PCI Compliance And The SMB Retailer
By Erin Harris, associate editor
PCI compliance is on the minds of retailers for many reasons, primarily because nothing is more important than keeping your customers' payment card data secure. SMB retailers, specifically, are concerned about the 12 PCI DSS (Payment Card Industry Data Security Standard) requirements. That's because SMB retailers run the gamut from small mom-and-pop shops with a single dial-up POS terminal to large brick-and-mortar operations with high-speed lines, and some of these retailers are wide open to attackers.
Verizon recently released its second annual Payment Card Industry Compliance Report. The report is based on findings from more than 100 PCI DSS assessments conducted by Verizon's team of PCI Qualified Security Assessors in 2010. A key finding of the report is that compliance has neither worsened nor improved: only 21% of organizations were found compliant at the Initial Report on Compliance (IROC) stage.
Late last week, I spoke to Jen Mack, director of global PCI consulting services at Verizon, about what retailers, and SMB retailers in particular, can do to achieve and maintain PCI compliance. Mack suggests that SMB retailers take the Prioritized Approach (a PDF available for download at www.pcisecuritystandards.org), which helps retailers identify and reduce risk to cardholder data and eases the annual PCI process by breaking it into digestible milestones. The PCI Security Standards Council has a microsite for SMB retailers (www.pcisecuritystandards.org/smb), which is a great resource for small merchants. The Council also offers a "Quick Guide," a PDF available on the microsite, designed to help you make sense of PCI DSS version 2.0.
I also asked Mack what's next for PCI compliance and what retailers should do to prepare. "The DSS standard was just updated in October 2010," says Mack. "As it is on a three-year update life cycle, no major changes are expected until 2013. However, merchants should keep an eye out for updated guidance and clarification documents on the new technologies that continue to emerge. The PCI SSC and its Special Interest Groups and Task Forces continually research these new technologies and provide guidance to the industry."
Mack explains that guidance was recently released in the following areas: wireless guidelines, tokenization guidelines, a mobile application FAQ, virtualization guidelines, Prioritized Approach updates for DSS 2.0, EMV environments, and telephone call data; there was also an initial release of the P2PE (point-to-point encryption) requirements. This guidance should be reviewed and factored into your go-forward strategy when you're thinking about the next year and the changes you are implementing, as well as how you can continue to reduce your cardholder data footprint.
Remember that PCI DSS compliance is an ongoing process, not a one-time event. You'll need to continuously assess your operations, fix any vulnerabilities that are identified, and submit the required reports to the acquiring bank and card brands you do business with.