Prologic

Management overview

Although it is several years since the Payment Card Industry Data Security Standard (PCI DSS) was introduced in the US, it is only now that the UK's mid-sized retailers are coming under serious pressure to comply. However, compliance deadlines are often unclear, and banks sometimes appear inconsistent both about the deadlines and about the associated threat of fines or penalties. While some retailers are involved in court battles to obtain compliance extensions and avoid fines, others have had little or no contact with their banks and are almost oblivious to the PCI issue.

But no retailer can afford to ignore the implications of PCI compliance for much longer. Failure to comply with the standards exposes a retailer to two types of liability:

  • The merchant agreement with the acquiring bank provides for substantial penalties (the card schemes' fines are passed down through the acquirer) and, more significantly,
  • Retailers are subject to "charge-back" liability, again via the acquirer, for the losses suffered by card issuers as a result of a data breach.

These losses sustained by card issuers include not only the fraudulent charges made on the accounts of the victims of identity theft, but also the administrative costs of issuing new cards to every customer whose details may have been compromised, so the total can be significant. Add in the damage to reputation associated with the loss of customer card details, and the long term implications of a breach could look bleak.

So what options are available to medium sized fashion & lifestyle retailers for achieving PCI compliance?

One route is to buy pre-packaged components - such as handheld Chip & PIN devices and off-the-shelf web payment gateways - that are already compliant. However, whilst this simplifies the compliance process it can also constrain the business. Many retailers, particularly the larger ones, have worked hard to achieve an integrated multi-channel business model. Adopting these simple, separate payment systems can be a retrograde step which takes retailers back to a less integrated business model, or prevents them moving toward one.

Separate pre-packaged payments systems (at store, on the web and for mail order) make reconciliation more difficult and will introduce more opportunity for error. Without an integrated payment gateway, a business cannot easily deliver the seamless multi-channel service that all fashion retailers aspire to. For example, customers buying online may find funds taken from their account before the goods are despatched; a customer contacting a call centre to ask for a partial credit may get an inferior service because there will be no clear visibility of payments across channels; and at the store Chip & PIN devices that are not fully integrated with the Point-of-Sale are slower, less reliable and more complex to operate and maintain. Furthermore, they are unlikely to support capabilities such as Stored Value Cards, Gift Cards, loyalty systems, tax free shopping etc.

Larger retailers have known for a long time that a single, end-to-end approach to the card payment environment means better customer service, lower merchant rates through a single acquiring bank, better reliability and improved speed and traceability.

On the other hand, for a small or medium size fashion retailer, gaining a compliance certificate for an integrated payment system can look expensive and time consuming. The retailer might reasonably ask whether retaining these business benefits is worth the expense. The cost of a PCI consultant to undertake a gap analysis and advise on the remedial work required, followed by the implementation of all the necessary changes - technical, business process and security - can run into hundreds of thousands of pounds. It is therefore no wonder that some retailers are thinking of ditching their integrated solutions in favour of simple but less effective, pre-approved devices.

An alternative is to work with a vendor like Prologic, whose integrated multi-channel solutions are already embarked upon a Level 1 PCI compliance process for the entire end-to-end suite. With this approach, the onus is on the vendor to determine the underlying software, hardware and wide area network components required to gain and maintain PCI compliance. This model not only ensures that retailers retain the benefits of an integrated multi-channel strategy, but also gives them a fast track, low cost route to PCI compliance - not just today but for a future in which an integrated approach to multi-channel trading will become ever more important.

A key point is that PCI compliance is not a one off event. It is part of a continuous process of hardening and tightening payment security. Retailers below Level 1 have to complete a self-assessment questionnaire every year, so opting for un-integrated pre-approved devices to achieve approval this year is delaying the inevitable - and compromising business performance at the same time.

It is by working with a vendor that is committed to delivering an end-to-end, PCI compliant system, providing an integrated multi-channel solution, that organisations can combine key business needs with a robust, effective strategy for ongoing PCI compliance.

PCI background

As card use has become more widespread both offline and online, and as consumer concern about security has understandably grown, the card industries have made an effort to ensure that sensitive information is protected.

In 2004, the major card brands - American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International - published the first version of the PCI Data Security Standard (PCI DSS), and in 2006 they formed the PCI Security Standards Council (SSC) to maintain it. The requirements, which cover how card data is stored, processed and transmitted, apply to every merchant that handles card data; what depends on the size of a business and the number of card transactions handled is how compliance has to be validated.

Level 1 compliance

The largest organisations - those processing more than six million transactions per year - have to achieve Level 1 compliance, which is validated by an annual on-site audit carried out by a Qualified Security Assessor (QSA).

Level 2 compliance

For Level 2 (one million to six million transactions) and below, compliance currently demands an annual self-assessment process, although this often requires the involvement of a PCI consultant, and it is widely expected that in the future Level 2 compliance will also demand a full audit.

While retailers may resent the need to comply - especially after investing heavily in Chip & PIN technology only a couple of years ago - recent evidence of security breaches has underlined the need to impose far more security and, critically, robust best practice across the sector. Indeed in 2008, plastic card fraud losses on UK issued cards exceeded £600 million for the first time, up 14% on the previous year, according to Card Watch.

The reputation damage associated with a breach of credit card security is significant, representing a huge business cost. The most well known case is that of TJX - the parent company of TJ Maxx (TK Maxx in the UK) - which announced in January 2007 that its systems had been breached and customer card data stolen. Estimates of the number of customers affected rocketed, with at least 94 million Visa and MasterCard accounts possibly compromised and analysts estimating that TJX's costs could run as high as $1 billion, including legal settlements and lost sales. Other high profile breaches include Hannaford Supermarkets, where 4 million records were affected.

More recently, Network Solutions disclosed that malware planted by hackers on its servers had intercepted more than 573,000 credit and debit card numbers. The breach affected account holders of the company's domain registration and web services, as well as numerous online retailers that use the company's hosting and online payment services. As a result, a number of retailers are now having to contact customers to inform them of the potential risk, undermining customer trust and corporate reputation.

These incidents reveal just how valuable customer credit and debit card information is to thieves. Indeed, card data can be worth more to a criminal than cash, since it can be used to run up huge bills in the original card holders' names, leaving the victims to undertake a lengthy process to restore their good credit rating. Even mid-sized retailers hold hundreds of thousands of customer card details and other sensitive card holder information - and not all of them manage that data responsibly, putting their customers at risk.

Given the cost to card issuers of compromised customer card information, it is little wonder that the card schemes are placing greater pressure on the acquiring banks - and the acquirers on their merchants - to improve compliance levels across the retail sector.

What does PCI compliance involve?

PCI compliance applies to any system component where cardholder data is stored, processed or transmitted, and to anything connected to those components: payment gateways and EFT servers, tills, mail order centres, ecommerce systems, wide and local area networks. As such, retailers need to work closely with PCI experts to understand their specific compliance requirements, which will often require changes to both hardware and software.

There are six major categories within the PCI framework:

  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

Within these six categories are 12 requirements that address particular technical issues and also stress web application security:

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security

At first glance, the PCI requirements listed above may not appear to be particularly lengthy or arduous, but this can be misleading. Each of the 12 requirements expands into numbered sub-requirements, each with its own testing procedure - dozens of them in the case of the requirements on stored data, user identification and logging - and each sub-clause can be quite difficult to interpret within the context of a particular retail environment.

Generally, the initial process is a business audit carried out by a Qualified Security Assessor (QSA). For a medium size retailer, this might take about five days at around £1,000 per day. This audit will identify, at a high level, the areas in which the company fails to meet the standard - a gap analysis - and include a list of proposed remedial actions that will have to be taken before any attempt at PCI self-assessment can be made.

This process is key to identifying areas of weakness, which can range from inadequate wireless network security in store - the apparent cause of the TJX breach, which went undetected for some 18 months - to improper storage of customer data, a lack of encryption or poor HR processes. For example: a retailer will need a configuration document explaining and detailing how each router is configured, who has permission to access that router and who has permission to change it, what protocols are enabled and what protocols are not enabled - and this has to be repeated for every router on the network. And there are dozens of similar sub-requirements that can go into an extraordinary level of detail!

Another key area of focus is the way in which retailers store customer data. The standard (PCI DSS 1.2, requirement 3.2) states that after authorisation a merchant must not store sensitive authentication data - the full contents of any magnetic-stripe track, the card validation code (CVC2/CVV2/CID) or the PIN - even in encrypted form, and the card number itself may be retained only if it is rendered unreadable (requirement 3.4). While retailers are not typically retaining this data with malicious intent, those using older PoS software designed to capture all card data may well be storing some of it without realising.
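One practical way to find out whether a legacy till or gateway is quietly writing such data to disk is to scan its logs and exports for the tell-tale formats: track 1 (`%B<PAN>^NAME^YYMM...?`), track 2 (`;<PAN>=YYMM...?`), labelled validation codes, and unmasked 13 to 19 digit runs that pass the Luhn check. The scanner below is an added example written for this page, not Prologic's code or part of any PCI SSC tool; the log lines it scans are constructed to resemble a legacy PoS transaction log and are not real card data. It never prints a full card number, only the first six and last four digits, so its own output does not become another store of cardholder data.

```python
"""Scan text (e.g. a legacy PoS transaction log) for data that PCI DSS
forbids storing after authorisation: full track 1/track 2 data and card
validation codes, plus unmasked PANs that would have to be protected.
Added example for illustration; the sample log below is constructed."""
import re
from dataclasses import dataclass
from typing import List

# Track 1 (ISO/IEC 7813 format B): %B<PAN>^<NAME>^<YYMM><service code>...?
TRACK1 = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^\d{4}")
# Track 2: ;<PAN>=<YYMM><service code>...?
TRACK2 = re.compile(r";(\d{13,19})=\d{4}")
# Validation codes written out under their usual field labels
CVV = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)
# Any 13-19 digit run that is not part of a longer number: PAN candidate
PAN = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")

# Constructed sample: one masked (acceptable) line, two raw swipes, one
# mail-order line with a clear-text CVV2, and a Luhn-invalid decoy.
SAMPLE_LOG = """\
2009-06-01 10:02:11 AUTH ok amt=49.99 pan=411111******1111 auth=123456
2009-06-01 10:05:40 SWIPE raw=%B4111111111111111^DOE/JOHN^13121010000?
2009-06-01 10:05:41 SWIPE raw=;4111111111111111=13121010000?
2009-06-01 10:07:02 MOTO pan=4111111111111111 exp=1213 cvv2=123
2009-06-01 10:09:55 TEST pan=4111111111111112 note=luhn-invalid
"""


@dataclass
class Finding:
    line: int
    kind: str        # "track1", "track2", "pan" or "cvv"
    masked_pan: str  # first 6 + last 4 digits only; never the full PAN


def luhn_ok(digits: str) -> bool:
    """Luhn check: weeds out timestamps, order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only first six and last four digits, as PCI DSS allows for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_text(text: str) -> List[Finding]:
    """Return one Finding per piece of prohibited or unprotected data found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        seen = set()
        # Track data first: the worst finding, and it contains the PAN too
        for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
            for m in rx.finditer(line):
                pan = m.group(1)
                if luhn_ok(pan):
                    seen.add(pan)
                    findings.append(Finding(lineno, kind, mask_pan(pan)))
        # Unmasked PANs not already reported as part of a track
        for m in PAN.finditer(line):
            pan = m.group(1)
            if pan not in seen and luhn_ok(pan):
                seen.add(pan)
                findings.append(Finding(lineno, "pan", mask_pan(pan)))
        # Clear-text validation codes: prohibited regardless of the PAN
        if CVV.search(line):
            findings.append(Finding(lineno, "cvv", "-"))
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f.line}: {f.kind:6s} {f.masked_pan}")
```

Run against a real export, the output is the evidence a QSA will ask for: which files hold track data or codes that must be purged, and which hold PANs that must be truncated, hashed or encrypted under requirement 3.4. The Luhn filter keeps timestamps and reference numbers out of the results, and the masked line in the sample shows what an acceptable record looks like.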

But it is also important to look closely at processes used for managing customer data. It is not acceptable to fax customer details from the branch to head office, to an individual not authorised to take mail order, even if the objective is to deliver improved customer service.

During the audit the PCI consultant will work through the standard systematically, line by line, interviewing people across the organisation from HR to IT. For example, the IT team will be required to explain how the network is configured, what databases, operating systems and software applications are in use, and what level of encryption has been deployed. Talking with HR will reveal employee vetting processes.

Alongside the standard itself there is explanatory documentation and guidance, and the gap analysis report typically runs to several hundred pages. In effect, there is a massive amount of documentation to work through simply to understand a single one of the 12 requirements.

All this is a complex, time consuming operation but it is, in effect, the simplest part of the PCI compliance process. It is once the gap analysis has been completed and a retailer is then presented with a detailed list of remedial action that the big costs begin to materialise. Of course, the compliance issue becomes more complicated for those retailers that have embraced a multi-channel strategy, especially if they are handling card data differently within each channel.

Pre-accredited PCI

By far the quickest and easiest route, which will appeal to the smaller retailers, is to install pre-accredited solutions - such as the stand alone Chip & PIN devices that can be rented from the card acquirer. These devices are approved under the PCI PIN entry device programme and can simply be plugged in; because card data never passes through the till, most of the retailer's own systems stay outside the scope of PCI DSS. However, such simplicity has disadvantages. If the device is not integrated with the till, there is far more room for error as a result of keying information into two separate systems. The system is also slower, taking more time to process each customer transaction. And reconciliation problems at head office will multiply.

Furthermore, for the multi-channel retailer, these separate solutions compromise the ability to deliver the required integrated customer experience. As a result, whilst the pre-accredited approach can solve the PCI problem quite simply, the business problems become much more significant.

Yet the alternative, working through compliance processes across each retail channel and diverse payment gateways, significantly extends the audit and remediation processes, creating a huge amount of work. And this is not some exciting new technology project that will thrill the IT team; it is hard slog administrative tedium. Many will have to employ external consultants to make those changes, a move that requires a big financial commitment.

So there is a real danger that the cost and complexity of achieving PCI compliance across multiple channels will force some retailers to take a backwards step, get rid of integrated solutions and opt for un-integrated but pre-approved devices simply to achieve a low cost route to compliance. Many will be weighing up which is the lesser of two evils - yes, customer service will suffer and errors will increase, but at least the PCI compliance process will be simpler.

The integrated approach

So what is the alternative? One option is to work with a supplier that is committed to achieving PCI compliance across an entire, integrated business solution. Because the solution has already been audited by a QSA, the retailer's compliance process is far simpler.

Key to this process is consistency - there is no need to reinvent the wheel. The software supplier knows what components are required on each till, what Chip & PIN device and what encryption levels are required across the network in order for a retailer to pass a self-assessment process. The organisation can work with its retail customers before the PCI gap analysis is even undertaken to ensure the infrastructure meets PCI requirements upfront - with key documentation (e.g. documentation required for router configuration) provided as part of the standard solution. The gap analysis still has to look at retailer specific issues such as HR processes and LAN configuration but the bulk of the hardware, software and WAN assessment has already been completed.

This approach enables the retailer to work through the box ticking PCI compliance process quickly and without incurring significant cost. From a customer service and business point of view, this is a solution that minimises the cost of PCI compliance without compromising the quality of service or the value of an integrated multi-channel model.

Conclusion

This is not a one off issue for retailers: PCI compliance requires an annual audit or self-assessment. Indeed, the payment card industry is in an endless arms race with the hackers and fraudsters. As the criminals get ever more sophisticated, PCI and retailers have to up the ante and implement ever more sophisticated security standards.

So opting to retrench today by casting out all the benefits that integrated technology can bring in terms of efficiency and improved customer service may solve the immediate PCI problem. But it is a short term fix that will be at the expense of future business efficiency and customer satisfaction.

Furthermore, it is simply delaying the inevitable. Fashion businesses are moving ever more deeply into integrated multi-channel retailing. Those who have adopted ad-hoc systems to get round short term PCI problems will sooner or later need to reintegrate their systems to compete with the market leaders.

The best of both worlds is low cost PCI compliance without compromising the increasingly important multi-channel business model.
