Retailers continue to fall victim to data breaches. Over the past five years, giant corporations like Target, eBay, Home Depot and Wendy’s have lost millions of dollars from cyberattacks.
Retail organizations experienced nearly three times as many cyberattacks as those in the finance sector, according to an NTT 2015 Global Threat Intelligence Report. The sector had the most attacks per client of any industry, and the total number of cyber-assaults on the retail market peaked in 2015, according to a report from Dimension Data.
These numbers prove that many organizations lack the security expertise and dedicated internal resources to design and maintain a data security and compliance program. Just one attack can be costly, particularly when it involves a breach of credit card information. The bill for such an incident often includes fines levied by Visa, MasterCard and other credit card companies, the cost of investigating the source of the breach, and the costs of reissuing cards, reimbursing banks and repaying the actual losses.
Most individual card brands require retailers to undergo an annual assessment to validate compliance with the Payment Card Industry Data Security Standard (PCI DSS). But this question is often asked: Why aren’t the PCI DSS compliance validation requirements the same for all merchant sizes?
It is not uncommon for organizations going through an assessment for the first time to be confused about their merchant level and validation type. Here are a few tips to help merchants:
1. Validate your merchant level: Merchant level is a four-tier ranking based on the number of transactions a merchant processes per year. The levels are used to gauge how much risk a retailer carries and how much security is required to protect it. Use your transaction volume and data breach history to define your merchant level. After your merchant level is defined, determine your validation type by completing the PCI Security Standards Council self-assessment questionnaires.
2. Define the scope: Defining the scope of the PCI DSS assessment is at times confusing and difficult. Spending the time and effort to properly define the scope for PCI compliance should be the first step in every organization’s PCI compliance process. These efforts can save time and money in subsequent PCI-related efforts. If the scope is too broad, costs are excessive. If the scope is too narrow, the assessment is incomplete.
3. Work with an expert: While most companies are not required to work with a security consultant, it is highly recommended that companies verify their validation type and scoping approach with a certified QSA before proceeding.
4. Avoid storing data: The best way to protect consumer cardholder data is simply not to store the cardholder’s name, ZIP code, the card’s expiration date or the contents of the magnetic stripe on the back of the card. If you don’t need it, don’t keep it.
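Two practical checks follow from this tip: confirm that what you persist after a sale contains no cardholder data, and periodically scan logs and exports for card numbers or magnetic-stripe data that crept in anyway. The Python below is an added example, not code from the original article or any PCI SSC tool; it assumes the payment processor has already returned an opaque token (here a constructed value, `tok_constructed_001`), uses standard test card numbers rather than real ones, and follows the article's own list of fields to drop (name, ZIP, expiry, stripe contents).

```python
import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes,
# and not embedded in a longer run of digits (rules out timestamps, IDs).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2 magnetic-stripe data: ';' PAN '=' expiry, service code, discretionary data
TRACK2_RE = re.compile(r";(\d{13,19})=\d{7,}")
# Track 1 magnetic-stripe data: '%B' PAN '^' cardholder name '^' ...
TRACK1_RE = re.compile(r"%B(\d{13,19})\^")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to weed out order numbers and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, which PCI DSS allows to be displayed."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid PANs found in free text, with separators removed."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_for_cardholder_data(text: str) -> list[dict]:
    """Walk a log or export line by line; report stored PANs and track data, masked."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern, kind in ((TRACK1_RE, "track1"), (TRACK2_RE, "track2")):
            for m in pattern.finditer(line):
                findings.append({"line": lineno, "kind": kind, "pan": mask_pan(m.group(1))})
        for pan in find_pans(line):
            findings.append({"line": lineno, "kind": "pan", "pan": mask_pan(pan)})
    return findings


@dataclass(frozen=True)
class StoredPayment:
    token: str   # processor-issued reference; carries no cardholder data itself
    last4: str   # enough for receipts, refunds and support calls
    amount: str


def minimize_for_storage(capture: dict, processor_token: str) -> StoredPayment:
    """Build the only record the merchant keeps; every other field in `capture` is dropped."""
    pan = re.sub(r"[ -]", "", capture["pan"])
    if not luhn_ok(pan):
        raise ValueError("capture does not contain a valid PAN")
    return StoredPayment(token=processor_token, last4=pan[-4:], amount=capture["amount"])


# Constructed sample log; the card numbers are standard test PANs, not real cards.
SAMPLE_LOG = """\
2024-05-02 order=1001 pan=4111 1111 1111 1111 exp=12/26 zip=30301
2024-05-02 order=1002 track2=;5555555555554444=26121010000000000000?
2024-05-02 order=1003 card=tok_8f3a last4=4444 amount=19.99
2024-05-02 order=1004 phone=555-123-4567 ref=1234567890123
"""

# Constructed capture, shaped like what a terminal hands over before tokenization.
SAMPLE_CAPTURE = {
    "pan": "4111 1111 1111 1111",
    "name": "J DOE",
    "zip": "30301",
    "expiry": "12/26",
    "track2": ";4111111111111111=26121010000000000000?",
    "amount": "19.99",
}

if __name__ == "__main__":
    for finding in scan_for_cardholder_data(SAMPLE_LOG):
        print(finding)
    print(minimize_for_storage(SAMPLE_CAPTURE, processor_token="tok_constructed_001"))
```

Run against the constructed log, the scanner flags the first line (a PAN written in clear) and the second line twice (once as track 2 data, once for the PAN inside it), while the tokenized third line and the phone number and reference on the fourth line produce nothing. The minimized record passes the same scanner clean, which is the property to check on whatever you actually persist.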
5. Join a sustainment program: Now that I’m compliant, how do I stay that way? Sign up for a sustainment program to help monitor compliance throughout the year so that your system is as secure as it can possibly be.