Remember when the General Data Protection Regulation (GDPR) legislation hit in the UK? Well, it came out in May 2018, and firms are still struggling to come to terms with it. There are big names out there who’ve been hit for six with the big stick that is GDPR – Google to name but one. Another standard causing a similar headache for firms, especially retailers, is the Payment Card Industry Data Security Standard – PCI DSS. This is an even earlier standard poking its head over the parapet in 2006.
For 17 years, can you believe it, PCI DSS has been a hot potato, but it appears to be getting hotter. A recent report from telecoms giant Verizon showed that compliance with PCI DSS declined for the third year in a row. The quote from the report was – “In 2019, from the total population of organizations assessed on PCI DSS compliance, only 27.9 per cent of organizations achieved 100% compliance during their interim compliance validation.” Why is this a worrying number for the retail sector?
Some big names have fallen foul of PCI DSS combined with GDPR. Step forward ‘The World’s Favourite Airline’ – British Airways, who has had a fine worth millions slapped on them by the UK Information Commissioner’s Office (ICO) for a personal and financial data breach.
Quite apart from the PCI related fines, which even for small companies could total between £4000 to £80000 per month, the reputational damage could be just as bad. Who wants to buy from a firm where your card details and personal information could be lifted and punted over to the dark web for auction?
As the pandemic has brought new challenges and added complexity to the payment world for retailers, Nick Horne, sales and commercial director at Suresite, explains why 2021 should be a wake-up call for retailers ignoring PCI.
Dealing with PCI DSS
So, how should firms deal with this standard in a timely and secure manner? Because full compliance with PCI DSS is much more than simply using a PCI-approved secure point of sale device.
There are 12 requirements that retailers should follow to be compliant, from protecting your systems with firewalls through to documentation and risk assessments. However, under each of those requirements are many different subsections, so if someone is a fully-fledged merchant, there are 330 controls across those 12 requirements. If I’m a retailer who does face-to-face payments, mail and telephone orders, and also payment transactions over the web, then I have to apply PCI across all three channels – 990 potential control questions. It’s easy to see why that puts retailers off.
The big win is to try to remove the burden for PCI compliance from within the company and buy-in or outsource compliant solutions. If you’re looking at the requirements, it can come across as PCI is all about technology. The truth is, retailers need to start with their own people.
Instead of focusing purely on the technology requirements, I prefer to think of the policy requirements. As an example, especially smaller retailers often don’t consider that there might be lots of different traffic moving across their Wi-Fi network. If the Wi-Fi is unprotected, and they’re using it to process payment card transactions, people might also be using it to access Facebook which is not secure. Retailers should be thinking about policies linked to what can be accessed over your Wi-Fi network.
If I were training somebody in the niceties of PCI, I would show how easy it is to go into the dark web and buy cardholder information. The conversation would probably be, “Have you been breached, because I can buy that information on the deep web.”
PCI compliance – whose responsibility is it?
This is when we come to the hot potato – running around within companies, from one department to another one.
The responsibility for PCI DSS compliance is just like GDPR – the people ultimately responsible are those at the top. Why should the senior leadership team be interested in PCI? It’s because it’s not just a question of a standard, its breach can bring significant business risks.
In the fragmented retail environment, we can ask ‘What does the board look like if you’re only running one site?’ That would be the owner-manager. If it’s a slightly bigger firm, some departments would put the responsibility with finance, because they’d see PCI falling under payments. If it’s a dealer operated site owned by a brand – a format often seen in convenience retail and forecourt – it gets slightly more complex. The key question is ‘who owns the Merchant ID (MID) that the site is using to obtain a payment?’ In most cases, the MID determines who is obligated to be PCI compliant. But the PCI responsibility might be subject to individual contracts and procedures agreed between the dealer and the owner brand.
Lots of firms – wrongly – put it in the hands of the IT department because they look at it as a technology only standard. Very large organisations might have a chief risk officer (CRO) – but ideally, the person accountable is whoever is responsible for the bottom line of the company.
Benefits of PCI compliance
It’s not easy to show the tangible benefits of adhering to PCI. A sticker on the door saying that you’re fully PCI DSS compliant is hardly likely to make your customers break into a round of applause. However, as part of wider company communications, showing customers that their data is safe helps build trust and a market-leading position.
Large companies in trouble with PCI make the headlines, and it’s not the type of PR any company would want.
When it comes to smaller retailers, word-of-mouth can quickly show its powers. Let’s compare two local convenience stores. If you knew that one of them had a problem – whereas the other looked efficiently run – you’re more likely to go to that one.
There is a business benefit to a retailer doing the right thing, and I’d use the words ‘duty of care’ here. You do this because it’s the right thing to do rather than being forced to do it.
Challenges of the pandemic
The big challenge here is that cash is frowned upon, so a bigger percentage of transactions will be done by card. Also, a record 62% of debit card payments last August were contactless, according to UK Finance.
Cash was already on its way out, as public bodies – Transport for London for example, require you to pay for Oyster cards online or through their specialised ATMs. Or taking fuel as another example, as a result of the pandemic, many people are visiting forecourts more frequently, paying contactless for smaller amounts of petrol and essential groceries.
This will affect retailers who are borderline for the number of transactions they do annually, so the increase in the volume of transactions could put them up a level on the PCI scale.
As smaller independent retailers are trying to cater to the new, increased demand from customers, they might be now also taking telephone orders which they didn’t do before – and that in itself opens up another channel where PCI compliance is mandated.
As a final thought, it’s important to say that it takes a single card payment, in-store, online, over email or telephone, and any retailer can be fined if not compliant with PCI. Retailers big and small should think hard about the consequences and the potential business risk that could be brought upon them if they continue to stick their heads in the sand – especially now, when the added complexity which comes with new payment methods increases the chances for a breach and to fall foul with PCI DSS.
By Nick Horne, sales and commercial director, Suresite