According to Visa, 97 percent of U.S. breach events occurred at small merchants, and 91 percent of those were brick-and-mortar merchants.
It is a well-known fact that merchants often underestimate the financial impact of a breach. In the US, the average direct cost is estimated at $80,000 per location for Level 4 merchants, and it can reach into the millions for more extensive breaches against large merchants. Direct costs include mandatory forensic audits, credit card replacement, fees and fines, but they do not include the potentially significant revenue loss that results from damage to brand and reputation.
Nearly every breach is the result of non-compliance with the Payment Card Industry Data Security Standard (PCI DSS). While compliance with PCI DSS doesn’t guarantee that a retailer won’t be a victim, it significantly reduces the associated cost and risk.
Generally, businesses are aware of the importance of PCI compliance, but many lack the governance and controls required to fully achieve compliance with the broader PCI DSS 3.0 requirements. This is often due to common misconceptions about what the requirements are and who is responsible, and to the “set once and forget” approach that earlier PCI DSS requirements allowed.
Implementing commercial controls and RACI matrices (responsibility assignments) that address these six common misconceptions, across all payment-related third parties, significantly reduces the risk of a data breach and its impact on the business. Understanding the information flow and the responsibilities at all times ensures that business changes can be accommodated with effective audit and risk controls, so that compliance is maintained.
Misconception #1: Assuming someone else is responsible for PCI Compliance
Some merchants assume that PCI somehow doesn’t apply to them, or that their POS vendor or processing bank has them covered. The fact is that PCI DSS compliance is solely the responsibility of every merchant who accepts card payments. Consider how PCI DSS came about in the first place: credit card companies and processing banks originally absorbed the costs associated with cardholder data theft. As that theft increased, they created the PCI standard to shift the burden to merchants, who are in the best position to put controls in place.
This means that today, any breached merchant who can’t demonstrate 100% compliance must cover the breach costs. However, if the merchant can demonstrate compliance, the bank is responsible for covering those costs.
Misconception #2: Throwing technology at the problem
Many merchants believe that having a firewall, a secure network, a PCI-compliant POS system or other security technology in place ensures compliance, but those measures address only a portion of the PCI DSS requirements. Equally important are the policies and processes outlined in PCI DSS, such as demonstrating that all cashiers have completed formal security awareness training upon hire and annually, and that every employee has read and understood the company security policy and procedures. Processes and procedures matter for the simple reason that technology alone isn’t capable of complete protection against any form of crime; human vigilance is also necessary.
Misconception #3: Racing through or not completing the Self-Assessment Questionnaire (SAQ)
In our work with retailers, and in particular with small to midsize companies, we find that the SAQ is often treated as a checklist task completed by individuals who don’t fully understand what is being asked. Completing the SAQ accurately and consistently is essential to identifying and closing gaps in PCI compliance. As with most aspects of PCI compliance, rather than “going it alone,” retailers should consider reaching out to experts for support and answers to their questions.
Misconception #4: Viewing PCI compliance as a periodic event
SAQs, scans and Reports on Compliance (ROCs) are all periodic events, but maintaining compliance with PCI DSS is not. Retail IT environments are constantly changing, and IT organisations need to consider the compliance impact of any change or addition to the IT infrastructure, such as the introduction of Wi-Fi or mobile technology in stores. Thorough enforcement of policies and procedures also requires ongoing training of employees. An ongoing programme will also set retailers on the path to supporting the new PCI DSS 3.0 standard, which emphasises a proactive, business-as-usual approach.
Misconception #5: Insufficient scope
Scope doesn’t stop at POS systems. It includes all system components located within or connected to the cardholder data environment, including systems that are hosted or managed by third parties.
The first step of a PCI DSS compliance effort is to accurately determine the scope of the environment. Once that is accomplished, you can work with vendors to explore technologies and procedures that can limit scope, such as MPLS WAN, firewalls and threat management, secure remote access, secure Wi-Fi, and network segmentation.
Misconception #6: Lack of financial protection
Compliance-focused merchants do all they can throughout their operations to eliminate threats to their businesses, and they also insure themselves against the unexpected with general liability, property damage, business interruption, professional liability and other cover. Merchants who haven’t already done so should consider a data-breach insurance policy as well.
Why? Because there is no such thing as 100 percent security. Retail IT environments change often, creating new entry points for hackers. Breach protection is available for as little as $1.00 per day per location, and it can cover the costs associated with a breach, such as a forensic audit, fines and card replacement.
Make sure you’re PCI compliant
Regardless of how you approach PCI, tap into BTM GROUP for the expertise to make sure you’re taking the right steps to validate, achieve and maintain compliance.