How Retailers Can Reduce Risk and Ease PCI DSS Compliance

The retail industry is one of the most targeted industries for cyberattacks and data breaches. In fact, research shows that retail suffers more data breaches than the financial services, insurance and hospitality industries. Cybercriminals and hackers target retailers because they know they can easily get their hands on consumers’ personally identifiable information (PII), especially payment card data.

As a result, we’ve all witnessed the headlines for large-scale data breaches at top retailers such as Target and Home Depot, which have negatively affected millions of consumers. These breaches have costly repercussions for retailers, who end up paying fines, legal fees and remediation costs – not to mention the incalculable damage to their brand reputation, the lost sales due to reduced customer trust and often the dismissal or resignation of many executive staff members.

Fortunately, there are steps retailers can take to improve data security and reduce their risk of becoming the target of a breach. A great place to start is the framework and security best practices laid out in the Payment Card Industry Data Security Standard (PCI DSS). Applicable to any organization that accepts payment card data, PCI DSS is organized into six distinct categories with 12 broad requirements, outlining more than 400 security controls that every merchant must implement to achieve compliance. Failure to comply can result in fines ranging from $5,000 to $100,000 per month. In extreme cases, the payment card issuer can even entirely revoke the merchant’s ability to process card transactions.

Technologies for Simplifying PCI DSS Compliance

Complying with the PCI DSS may initially seem daunting, but retailers can ease compliance by reducing the number of applicable PCI controls throughout their organization. Known as “descoping,” this process can significantly cut down on the amount of technology and network infrastructure considered “in scope” of the framework, leading to an overall much less costly and simpler compliance process.

Descoping begins with reducing the amount of sensitive information – including payment card data – that an organization processes and stores. For example, PayJunction’s solutions help retailers reduce the scope of compliance for PCI DSS at the point of sale (POS) by using a cloud-based EMV terminal. This setup allows merchants to run payment cards without ever having to store, transmit or process cardholder data.

But retailers must not limit their data security and compliance efforts to only their POS systems. As the industry has moved to the more secure EMV-enabled chip cards and terminals, cybercriminals are shifting their focus to other channels where card-not-present (CNP) transactions take place, such as call and contact centers. Often deemed a “low-hanging fruit” by fraudsters, retail contact centers saw fraudulent activity nearly double in 2017. So, how can these customer interaction hubs address this issue?

What Is DTMF Masking?

Retailers can reduce the scope of compliance for PCI DSS in their contact centers by using dual-tone multi-frequency (DTMF) masking technologies. These technologies enable customers to make payments over the phone while obscuring the payment card numbers from the agent on the line and from call recordings, which can be breached.

With these solutions, customers simply enter their card number and card verification value using the telephone keypad and the touch tones (DTMF tones) are replaced with flat tones. The card data is encrypted and securely routed to the Merchant Service Provider, never entering the contact center’s infrastructure. As a result, the retailer reduces the scope of compliance with PCI DSS and minimizes risk.

This technique conceals the card information from the customer service representative, yet some DTMF masking solutions still allow agents to remain on the line, speaking with the customer to help with any issues that may arise. Unlike interactive voice response systems, this approach ensures strong data security without compromising customer experience.
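To make the masking step concrete, here is an added illustration (not Semafone's or PayJunction's code) of the processing a DTMF masking system performs on each audio frame: it detects a keypress with the Goertzel algorithm, replaces that frame with a single flat tone in the stream the agent and call recorder receive, and diverts the digit to a separate path. The 8 kHz rate, 50 ms frames, the 400 Hz replacement tone, the 0.7 energy threshold and the "secure path" list standing in for encryption and routing to the Merchant Service Provider are all assumptions made for the example.

```python
import math
# DTMF keypad: every key is one low-group plus one high-group frequency (Hz).
LOW, HIGH = [697, 770, 852, 941], [1209, 1336, 1477, 1633]
KEYS = ["123A", "456B", "789C", "*0#D"]
RATE, FRAME = 8000, 400  # assumed 8 kHz telephony audio, 50 ms frames

def _sine(freq, amp, n=FRAME):
    return [amp * math.sin(2 * math.pi * freq * i / RATE) for i in range(n)]

def dtmf_frame(key):
    """One keypress frame (constructed input, not real call audio)."""
    r = next(i for i, row in enumerate(KEYS) if key in row)
    a, b = _sine(LOW[r], 0.5), _sine(HIGH[KEYS[r].index(key)], 0.5)
    return [x + y for x, y in zip(a, b)]

def speech_frame():  # stand-in for talk on the line: outside both DTMF bands
    return _sine(300, 0.3)

def flat_frame():  # the "flat tone" the agent and recorder hear instead of a key
    return _sine(400, 0.2)

def goertzel(samples, freq):
    """Normalized power of one frequency in a frame (Goertzel algorithm)."""
    k = 2 * math.cos(2 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + k * s1 - s2, s1
    return (s1 * s1 + s2 * s2 - k * s1 * s2) / (len(samples) / 2) ** 2

def detect(samples):
    """Return the key pressed during a frame, or None if no clean DTMF pair."""
    lo = max(LOW, key=lambda f: goertzel(samples, f))
    hi = max(HIGH, key=lambda f: goertzel(samples, f))
    mean_power = sum(x * x for x in samples) / len(samples)
    # A keypress puts nearly all of the frame's energy into exactly two tones.
    if (goertzel(samples, lo) + goertzel(samples, hi)) / 2 < 0.7 * mean_power:
        return None
    return KEYS[LOW.index(lo)][HIGH.index(hi)]

def mask_call(frames):
    """Split a call into the agent/recording stream and the secure digit path."""
    agent_stream, secure_digits = [], []
    for frame in frames:
        key = detect(frame)
        if key is None:
            agent_stream.append(frame)  # speech passes through untouched
        else:
            secure_digits.append(key)  # digit goes only to the payment path
            agent_stream.append(flat_frame())
    return agent_stream, secure_digits
```

Running `mask_call` over a constructed call (speech, four keypresses, speech) yields an agent stream in which no frame decodes as a digit, while the digits appear only on the secure path.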

Additional Security Best Practices

Relying on new technologies alone to secure your contact center is not enough to stop today’s devious cybercriminals and fraudsters. In addition to using secure POS terminals and DTMF-masking solutions in their call and contact centers, retailers should adopt the following best practices:

  • Regularly train staff on proper security procedures for handling sensitive data, including payment card data. Make sure staff know how to spot a cybersecurity threat or fraudulent transaction when they encounter one.
  • Only work with trusted third-party vendors and partners who make security a priority and understand how to comply with all relevant regulatory requirements.
  • Look for ways to minimize risk. Whenever possible, reduce the amount of sensitive data you collect or store, and try to keep it out of your business infrastructure entirely. After all, criminals can’t steal data you don’t store.

Why Comply With PCI DSS?

Ultimately, it’s in a business’s best interest to comply with the PCI DSS because of the tangible benefits it provides. First and foremost, implementing the security controls listed in the PCI DSS framework can reduce a retailer’s risk of experiencing a data breach. Using firewalls and encryption, as well as prohibiting the storage of cardholder information, not only makes it harder for hackers to break into an organization, but also reduces the amount of sensitive data accessible in the event of a breach.

Additionally, implementing a PCI DSS compliance program helps an organization cultivate a mindset of strong security among employees. The robust framework of the PCI DSS includes self-assessment exercises that each merchant must complete, which is a great way for an organization to honestly examine its current practices and determine where improvements can be made.

Lastly, and perhaps most importantly, complying with the PCI DSS helps retailers better protect their most important assets: their customers, employees and brand reputation. Avoiding the reputation-damaging headlines associated with a data breach is essential to maintaining a positive brand image and keeping customers’ trust. By implementing technology solutions to minimize the amount of sensitive data they handle and store, while following industry best practices, retailers can minimize risk and reduce the cost and complexity of compliance.

About the Author

Tim Critchley is an experienced director of technology start-ups in both product- and service-focused sectors. He has been the CEO of Semafone since 2009 and has led the company from a U.K. start-up to an international business that spans five continents. Under his leadership, the company has secured global partnerships and won clients across a range of industry sectors including major brands such as AXA, BT, Capita, Harley Davidson, Next, Rogers Communications, Santander and Sky. Prior to joining Semafone, Tim was COO at KnowledgePool Group, the U.K.’s leading provider of managed learning services, where he helped complete a successful turnaround in three years. Tim graduated from the London School of Economics and holds an MBA from Manchester Business School.

About PayJunction Contributor

PayJunction welcomes writers in the merchant services, cloud, security and mobile spaces to contribute to its blog!