Is Your Retail Business Ready for the PCI DSS Challenge?

The Payment Card Industry Data Security Standard (PCI DSS) was introduced in a bid to secure cardholder data.

Mike Bielinski, CEO of Vodat International, a provider of managed IP telephony, managed networks and data services, advises retail companies in the UK to work with accredited experts to help them through PCI DSS compliance, and to avoid the hazards and pitfalls on the way.

PCI DSS secures cardholder data that is stored, processed or transmitted by merchants and processors. The standard specifies 12 requirements for security, technology and business processes, and reflects most of the usual best practices for securing sensitive information. This can seem daunting especially for smaller retailers who have no existing security processes.

PCI DSS was almost ignored when it first came along. UK retailers found that their time and resources were taken up just becoming Chip and PIN compliant, and many were led to believe that Chip and PIN technology was the final answer to card-present fraud. Consequently the deadline for becoming PCI DSS compliant was pushed out and the retail industry viewed it as an unnecessary cost on their balance sheets. The fact is that retail companies now know PCI DSS compliance is required of their businesses: otherwise they are liable for security breaches and subject to fines, or even to orders to cease accepting cards in their trading.

Although some companies may have felt that they didn't take enough card payments for compliance to apply to them, the standard applies to any business that accepts payment cards, even if it handles only a single transaction. PCI DSS is not legislation but a contractual requirement imposed by the card schemes through the acquiring banks, which is why the acquirer, not a regulator, can impose fines or withdraw card acceptance. Small retail businesses should look to work with expert PCI DSS consultants who make the transition affordable and secure, allowing them to concentrate on running their retail operations.

Counting the Cost

At a time when the financial markets have placed the UK economy in an unstable position it is important that retailers are able to concentrate on what they are good at: selling and marketing their goods to consumers. Retailers do not want to get bogged down in regulation and compliance. They need to concentrate their efforts on their day-to-day activities.

Small to medium sized retailers cannot afford to throw money at compliance; working with an expert in this field makes the process easier and removes unnecessary headaches.

Right now, businesses do not need to employ expensive PCI DSS experts and consultants, and they want to reduce their capital spend. Some retailers have seen PCI DSS costs spiral out of control, with charges of up to £1,500 a day for a consultant's time.

Retailers need to reduce their capital spend rather than work with a consultant whose costs can become a grey area. If they work with a company such as Vodat that delivers under a fixed fee agreement, they can plan and monitor costs. This in turn allows them to increase their own productivity and avoid a long drawn out process in meeting the compliance requirements.

Assessing the Situation

The PCI Security Standards Council has published a number of documents to help retailers assess what level of validation they require and, in most cases, it is possible to complete one of four Self-Assessment Questionnaires (SAQ A, B, C and D) that provides self-certification. Which SAQ applies depends on how the retailer takes and handles card payments (for example, whether it outsources all cardholder data functions, uses stand-alone dial-out terminals, or stores cardholder data electronically), so it is crucial that the correct one is identified: the difference between them has a significant effect on cost. In particular, the difference between SAQ C and SAQ D represents some 80 controls and 200 questions, with the biggest impact on cost being that for SAQ D you must complete external penetration tests.

But beware: a supplier is either on the PCI list or it is not. "Compliant ready" means nothing in the PCI world, and even if a supplier is on the list, it is how you as the retailer implement its systems into your own processes that will be assessed for your overall compliance.

UK retail companies should look to use technology in the compliance process that will help them save both money and resources. E-learning packages can take on the training aspect of PCI DSS: the process can be interactive and sent out to staff to identify any gaps in their knowledge. Going forward, companies will see great value in completing their self-assessment questionnaire through an e-learning package rather than filling in a form. E-learning tools let retailers concentrate on their core expertise and check at the click of a button that their business and staff are up to date with changes.

Reaching the Required Standard

Retailers may also want to consider working with a supplier whose PCI DSS compliance is backed by certification to the international information security standard ISO/IEC 27001.

This is a much broader standard, and is also about the attitude of staff towards security; it complements PCI DSS rather than replacing it, so a supplier still needs its own PCI DSS validation. Consumers are concerned about the data a retailer holds, and there have been examples of breaches over the last year or so. Likewise, retailers need to be assured that their data is secure at the point of entry and at the point it leaves the business.

Retail companies do not have to hold cardholder data on their own network if they work with a trusted provider, which takes much of their environment out of PCI DSS scope, although the retailer remains responsible for compliance overall. Many experts can now also provide back-up for disaster recovery, which offers greater resilience. This is important for tier two retailers who want flexibility that can match their demands, and this level of security can help increase a retailer's confidence.

Be Prepared

The harsh reality remains that the onus is on retailers of all sizes to comply with the PCI DSS requirements, and it is UK retailers who face the cost of non-compliance, not their suppliers.

The bottom line for any British retailer is the cost of becoming compliant versus the risk of not being compliant in the event of a security breach in any of the processes (including those of their suppliers) of taking payment through to settlement.

Working with expert PCI DSS consultants who have gone through the compliance process themselves, and on a fixed fee basis, could help you keep your costs to a minimum without jeopardising your long term business plans or your customer data.

For more information about Vodat International's PCI DSS compliance solutions for retail businesses in the UK, please call us today on 0161 406 1820 or contact us by e-mail.

Added: 14/07/2009 16:54:15
