Global Practice Lead - PCI DSS - CSIR Global Cyber, Risk & Advisory Leaders
Article published 2 June 2021
Why PCI DSS is significant for the retail sector and how to achieve compliance
PCI DSS in the retail sector is often portrayed as a complex and painstaking endeavour. However, payment processing models, technologies and the standard itself are constantly evolving, as are the ways of achieving compliance. There are methods to de-risk your cardholder data environment (CDE) from card breach and in doing so, the burden of compliance activities is also reduced.
In this blog article, we will look at how PCI DSS applies to the retail sector, one that has seen a truly transformative shift since March 2020, and identify the typical risks and challenges faced, as well as how to manage cyber resilience and compliance.
It is no longer correct to think of retail as being traditionally brick-and-mortar based. eCommerce has been with us for so long that the eCommerce channel can now be the precursor of a physical presence and, in many cases, generates a greater proportion of revenue than physical stores.
Nonetheless, from a PCI DSS perspective, locations, systems, processes or people which store, process or transmit cardholder data (CHD) are in scope for PCI DSS. This means that often eCommerce, back-office functions and physical retail stores are in scope for PCI DSS.
Why should the retail sector care about PCI DSS?
The answer is simple.
1) Your organization is extremely likely to have signed a contract with your acquiring bank, mandating that you will be PCI compliant.
2) Hackers continue to target the retail sector, and retail sector data (particularly eCommerce) is a rich source of data for hackers. Typical attacks observed over the past number of years include a particular focus on retail, and cover the following attacks:
RAM scraping malware – targeting POS
Physical card skimmers on card readers
NFC based skimmers
Traditional application layer attacks resulting in backend database breach
eSkimming – focusing on eCommerce checkouts
Remote access attacks on the production networks using combinations of phishing, credential compromise and password stuffing
What are the benefits of achieving PCI DSS compliance?
There are benefits to being compliant, and drawbacks for non-compliance. The drawbacks for non-compliance include fines, which if left unmanaged can range from 2 - 6 figures per month per violation. However, if you are compliant at the time of a breach you can avail of safe harbour, i.e. you will not be subject to fines for breach of card data.
Fines for a breach are significantly different to fines for ongoing non-compliance and depending on the scale of breach / cards stolen, fines can run into millions of dollars. The organization will also be forced to shut down card processing operations until the breach is contained and the source of the breach remediated.
Fining structures vary from card brand to card brand; however, a good yardstick by which to measure the direct fines is to consider a fine of $3 (USD) for every card number stolen. This increases to $18 (USD) per record where the CVV, expiry and name are also compromised.
The most common areas which contribute to successful breaches are poor patching regimes, insecure identity and access management practices and bad software development practices.
How do I achieve PCI DSS Compliance?
1. Identify your card flow channels
In a retail environment, card data will typically traverse your eCommerce site, mobile apps, telephony systems and face-to-face brick-and-mortar premises.
2. Determine how many card transactions occur per channel
Ask your acquirer about this as this will affect the attestation levels and type of audit required.
3. Determine whether options exist to descope your network
Typical Options include leveraging iFrames, Redirects, Outsourced Processing, and Point to Point Encryption (P2PE) solutions.
4. Gap analysis
Conduct a gap analysis against the remaining requirements.
5. Implementation plan
Develop an implementation plan to address gaps, and ensure that roles and responsibilities are in place for effective management of compliance into the future.
6. Attest compliance
The final stage is to attest compliance. The type of attestation depends on the volume of transactions processed per annum and how you process those transactions. Attestation can be either self-assessed or may have to be undertaken by a Qualified Security Assessor (QSA).
7. Annual revalidation
PCI DSS attestation is an annual validation exercise; however, compliance is a 24/7/365 process, including time-bound requirements which must be actioned daily, weekly, monthly, quarterly and annually.
BSI's Qualified Security Assessors (QSAs) can assist retail organizations by advising on scoping and descoping solutions, conducting gap analysis, developing efficient ways to meet compliance objectives effectively, and providing fully licensed audit and health-check services. We ensure that solutions are in place to meet compliance into the future. All too often, BSI QSAs observe that year one compliance is achievable when backed by a dedicated project, but in year two, without effective governance in place, organizations often fail to meet the recurring controls required in year 1 + n.