Retail: Feeling the New Year hangover?

Retail: Feeling the New Year hangover?


Author: Craig Armstrong

Black Friday and the Boxing Day sales have been and gone, and retailers could be forgiven for breathing a sigh of relief and pausing to take stock.

However, the payment card schemes and merchant acquirers are likely to be less accommodating if your business has failed to implement PCI DSS 3.0 which became mandatory on 1 January 2015 (although a handful of requirements remain solely best practice until 1 July 2015 when they too will become mandatory).

But what are the risks of non-compliance to a retailer? From a contractual perspective it is worth noting that the retailer's merchant acquirer will have ensured that it can pass down to the retailer any PCI DSS non-compliance fines imposed by a card scheme. Perhaps of even greater concern, the financial impact of a security breach on a retailer's reputation can be far more significant. A recent poll revealed 45% of US credit and debit card holders are likely to avoid retailers that have been affected by a data breach in the last year (bad news for the likes of Target and Home Depot!).

Yet despite these risks, Retail Week reported prior to Christmas that as many as 9 in 10 retailers have failed to achieve compliance without remediation work and overall levels of compliance remain less than 40%.

The key messages in PCI DSS version 3.0 are education awareness, making the security steps 'business as usual', and security as a shared responsibility. New requirements that should be noted include:

  • Implementation of a penetration testing methodology and perform penetration testing to verify that segmentation methods are operational and effective
  • Maintain an inventory of system components which are in scope for PCI DSS
  • Improved training and oversight of point of terminal devices to reduce tampering and theft

As always, retailers should discuss security with service providers to ensure that they have secured their systems appropriately. For example, web and database servers should be hardened to disable default passwords, settings and unnecessary services.

Where appropriate, software should also conform to Payment Application Data Security Standard (PA-DSS) requirements and we find that this requirement is often overlooked when new software and cloud based-services are being procured.

PCI DSS 3.0 can be obtained from the PCI Security Standards website, here.

Perhaps the slow period of late January provides an ideal opportunity to verify compliance?


This document is for informational purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given.