Canadian Retailer - Summer 2011 - (Page 34)

PCI COMPLIANCE

Ten Things Every Retailer Needs to Know About PCI DSS

By Frank van Nie, Principal, Smart Strategies

The security breach at Sony Corporation’s networks in April of this year, which resulted in the theft of personal information from as many as 100 million customers, has once again put the spotlight on information security and PCI DSS (Payment Card Industry Data Security Standard) compliance. While compliance may not be simple to achieve for many within the retail industry, its importance with respect to consumer privacy and the securing of personal information is paramount. If you are a retailer that accepts cards for payment, here are ten things you need to know about PCI DSS as it relates to the protection of cardholder personal information:

1. If you accept credit cards from customers… You are required to be PCI DSS compliant. There are no exceptions. If you are breached, you will be required to show evidence that you validated compliance on an annual basis. (Interac has its own security standards, separate from PCI DSS.)

2. Requirements for proving compliance are set by the payment networks… Merchants are divided into “levels” which determine validation requirements. These levels and requirements vary by payment network, volume of credit card transactions and business model. You should know your “merchant level” for each network. Acquirers may also set their own validation requirements that are more stringent than those of the payment networks. Validation requirements may be as simple as completing a Self-Assessment Questionnaire (SAQ). On the other hand, you may find that you need to hire a Qualified Security Assessor (QSA) to perform a review of your systems and/or have a vulnerability scan completed by an Approved Scanning Vendor (ASV). Note that if you are doing business in more than one country, volumes from all of those countries may need to be combined to determine your level.

3. PCI DSS compliance is not just an IT project… Paper imprints must also be physically secured. Similarly, if card data is recorded in chargeback processes, it must also be protected where it is stored.

4. Understand your payment process… and determine where you may be collecting and storing card data. Sara Van Vlymen, Manager of Payment System Risk at TD Merchant Services with responsibility for the bank’s PCI DSS compliance activities, says that her number one piece of advice to merchants is to “document your payment process and ask every person or department that may handle card data where and how they use it. Ask once, twice and then a third time.” When a breach occurs at a merchant that believes it is PCI DSS compliant, the occurrence is often in a part of the system that was overlooked during review.

5. Credit card information storage… The best approach is to not store credit card related information at all. However, you also need to protect the networks that carry card data during a transaction, since card information cannot be avoided there. And, says Van Vlymen, “Don’t forget old data or records. Current transaction receipts may mask part of the card number, but ones from a few years back may not. Systems may have been updated, but there could still be old archived data that is not protected.”

6. If your service provider processes payments on your behalf… You are responsible for ensuring that it is compliant. If there is a breach, you are responsible. Put PCI DSS compliance as a requirement in your contract with the service provider, make them responsible for compensating you for any penalties in the event of a breach, and get proof of validation annually.

7. If you use third party software… Use a version that is Payment Application Data Security Standard (PA-DSS) compliant, and make sure that you have followed all implementation recommendations from your software provider to protect cardholder data.

8. Compliance is not a one-time event… “Achieving compliance is a very positive first step, but it’s important that merchants realize that maintaining PCI compliance is an ongoing, 24/7 responsibility,” according to Michael D’Sa, Head of Payment System Security at Visa Canada. Non-compliance may be just one bad system or process implementation away. Every time you change systems or processes, you need to consider PCI DSS requirements.

9. Implementing Chip and PIN (EMV) technology does not eliminate the need for PCI DSS validation. While EMV improves security, it does not eliminate
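As an added example (not from the article, and not code from any of the organizations quoted in it), the following Python script shows one way to act on Van Vlymen's warning in item 5 about old archived records: it scans a constructed receipt and chargeback archive for full card numbers that were never masked, uses the Luhn check digit to separate real PANs from order numbers and dates, and reports only the last four digits so that the scan report itself does not become another store of cardholder data. The sample lines, field names and test card numbers are constructed for this example; real archives will need the regular expression tuned to their own formats.

```python
import re
from typing import Dict, List

# Constructed sample: an old receipt/chargeback archive of the kind item 5
# warns about. Lines 1, 2 and 5 carry full card numbers; line 3 is a newer
# masked receipt; line 4 holds a 16-digit order number that is not a card.
RECEIPT_ARCHIVE = """\
2008-03-14 store=017 receipt=A1001 card=4111111111111111 amount=59.99
2008-03-14 store=017 receipt=A1002 card=4111 1111 1111 1111 amount=12.50
2011-05-02 store=017 receipt=B2210 card=************1111 amount=89.00
2011-05-02 store=017 receipt=B2211 order=1234567890123456 amount=15.25
2009-11-30 store=022 chargeback=CB-77 pan=5555-5555-5555-4444 reason=fraud
"""

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens. The lookarounds stop a 16-digit slice of a longer digit run from
# matching on its own.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; every real PAN passes it, most other numbers fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact(pan: str) -> str:
    """Keep only the last four digits so the report stores no full PAN."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_text(text: str) -> List[Dict[str, object]]:
    """Return one finding per unmasked, Luhn-valid card number in `text`."""
    findings: List[Dict[str, object]] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append({
                    "line": line_no,
                    "pan": redact(digits),
                    # A little context so the record can be located later.
                    "context": line[:m.start()].rstrip()[-24:],
                })
    return findings


if __name__ == "__main__":
    for f in scan_text(RECEIPT_ARCHIVE):
        print(f"line {f['line']}: unmasked PAN {f['pan']} near '{f['context']}'")
```

Run against the constructed archive, the scanner flags lines 1, 2 and 5 and ignores the masked receipt on line 3 and the order number on line 4. The Luhn filter is a heuristic, not proof: a non-card number can pass it by chance, so findings still need a human to confirm them before the record is securely deleted or the archive is re-masked.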
