In 2011, retailers are challenged with understanding the PCI Security Standards Council's version 2.0 of the Payment Card Industry Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS). Version 2.0 was published in October 2010 and became effective Jan. 1, 2011. Retailers have until the end of 2011 to become fully compliant, allowing time to understand and implement the new requirements and to provide feedback to the council. Chain Store Age spoke with Brad Fick, president, Direct Source, about PCI compliance and the new standards.
What has been the main area of focus for retailers trying to ensure PCI compliance in the store?
Securing customer data is a main focus for PCI standards. The hardware technology installed, how the customer data from each piece of hardware is processed and how the retailer handles data determines industry compliance. For example, at the point-of-sale (POS), retailers have access to a large amount of customer data through payment terminals. According to the PCI council, a retailer cannot hold the information for an extended period of time, so procedures and processes for handling customer information are constantly changing to keep up with industry standards.
Many retailers used the last two years to make sure all installed payment terminals were PCI-compliant by the Triple DES (TDES) mandate, a high level of security for payment terminal encryption. Some retailers were able to keep existing hardware in place and focus on an encryption upgrade. However, since hardware must also meet PCI standards, some retailers also had to replace legacy payment terminals. Any retailer with a security breach after July 1, 2010, without TDES on the payment terminal, was responsible for all associated costs and fines.
How is version 2.0 different from past PCI standards?
Version 2.0 does not introduce any new major requirements, and the majority of changes are modifications to existing language. Even so, version 2.0 is designed to provide greater clarity and improved understanding of the requirements to make adoption easier.
What are the key changes?
Key revisions reinforce the need to thoroughly understand where cardholder data resides before conducting a PCI DSS assessment. They encourage organizations to adopt a risk-based approach when identifying and addressing security vulnerabilities, and let businesses consider specific circumstances and tolerance to risk when assessing vulnerabilities.
The revised standard incorporates previous PA-DSS guidelines, in order to simplify the compliance process for small retailers. Finally, updates promote more effective log management in securing cardholder data by requiring that payment applications facilitate centralized logging.
Many retailers continue to struggle with meeting compliance deadlines. Why should retailers take steps now to comply?
The new version illustrates the council’s goal to make PCI compliance a simpler and more easily understood process. By the end of 2011, version 2.0 will become the only legal guideline for PCI compliance, so retailers should be embracing the changes now.
Are there other considerations retailers should take when beginning the process?
In addition to assessing how these changes affect the store environment, retailers need to look at corporate campuses, distribution centers and warehouses. Any network connection point can also house a security breach. Technology solution providers and partners need to advise clients of these sites when planning PCI updates, and retailers need to keep them in mind when future-proofing sites.
Since PCI standards change so often, retailers have little time for planning and deployment once they find out they are not compliant with new standards. If a partner or solution provider can stay up-to-date on the latest technology standards, it provides a huge return for customers. An investment in the latest technology helps to make sure retailers are headed in the right direction and don’t get stalled with pricey and time-consuming compliancy issues.
Information on the updated standards was taken from the PCI Council’s website. To access the new data security standards, go to pcisecuritystandards.org/security_standards/documents.php.