Why Retailers and Businesses Must Act Now on PCI Compliance

Written by Kevin Burns

With the threat of customer data breaches always looming, Kevin Burns highlights the importance of Payment Card Industry (PCI) compliance in minimizing this risk, and how businesses can best adhere to its requirements.

Customer payment data is vulnerable and under constant attack. In fact, Verizon found that almost three-quarters of attacks on the retail and hospitality sector are linked to customers’ card payment information. Many such attacks have hit the headlines, with the likes of Kmart, Sears and Staples investigating incidents.

According to IBM/Ponemon Institute research, the average cost of a breach is £2.21m per company, a figure that has increased by 8% since 2013. Although this could be financially damaging to the retailer, the real cost of a data breach will be the loss of customer trust, and the subsequent lost revenues. Yet, despite all these risks, the retail industry invests the least money in securing its customer data when compared to other industry sectors.

Payment Card Industry Data Security Standard (PCI DSS) compliance was designed to minimize these risks, but there’s still a lot of reluctance and confusion from retailers when it comes to putting it into action. SagePay research reveals that just 38% of businesses are currently compliant. Furthermore, only 27% of retailers claim to fully understand the PCI requirements and how these can be adhered to, a statistic that I’m sure many consumers would find concerning.

Additionally, Cisco/Verizon found that even when an organization gets through the PCI DSS and becomes compliant, many fall into the trap of forgetting that they need to maintain a programme of security throughout the year, with only one in nine passing the next annual assessment without the need to remediate.

To P2PE or not to P2PE?

The long-awaited arrival of Point-to-Point Encryption (P2PE) appears to have only heightened the confusion surrounding PCI compliance. Despite often being hailed as the Holy Grail of PCI scope reduction, there are many pitfalls that retailers must consider before they decide to go down this route. For one, the cost of implementing P2PE will often be far higher than the retailer anticipates, and it is even more expensive to remove should it not work out for them.

And as P2PE is quite inflexible, often designed for specific hardware, the chances of retailers ultimately finding that the solution doesn’t quite fit are high to begin with. The main issue, however, is that it’s almost counter-productive for the retailer or business in question, because it is designed to take data security responsibility away from them. Although this often makes it an appealing option, the whole effectiveness of PCI compliance rests on the retailer’s ability to manage its own security responsibilities.

Although P2PE is a well-known option for reducing scope, it is by no means the only option, or indeed the most effective. There is an alternative means of reducing PCI scope, one that will prove far more secure, affordable and manageable for the retailer in question.

Retailers could instead invest in a solution that removes the sensitive information from the network altogether, using network isolation that separates the Chip and PIN terminal from the Point of Sale, a move that makes the card data far more difficult for an attacker to obtain. Allowing a third party to take responsibility for this will ensure that they are delivering ten of the 12 PCI DSS requirements. Even for the remaining two, PCI compliance scope is significantly reduced and far easier for the retailer to sustain – avoiding many of the constraints of implementing against the P2PE Instruction Manual (PIM).

Businesses have been urged to ensure that their people, processes and systems are fully PCI compliant for over a decade now, which perhaps explains the sense of fatigue many now experience at the constant pressure from vendors to make the move. However, the reason this pressure is continuing to mount is that retailers really are running out of time if they want to ensure their business adheres to the standards – PCI PTS v1.x PIN Entry Devices, for example, are no longer compliant. Whilst this does not constitute an immediate fail, it does need discussion with your acquirer – the same acquirer you might well have been avoiding due to your lack of compliance.

It becomes a bit of a vicious circle, especially if no one within the business ‘owns’ the problem. It could be a perfect storm when you consider that Windows XP end-of-support has hit, and the natural upgrade is likely to force hardware upgrades or replacements for most retailers.

Doing little or nothing should no longer be an option, and waiting for the silver bullet is not a valid excuse.

About the Author

Kevin Burns is Head of Solution Architecture at Vodat International. Formerly at BT and BT Expedite, Kevin is a well-respected member of the payments industry specialising in retail IT and security, including Point of Sale, EFT, OLA and PCI DSS.
