Comment: PCI DSS: Cutting through the compliance
 
Fri, 6th March 2009
 
 


By Doug Hargrove

For retailers, the advantages of being able to offer payment by card are obvious. Today's consumers are used to being able to pay for transactions using whichever method is the most convenient for them, and facilitating card payments ensures that no sales are lost due to customers not having access to a nearby cash machine. For independent store owners concerned about the encroachment of the supermarkets into the convenience store space, card payment facilities also present a crucial means of staying competitive and maintaining market share.

But as card payment technology becomes increasingly common, the number of data security breaches reported is rising, as thieves develop increasingly sophisticated methods of extracting sensitive payment data. It is therefore important for customers and retailers that stores arm themselves in the best possible way against the threat of a security lapse. The Payment Card Industry Data Security Standard (PCI DSS) rules, which are compulsory for all card-accepting retailers, are designed to achieve this.

Evolving from a number of separate initiatives set out by different card providers, the PCI DSS regulations were introduced in 2004 as a means of identifying the areas in which it is important for security to be maintained, and of clarifying the role retailers had to play in ensuring this. An independent Security Standards Council (PCI SSC) was formed to oversee the implementation of these standards, including accrediting Qualified Security Assessors, and to advise on any amendments or updates that were to be incorporated.

In theory, the creation of PCI DSS should have spelled the end of any uncertainty over retailers' responsibilities in ensuring the integrity of transactions. However, the reality is one of confusion. Since the introduction of the standards, there have been two revisions, with version 1.2 introduced last October, but it is estimated that still only 10% of transactions in the UK are currently processed on compliant systems.

It is important that retailers who accept card payments are aware that compliance with PCI DSS is a contractual obligation between them and the acquiring bank to protect the security of transactions. Compliance with the standards is not a cast-iron guarantee that a data breach cannot occur, but it does render the retailer free from liability in the eyes of the card providers. By contrast, if a retailer is found to be liable, they face the prospect of incurring a considerable fine, as well as having their right to accept card payments withdrawn.

This is in addition to the high cost of a 'clean up' following an incident, including legal fees and the necessary upgrading of in-store systems, as well as mitigating the impact on customers' perceptions of a store. Following a widely-publicised security breach at TK Maxx's US counterpart, analyst house Forrester estimated that it cost the company up to 0 per customer record leaked to resolve the incident. Such an amount could be enough to bankrupt a smaller retailer.

Whilst larger retailers can employ dedicated in-house staff to ensure they meet the PCI DSS requirements, gaining compliance does not have to be a prohibitively expensive and complex process for independent retailers. Instead, with advanced retail technology, stores can effectively 'buy' in compliance by choosing a solution that has already been assessed as meeting the PCI DSS regulations.

In order to ensure this, stores can work with a technology provider that understands the security requirements laid out in the PCI DSS. Responding to the challenges smaller retailers have faced in implementing the regulations, systems vendors have been able to enlist the guidance of Qualified Security Assessors when designing retail applications. This has enabled them to fully integrate the necessary security processes into the technology used at the point of sale. For example, the automatic end-to-end encryption of customer payment data can be applied as standard, ensuring that, even in the event of a leak, sensitive information cannot be easily read by an outside party.

As well as ensuring the integrity of the technical processes behind transactions, compliant applications can also provide useful support and consultancy for retailers looking to shore up their business processes. One requirement of the PCI DSS is that businesses create unique passwords for applications instead of leaving the default login details active. Compliant retail applications can enforce this by automatically requiring the user to create a new password, for example.

Compliant systems can offer store owners protection and peace-of-mind without the need to spend time and resources on keeping up-to-date with the latest updates to the PCI DSS rules. Instead, technology vendors can offer software updates to ensure the retailer's systems support the most recent version of the regulations, and provide advice on how best they can adapt their business to meet the requirements.

Choosing compliant systems also presents retailers with an opportunity to make additional improvements to bring their operations fully up-to-date with the latest innovations in retailing. Advanced retail technology such as business analysis tools and loyalty systems can help retailers offer customers the best service possible by identifying trends in shopper behaviour and offering customers individualised promotions based on their personal shopping habits, for example.

With a compliant system, the PCI DSS regulations do not have to be a source of worry for retailers. Indeed, stores that can prove to shoppers that they care about keeping their data safe can benefit from increased customer trust and loyalty. With the right technology, it can present stores with an opportunity to boost sales and increase their market share by offering their customers the best possible service.

Doug Hargrove is Chief Marketing Officer at Torex


 
 
category Retail  |  source The Retail Bulletin
 
   
 
 
 
 