI DSS compliant, notwithstanding the data breach, then the merchant will not be subject to any card scheme fines.

Notable fines

A 2020 cyberattack on DSG Retail Limited’s point-of-sale systems exposed personal data, including payment card details, of 14 million individuals. This resulted in a £500,000 fine from the ICO, highlighting the importance of PCI DSS in securing payment card information and the ICO’s firm stance on classifying Primary Account Numbers (PANs) as personal data.

Warner Music Group faced a significant cyber threat in late 2020 when Magecart, a conglomerate of hacking groups specializing in online payment data theft, targeted their systems for three months. During this period, payment card information, including card numbers, CVV codes, and expiration dates, was compromised. Magecart typically exploits vulnerabilities in third-party software within the supply chain to intercept customer data during transactions.

In 2013, Target suffered one of the most notable breaches of PCI DSS compliance, resulting in the exposure of 40 million credit card numbers. Despite having robust security measures in place, Target’s systems were infiltrated by malicious actors who exploited vulnerabilities in their defenses. This breach, which persisted for three weeks, led to significant financial losses for Target, including substantial settlements and legal fees.

Adobe encountered a major data breach that affected 38 million customers, with three million also having their credit card records stolen. In response, Adobe provided credit monitoring services to affected customers and faced regulatory fines totaling $1 million across multiple states. The breach underscored the importance of robust cybersecurity measures to protect sensitive customer information.

Heartland Payment Systems, a prominent payment processor serving 175,000 merchants, fell victim to a breach via SQL injection. This breach prompted Visa and Mastercard to revoke Heartland’s processing privileges for 14 months and resulted in substantial compensation payments totaling approximately $145 million. The incident highlighted the critical need for robust security protocols, especially for entities handling sensitive payment data.

Equifax experienced one of the largest data breaches in history, affecting over 143 million Americans and exposing a vast array of personal information, including social security numbers and credit card details. The fallout from the breach led to a $425 million settlement to address claims of identity theft and fraud. Additionally, other notable breaches include those suffered by Ticketmaster, and Marriott International, each resulting in significant fines and damages, underscoring the importance of stringent cybersecurity measures and compliance with PCI DSS regulations.

What should your payments provider be doing? Expect nothing less!

A strong partnership between a Key Account Manager (KAM) and a salesperson, catering to different sized businesses, is crucial for ensuring optimal PCI DSS compliance. The KAM, focused on large retailers, should be a trusted advisor who acts as the bridge to the technical teams, helping to identify potential security vulnerabilities and to tailor solutions to the client’s complex IT infrastructure.

For smaller businesses, your salesperson acts as a PCI DSS champion, educating you on the regulations and recommending user-friendly compliance tools. In both cases, a direct line of communication with the payment service provider’s (PSP) dedicated PCI department is essential. This ensures prompt access to expertise, clear explanations of compliance requirements, and streamlined resolution of any PCI-related issues.

Accepting nothing less safeguards the merchant from hefty fines and reputational damage in the event of a data breach.

Disclaimer: This guide offers general information on PCI DSS compliance for retailers. While the information is compiled from various sources (hyperlinked for your reference) and the author’s industry experience, it is not a replacement for professional legal or security advice specific to your business. To ensure your merchant account remains PCI DSS compliant, we highly recommend consulting with a qualified professional for tailored guidance.


This Article is brought to you by

Loopline Media

Catch up with the Author

Post-Brexit: data protection
Card processor sends sensitive data to wrong address
24 August 2022

Worldline SA subsidiary Payone GmbH has been accused of breaching data protection rules after it sent sensitive employee payroll information to the wrong address by accident. The Worldline Group holds a 60% stake in the Frankfurt-based company, which has a small UK market presence.

In June 2021, one of Payone GmbH’s former UK employees (the data subject) received a “potential data breach notification” from the firm advising him that his salary, National Insurance data and nationality (Special Category Data) were amongst various pieces of information sent to an incorrect home address.

This included personal information such as the former employee’s name, age and address. It also included details such as his date of birth and the amount of annual work bonus he received in his bank account, amongst other identifiable data.

Payone GmbH confirmed that this document was sent out in error after an employee made a mistake when re-entering data processed by their third-party payroll provider. The error arose while the employee was fulfilling an Article 15 GDPR request. The data subject spotted the error when he noticed in an email version of the document that the postal address was incorrect. An attempt to notify Payone GmbH of the error was in vain, as the document had already been irretrievably despatched.

The data subject was alarmed by the incident, which exposed him to the possibility of fraudulent activity, amidst reasonable fears that his data could end up on the dark web and be used by criminals. Habitually resident in the UK, he complained to the Information Commissioner’s Office (ICO) in June 2021. He similarly raised the concern in Germany via the Hessian Commissioner for Data Protection and Freedom of Information (HBDI).

The ICO reprimanded Payone GmbH for the error in their final decision letter.
Similarly, the HBDI cited a violation of Article 5(f) of the General Data Protection Regulation (GDPR) relating to integrity and confidentiality.

The ICO stated in their July 2021 findings that Payone GmbH, “should take steps to ensure that all personal data records are accurate and up to date. Holding inaccurate information, such as addresses, does increase the risk of personal data breaches and poses risks to the security of information”.

The HBDI confirmed in their October 2021 findings that Payone GmbH had taken remedial action. They concluded that a monetary fine would not be imposed on Payone GmbH as they had taken technical and organisational steps in response to the data breach. Data subjects could now request their data in an autonomous portal.

The GDPR, which came into effect in 2018, gave the Information Commissioner’s Office greater powers to tackle data breaches. The new ‘UK GDPR’ charts its own course after Brexit whilst seeking to maintain EU GDPR adequacy. In extreme scenarios, organisations face penalties of up to £20m or 4 per cent of their global turnover, whichever is more.

In the years prior to GDPR, the ICO fines were capped at £500,000.

The data subject said: “I am just glad I spotted it; they were going to resend the document again to another wrong address. Prior to Brexit the process would have been commenced via the ICO who in turn would liaise with the HBDI on the data subject’s behalf; but I found myself communicating with both authorities separately which was an additional step but in the end was surprisingly effective. Unfortunately, Payone GmbH again sent my incorrect address to the Workers Pension Trust in January 2022, and documents yet again went to the wrong address. In my opinion they have not learned from the first time and my complaint is sitting with the ICO yet again”.

The former employee is pursuing a remedy under Article 82 UK GDPR via the Courts of England & Wales.
