May 15 2018

How Retailers Can Improve Their PCI DSS Compliance

With many retailers still not compliant with payment card data security standards, companies must find ways to protect customer information.

People typically don’t get into retail to be IT experts, says Kathy Troknya, the president and chief operating officer of Learning Express Toys.

The company has 115 franchises, each independently owned and operated by entrepreneurs whose hopes and dreams never revolved around protecting shoppers’ payment card data. But now, they find themselves tasked with complying with the Payment Card Industry Data Security Standard (PCI DSS) — not only to avoid fines from financial institutions, but to maintain the trust of their customers.

“Compliance rests solely on their shoulders,” notes Troknya. “It is very challenging for small business owners to navigate through that and understand all of the compliance rules and guidelines. Our owners are everything all wrapped into one. They’re CEOs, they’re buying departments, they’re accounting, they’re human resources. And then, with PCI compliance, they have to be IT people as well.”

For many retailers, the obstacles to compliance can feel overwhelming — to the point that, until recently, fewer than half of organizations were in full compliance with PCI DSS. However, with the right tools, careful planning and knowledge of the requirements, retailers can set themselves up to not only follow the rules, but to even provide additional security around their customers’ payment data.

“PCI compliance, just like a single security assessment, is a point in time,” says Rocco Grillo, executive managing director of the cybersecurity consulting firm Stroz Friedberg. “When there’s a change to the network, a merger or acquisition or even the standard being updated, it’s a whole other story. That causes frustration to companies. Just because you’re compliant this year doesn’t mean you’ll be compliant next year.”

“There are awesome technologies out there, but technology alone doesn’t solve it,” Grillo adds. “One of the big fallacies is the idea that there’s a silver bullet technology. If you rely on a silver bullet, you’re going to run into a lot of problems.”

SIGN UP: Get more news from the BizTech newsletter in your inbox every two weeks!

How to Make PCI DSS Compliance Manageable

Among best practices and tools recommended by Grillo are network segmentation and tokenization. Network segmentation prevents payment card data from interacting with other IT systems, helping to keep the information isolated and less vulnerable. “If you have to test every system in your organization, it’s almost an insurmountable task,” Grillo says. “When you segment the card data environment, you narrow things down.”

Grillo says that tokenization — a practice that uses nonsensitive values to replace credit card data — “immediately” improves merchants’ security posture. But, he adds, retailers should be wary of viewing any technology as a complete solution to PCI compliance and payment card data security. “If you look at the standard, it’s not just about making the credit card data unreadable,” he notes. “You have to think about people, processes and technology.”

That means planning not just for routine business, but for unexpected events, as well. Learning Express Toys works with a third-party vendor that provides point-to-point encryption (P2PE). The solution not only encrypts payment data at the time the card is swiped, but it also sets the company’s network — and even its point-of-sale system — outside the scope of PCI compliance. Still, Troknya notes, franchisees sometimes have to manually record card numbers when payment systems are down, and they need to devise PCI-compliant processes for these situations.

“Retailers need to make sure they have things in place so that information is secure, or shredded,” she says. “There are instances when [manual recording of payment data] is necessary if your systems are down. It’s about making sure you don’t make small mistakes that are going to cause problems that could end up hurting you in a big way.”

WalletGear, an online retailer of men’s wallets and accessories, uses a solution from Trustwave, which scans the company’s servers and alerts the organization about any vulnerabilities. But, the retailer also takes steps to ensure that payment card data is never stored on the company’s servers in the first place, says WalletGear founder Mike Lindamood. “It is best to outsource your credit card processing to a validated third-party service provider,” he says. “That way, all credit card information stays off of your server. Also, there are e-commerce services that are PCI compliant, and they make all the necessary updates, so you can concentrate on sales.”

Especially for smaller and medium-sized retailers, this combination of simplicity and compliance is key. Part of the reason Learning Express Toys went with its current provider, Troknya says, is because it allowed the company to adopt EMV chip technology without slowing down payment processing — which would have had a negative impact on customer service.

“First and foremost, retailers need to be educated about what their responsibility is,” advises Troknya. “Beyond that, they should work with whoever is providing their credit card processing. I would suggest finding the simplest solution that allows them to operate their business in a way that works for them.”

Retailers Must Think About Security Beyond Compliance

“I know of retailers who were doing everything they knew how to do, and still had a breach,” Troknya warns. “It’s possible to think you’re doing everything correctly, and one little thing could cause a breach. It’s not easy for a company that doesn’t have millions of dollars to invest.”

“Compliance doesn’t give you immunity from being compromised,” says Grillo. He warns that, if a breach occurs when a retailer works with third parties, the merchant is still responsible for the data loss.

Grillo says he’s encouraged to see that retailers are increasingly adopting robust incident response plans to help them recover if hackers are able to breach their systems. “We advise until we’re blue in the face, to go beyond compliance and strive for security,” he says. “Do your due diligence. Compliance has to be the bare minimum. All too often, companies are in the mindset of, you make it past this year, and go to the next year. The more mature companies don’t make this an annual initiative. It’s a 12-month process. You continue the journey.”

Retailers Set the Stage for Customer Data Security

Payment card security issues can arise — and be quashed — anytime between when data is collected to the moment a security breach is spotted. Here’s a look at ways retailers have tended to make their customers’ data more, or less, secure.

Less Secure  More Secure 



 Data is stored, processed or transmitted to, from and within various networked system environments.



 Data is protected through tokenization or strong encryption.



 Data environments allow ingress and egress.



 Authentication controls and isolation of environments and system components prevent compromise.



 Security controls are implemented, but are not monitored and maintained.



 The performance of all controls is evaluated frequently, including through a comprehensive evaluation of the control environment.



 Inherent or residual weaknesses in controls expose system components that allow access to payment data.



 The resilience of the control environment is increased to allow it to “bounce back” from unexpected changes.


Juanmonino/Getty Images

Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.