Achieving payment card data security in the retail sector
Article

BSI
Staff
5 Oct 2021

The payment card industry data security standard (PCI DSS) is the global retail standard for securing payment card data.

It's a set of security controls managed by the PCI Security Standards Council (PCI SSC), and developed by a body of experts from the international payment card brands (VISA, MasterCard, JCB, AMEX, and Discover) to help prevent credit card data breaches.

This data security standard provides a set of requirements to help protect cardholder data, taking into consideration the people, processes, and technologies involved in payment card processing systems. It focuses on security management, policies, procedures, system configurations, and secure software design.

PCI DSS in the retail sector

PCI DSS in the retail sector is often portrayed as a complex and painstaking endeavour. 

However, payment processing models, technologies, and the payment standard itself are constantly evolving, as are the ways of achieving compliance. There are methods to de-risk your cardholder data environment (CDE) against card breaches, and in doing so the burden of compliance activities is also reduced.

It is no longer correct to think of retail as being traditionally brick-and-mortar based. eCommerce has been with us for so long that the eCommerce channel can now be the precursor of a physical presence, and in many cases it generates a greater proportion of revenue than physical stores.

Nonetheless, from a PCI DSS perspective, locations, systems, processes, or people that store, process, or transmit cardholder data (CHD) are in scope for PCI DSS. This means that often eCommerce, back-office functions, and physical retail stores are in scope for PCI DSS.

Why should the retail sector care about PCI DSS?

The answer is simple:

  • Your organization is extremely likely to have signed a contract with your acquiring bank, mandating that you will be PCI compliant

  • Hackers continue to target the retail sector, and retail sector data (particularly eCommerce) is a rich source of data for hackers

Typical attacks observed over recent years have focused on retail and include the following:

Physical stores

  • RAM scraping malware – targeting point-of-sale (POS) systems

  • Physical card skimmers on card readers

  • NFC based skimmers

eCommerce

  • Traditional application layer attacks resulting in a backend database breach

  • eSkimming – focusing on eCommerce checkouts

  • Remote access attacks on production networks using combinations of phishing, credential compromise, and credential stuffing

Knowing how to store and manage the security of payment card data in line with regulations does not have to be complicated and time-consuming. Our tailored BSI Knowledge subscription service provides flexibility, access, visibility, and control over the standards and insights your team needs to remain compliant and build trust with your customers. Request to learn more.

Who does PCI DSS compliance apply to?

Compliance with the PCI DSS standard is mandatory for all organizations that store, process or transmit payment card data, as well as any businesses that may impact the security of a credit card processing environment, such as hosting companies, software developers, and managed service providers.

Acquiring banks and international payment card brands may directly request an organization to demonstrate compliance with the standard. That's where we can help, by providing you with an independent validation of compliance to PCI DSS.

There are benefits to being compliant, and drawbacks to non-compliance.

The drawbacks of non-compliance include fines, which if left unmanaged can range from 2 to 6 figures per month per violation. However, if you are compliant at the time of a breach you can avail of safe harbour, i.e. you will not be subject to fines for the breach of card data.

Fines for a breach are significantly different from fines for ongoing non-compliance, and depending on the scale of the breach and the number of cards stolen, fines can run into millions of dollars. The organization can also be forced to shut down card processing operations until the breach is contained and the source of the breach is remediated.

The most common areas which contribute to successful breaches are poor patching regimes, insecure identity and access management practices, and bad software development practices.

Download your copy of the PCI DSS standard today.

The key cybersecurity standard

Since their inception in the early 1990s, global information security standards have grown in rigor and recognition.

So too have information security threats and the best ways to manage them.

Standard BS EN ISO/IEC 27001 helps you implement a robust approach to managing information security (infosec) and building resilience. It advances cybersecurity processes to protect the data of your students and educators alike, and also helps you to continually review and refine the way you do this, not only for today but also to adapt for future innovations. This standard reflects current best practices for information security management.

It provides specific recommendations to help you establish an Information Security Management System (ISMS), monitor its performance, and implement improvements when necessary. It also enables external assessment and certification of an organization’s information security.

This standard is not unnecessarily prescriptive, allowing great flexibility in how requirements are satisfied and giving you the freedom to implement requirements in the manner best suited to your retail organization.

If you’re involved with information security and understand the need to step up your organization’s approach to information management, shop the BS EN ISO/IEC 27000 series of standards today.
