Does PCI DSS Compliance Affect You?


Cyber Security Everyone's Responsibility

 

Merry Christmas. I know the season has already passed, but given the recent massive data thefts at various retailers, and the misery they have caused both their customers and the retailers themselves, I thought: why not try to cheer everybody up a bit. 

 

You Need a Proven Security Concept

Not Just For Retail Funnels 

Besides, I needed a nice segue from what is arguably one of the most important stories to pop up recently to some business process questions every retailer must ask and answer about transactional security, from the POS (Point of Sale) system upwards, and about how much money they are spending on marketing and then wasting through poor data security practices.

 

 

 

PCI DSS Compliance

Don't Let Consumers Think This about Your Security Standards for Credit Card Transactions

 

But wait, you say, didn’t I title this blog PCI-DSS something or other? 

 

As a consumer, and we are all ultimately consumers, I had never even heard of PCI-DSS until about six months ago, when I ran an SAP Greenfield implementation at a major retailer in Europe.  It is now very clear that PCI-DSS compliance is mission critical to the business.  It is a key element of the solution architecture a retailer needs to have in place in order to drive sales securely.

 

So what does PCI-DSS stand for and why might you, a consumer, want to know about it? 

 

Payment Card Industry Security Standards Council (PCI SSC)

 

It stands for Payment Card Industry Data Security Standard.  It is published and maintained by the PCI Security Standards Council (PCI SSC), a body set up by the major card brands, and it applies to every organization that stores, processes or transmits cardholder data.  One thing to keep separate in your mind: the chip in your card is a different standard (EMV, run by EMVCo), not part of PCI DSS.  If you have a credit card issued in Europe, you most likely have a chip in your card, whereas if you have one issued here in the U.S., it probably does not, though a few issuers do use them.

 

Information Security Standard For CC Processing

 

It defines the information security controls that anyone who stores, processes or transmits cardholder data must have in place.  The major card brands mandate it through their agreements with acquiring banks, and the banks pass the obligation on to the merchants and service providers they sign up.  The standard is organized as twelve requirements, covering everything from network protection and secure configuration to access control, logging, testing and written policy.  It is a comprehensive list of best practices that should be followed by anyone accepting credit and debit cards to help manage risk, and it defines methods and procedures for managing critical aspects of cardholder data throughout the now often very long lifecycle of that data.

 

Different PCI DSS Compliance Levels

 

You should be aware that there are different merchant levels of PCI DSS compliance.  Each card brand sets its own thresholds, based mainly on the number of card transactions you process per year (for Visa and Mastercard, Level 1 is the largest merchants, above six million transactions a year, and Level 4 the smallest).

 

  • Level 1
  • Level 2
  • Level 3
  • Level 4

World Class Organizations Meet or Exceed These Standards

 

What changes between levels is how compliance is validated, not what the standard requires.  A Level 1 merchant must have an annual on-site assessment, performed by a Qualified Security Assessor (QSA) or a certified internal assessor, that produces a Report on Compliance; lower levels complete a Self-Assessment Questionnaire (SAQ) and, for most SAQ types, quarterly external vulnerability scans by an Approved Scanning Vendor (ASV).  Your acquiring bank sets the reporting expectations, and your level and compliance status also affect the financial arrangement behind your merchant accounts and their associated payment processors.

 

What the Experts Have to Say

 

I asked one of my senior SAP FICO consultants (who is also an expert in various BPC functions and in how retailers use that solution for very advanced financial management) why chip cards are common in Europe but not in the U.S., and he explained the following to me:

 

"(Chip and PIN's) main attraction to banks and other financial institutions that issue credit cards is the 'liability shift,' which is precluded in the U.S. by Regulation E."

 

"This shift means that disputed transactions will be blamed on the customer if a PIN was used and the merchant otherwise. Thus, in theory, the bank would never again be liable. In practice it has not worked. You can't have a secure system if one party guards it and another party pays the cost of failure."

 

This "liability shift" has been a good incentive for merchants to adopt chip and PIN.

 

Such a shift of liability onto the consumer isn't possible in the U.S. because of the consumer protections set up under the Electronic Fund Transfer Act of 1978, implemented as Regulation E, which caps a consumer's liability for unauthorized debit card transactions (credit cards have a similar cap under the Truth in Lending Act).

 

This is probably good news for U.S. consumers.  In the UK, since chip and PIN was fully adopted, it has been much harder for consumers to recover money stolen through fraud, because the bank's starting position is that a transaction authorized with the PIN was the cardholder's own doing.

 

That last little tidbit is, to me, of critical importance, having been a victim of credit card fraud in the past in the U.S. and ultimately having been made whole by my card issuer. 

 

Major Marketing Opportunity

 

The marketing opportunity here is for a retailer to make it perfectly clear to consumers that, in addition to taking every technical security measure possible to secure its payment processing system, it will ALWAYS make its customers whole in the event of a data breach.  In fact, this can and does form a major part of the sales strategy of several big box retailers who rely on the trust of their customers, suppliers and payment gateway providers.

 

As a Hubspot consultant and inbound marketer, I can see several pieces of content one might want to generate and reuse constantly to assure consumers that their credit and debit cards are safe to use in the stores:

 

  1. Define what security standards the store is required to meet, and prove, and keep proving, that the retailer meets them.

  2. Though not all that exciting, feed back to the consumer, through multiple communication channels, each time you pass a PCI-DSS security audit.

  3. Go well beyond European standards for the protection of personal data: make sure every consumer knows exactly what personally identifiable data the retailer stores about them, and give them the opportunity to correct or delete it at any time, at no cost.

  4. Loyalty Management System.  As almost every retailer, indeed anybody that sells anything, is moving toward a loyalty management system, and by extension is collecting massive amounts of personal data, the previous point becomes even more critical. 

    In the name of transparency, and this is not easy, show where the consumer's data is actually used in your system; this goes well beyond the marketing function. 

    It touches logistics and finance in a wide variety of areas you might not initially think about.

    Remember, loyalty management systems help you drive conversions at ever lower cost.  They also provide a data foundation for your high performance analytics systems, and your internal sales team can use this information to analyze current inbound sales and marketing campaigns as well.

  5. Provide complete transparency to consumers on every party that will touch the credit card transaction, including the bank and the payment gateway provider.

  6. Secure all network connections (PCI DSS Requirement 1).  You'll want to create a comprehensive map of the systems, network connections and applications that interact with credit card data across your organization.  This is the scoping exercise every PCI assessment starts from: the result is your cardholder data environment, and everything in it is in scope.  Depending on your role, you'll probably need to work with your IT and security team(s) to do this.

  7. Access Security (Requirements 7 and 10).  Restrict access to cardholder data to those with a business need to know.  Track and monitor all access to network resources and cardholder data.  Regularly test security systems and processes.

  8. Lock Down Wireless Access Points (Requirement 11).  Test for and inventory wireless access points at least quarterly, run quarterly vulnerability scans and monitor traffic, among other things.  Have a policy on information security (Requirement 12).  That means writing, publishing and disseminating, at least once a year, a policy that lays out usage rules for certain technologies and explains everyone's responsibilities.

  9. Anti-Virus Software (Requirement 5).  Ensure all anti-virus software is kept up to date across all devices.  All systems, including the workstations, laptops and mobile devices that employees may use to access the system locally or remotely, must have an anti-virus solution deployed on them.  Keep your website secure from intruders by using DMZs, intrusion detection and prevention systems and web application firewalls, and by keeping all plugins and other components up to date (Requirement 6).  

    Keep all operating systems up to date.  Set browser caches to clear automatically at the end of each session; a cached back-office page can be a surprising source of price and cost intelligence for unscrupulous competitors, and has also been the source of incorrect prices being entered into the system.  Install monitoring software that is aware of every device present on the network and its current patch status.

    Use a dedicated TLS certificate (not a shared one, as this is a major SEO issue with Google) as well as a dedicated IP address for your website.  Google insists on HTTPS, and you'll need the dedicated IP for delivering transactional emails, which also need to travel over network connections that keep the entire end-to-end transaction lifecycle secure.  One caveat a practitioner will want: the PCI SSC no longer accepts SSL or early TLS as strong cryptography for protecting cardholder data in transit, so check that your web and payment endpoints only negotiate current TLS versions.

  10. System Passwords (Requirement 2).  Do not use vendor-supplied defaults for system passwords and other security parameters.  If you are an SAP IS-Retail customer, ensure your Basis team has changed the passwords of the standard users delivered with the system (SAP*, DDIC and the like) in every client.  This is something this author has checked on numerous SAP project reviews and found issues with every single time.

    Use strong passwords, two-factor authentication and a physical USB security key.  Always ensure you have a backup for these methods, or a lost key becomes a lockout.  

    On many projects, outside IT security auditing firms have been retained to test our security and have measured our responses to a series of security recommendations.  You should be looking to get a perfect grade on these exercises.

  11. Assign a Unique ID to Each User of the System (Requirement 8).  Assign a unique ID to each person with computer access, including your developer or development team and, of course, any SAP consultant you happen to have working on the system, so that every action in the logs traces back to one person.  Restrict physical access to cardholder data (Requirement 9).  Regularly monitor and test networks: track and monitor all access to network resources and cardholder data, and regularly test security systems and processes (Requirements 10 and 11). 

    Develop and electronically distribute standardized templates for the creation of any user.  All such templates should be fully in compliance with your overall SoD (Segregation of Duties) matrix.  While Sarbanes-Oxley is a very intrusive regulation, you must still ensure you're in compliance with it where necessary, and this is one of those areas.

  12. Third Party Credit Card Information Storage (Requirement 3).  Most merchants that need to store credit card data and personally identifiable information about contacts do it for recurring billing, which is considered a legitimate business purpose.  The best way to store card data for recurring billing is to use a third party credit card vault and tokenization provider.  With a vault, the card data is removed from your possession and you are given back a "token" that can be used for recurring billing; because the token is a random reference rather than an encoding of the card number, it is worthless to an attacker who steals your customer database.  By using a third party, you move the risk of storing card data to someone who specializes in that function, and systems that only ever see tokens can significantly reduce your PCI DSS scope (subject to your assessor's agreement).

  13. Don't Store Card Numbers on Payment Pads.  To ensure credit and debit card numbers are never compromised, they should not be stored on the payment device at any time, and the sensitive authentication data (full magnetic stripe or chip data, CVV/CVC, PIN) must never be stored after authorization, even encrypted.  All card data must be encrypted immediately upon entry into your system and for the entire time it is in your system; the cleanest way to achieve this is point-to-point encryption (P2PE) in the payment terminal itself, so that the card number never passes through your POS or store network in the clear.

  14. When a retailer uses more than one payment gateway provider or bank and there is a saving (that is why they have more than one), pass some of that saving on to the consumer. 

    Use this to inform the consumer, i.e. one more opportunity to communicate.  It can also be part of an effective inbound marketing strategy, and a marketing system like Hubspot can help you make full use of it.
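As an added illustration of items 7, 12 and 13 above (this is example code written for this edit, not code from the original post, from SAP or from any payment provider): a Python scan that finds Luhn-valid card numbers leaking into log lines and masks them to the first six and last four digits, plus a hypothetical TokenVault class that stands in for a third party tokenization provider so you can see what the merchant's own database ends up holding. The log lines are constructed, the vault API is an assumption, and the Luhn checksum is the real check every major card brand applies to its card numbers.

```python
# Added example (not from the original post or any payment vendor): find PANs
# leaking into logs, mask them, and show what a merchant keeps after tokenization.
from __future__ import annotations

import re
import secrets
from typing import List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (ISO/IEC 7812-1) checksum: True for a well-formed card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate to first six and last four digits, the most PCI DSS allows on display."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_line(line: str) -> Tuple[str, int]:
    """Mask every Luhn-valid PAN in one log line; return (clean_line, pans_found)."""
    found = 0

    def _mask(match):
        nonlocal found
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)           # long number but not a card (order id etc.)
        found += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(_mask, line), found


def redact_log(lines: List[str]) -> Tuple[List[str], int]:
    """Run redact_line over a whole log; a non-zero count means PANs are being stored."""
    clean, total = [], 0
    for line in lines:
        out, n = redact_line(line)
        clean.append(out)
        total += n
    return clean, total


class TokenVault:
    """Stand-in for a third party tokenization service (hypothetical API, not a real one).

    The vault holds the PAN; the merchant holds only the token and a masked PAN.
    Tokens are random, so a stolen merchant database reveals nothing about the cards.
    """

    def __init__(self) -> None:
        self._store: dict = {}   # token -> PAN; a real vault encrypts this under an HSM-held key

    def tokenize(self, pan: str) -> str:
        digits = re.sub(r"\D", "", pan)
        if not (13 <= len(digits) <= 19 and luhn_valid(digits)):
            raise ValueError("not a valid PAN")
        token = "tok_" + secrets.token_hex(16)   # 128 random bits, unrelated to the PAN
        self._store[token] = digits
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault sees the PAN again, e.g. when it charges a recurring bill."""
        return self._store[token]


def store_card_for_recurring_billing(vault: TokenVault, pan: str) -> dict:
    """What the merchant's own database keeps: token and masked PAN, never the full PAN."""
    return {"token": vault.tokenize(pan), "display": mask_pan(pan)}


# Constructed log lines (not from any real system): line 1 leaks a PAN in a POS
# auth message, line 2 leaks one in a gateway debug trace, line 3 carries a
# 16-digit order id that fails Luhn and must be left alone.
SAMPLE_LOG = [
    "2013-12-19T08:30:15Z INFO  pos-07 auth ok pan=4111111111111111 amount=42.17",
    "2013-12-19T08:30:16Z DEBUG gateway req card='5500 0000 0000 0004' cvv=***",
    "2013-12-19T08:30:17Z INFO  order id=1234567890123456 shipped",
]

if __name__ == "__main__":
    clean, leaks = redact_log(SAMPLE_LOG)
    print(f"{leaks} PAN(s) found in {len(SAMPLE_LOG)} lines")
    for line in clean:
        print(line)
    vault = TokenVault()
    print("merchant stores:", store_card_for_recurring_billing(vault, "4111 1111 1111 1111"))
```

Run as a script it prints the redacted log with the two card numbers masked and the order id untouched, then the token record. The redaction count is the useful signal: cardholder data creeping into logs and debug traces is the most common way a merchant ends up storing PANs without knowing it. The random token matters for the same reason: a hash of the card number would not do, because with a known BIN the space of Luhn-valid numbers is small enough to brute-force back to the PAN.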

Consumers Must Trust Their Credit Cards

 

Though highly unlikely, should consumers lose confidence in the security of their credit cards, they will revert to cash-only transactions. 

 

Conduct Regular Self Assessment

You will also need to do a self-assessment of your internal business practices, such as application security. Make sure your e-commerce software is up to date with the latest patches. If you have a physical retail store, make sure your POS system is isolated from your customer and back-office Wi-Fi, and maintain a list of wireless access points.

 

Use Self Assessment Questionnaires for Consistency

PCI-DSS provides several different Self-Assessment Questionnaires (SAQs), each tailored to one way of handling card data (for example, fully outsourced e-commerce, stand-alone dial-out terminals, or systems that store cardholder data). You complete the one that matches how your business actually processes cards; picking a simpler SAQ than your environment warrants is a common and costly mistake. 

 

Assessment Tools

 

These allow you to document both the design of your compliance process and how you have actually been performing against the standard.

Handling Cash Costs Money

 

Most people believe cash is cheaper for the vendor than a credit card transaction, but, as almost any large retailer will tell you, that may not be the case at all. 

For instance, if your store is doing $1 million a day in transactions and 10% of those transactions are in cash, you are handling $100,000.00 of cash, which has to be counted, audited, secured and transported.

Each of those steps has a cost, and they all take far longer to accomplish than an electronic transaction. 

Now imagine, tomorrow, that ratio is reversed, and you are doing $900,000.00 in cash transactions and $100,000.00 in credit card transactions. 

 

Handling Cash Increases Business Risks

 

Your logistics cost just went up, your risk of armed robbery during transport just went up (and your cost of security went up, no doubt), and your ability to squeeze the payment gateway provider commission rate just went way down. 

 

Electronic Transactions Drastically Reduce Friction

 

You also now have consumers who are a lot less likely to make purchases, since they don't have such easy access to cash, and you have added a lot of sand to the transactional gears.

 

Frictionless Commerce: It Takes Constant Lubrication To Keep the Wheels of Commerce Rolling!

 

In short, these massive data thefts are a threat to the economy at the systemic level and may drive your marketing cost way up.  

 

You Need to Get PCI-DSS and EMV Compliant

 

That is why you need not only to get PCI-DSS and EMV compliant, but also to have a marketing approach that leverages your efforts to secure those transactions at the lowest possible cost, and to communicate your success in doing so to your consumers. 

 

Use Inbound Marketing to Boost Consumer Satisfaction

 

You can start by learning more about how inbound marketing (which is usually about 61% cheaper than other marketing means) can help you boost customer satisfaction, especially by providing content that reassures consumers that the credit card transactions they conduct with your establishment are secure and do not result in any liability being shifted to them.  That should go a long way toward achieving your retail strategy goals.

 

 


 

 

More reading:

Why 10,000 Retailers using SAP Need Inbound Now!

What are 2 Primary Focus Areas for SAP Airline Customers?

Leverage SAP BW to Increase Supply Chain Inventory Accuracy

 

 

Thanks

 


Lonnie D. Ayers, PMP

About the Author: Lonnie Ayers is a Hubspot Certified Inbound Marketing consultant, with additional certifications in Hubspot Content Optimization and Hubspot Contextual Marketing, and is a Hubspot Certified Partner. Specialized in demand generation and sales execution, especially in the SAP, Oracle and Microsoft Partner space, he has unique insight into the tough challenges Service Providers face with generating leads and closing sales using the latest digital tools. With 15 years of SAP Program Management experience, and dozens of complex sales engagements under his belt, he helps partners develop and communicate their unique sales proposition. Frequently sought as a public speaker at various events, he is available for both in-house engagements and remote coaching.

He also recently released a book "How to Dominate Any Market - Turbocharging Your Digital Marketing and Sales Results", which is available on Amazon.

