Retailers are frequently asking RMS the question – “What does a small-to-medium sized business have to do in order to satisfy the PCI DSS requirements?”
It is such a frequently asked question because most retailers understand that if they lose credit/debit card data through a data breach and they are not PCI DSS compliant, then they are likely to incur Card Scheme fines for the loss of this data and may be liable for the fraud losses incurred against these cards and the operational costs associated with replacing the accounts.
In addition it’s likely that their customers may also not want to do further business with them.
Because these consequences can be huge, we decided to put this important question, and others, to BC Technologies LLP, who provide PCIDSS compliance expertise to businesses in a range of sectors. Their role is to take the distraction of IT technology away from a retailer's business so that the retailer can concentrate on achieving business targets. We spoke with John Orr and the following is a summary of our conversation.
Q. PCIDSS – what is it?
A. Most retailers who take card payments, whether through rented or owned terminals, will be aware of the Payment Card Industry Data Security Standard, or PCIDSS for short. The objective of PCIDSS is to reduce fraud and the theft of sensitive data by tightening up the procedures that surround the use of cards and the transaction process. When card fraud occurs, any subsequent investigation will focus on this.
Q. How does it work?
A. Compliance with PCIDSS is undertaken by self-certification. The retailer is required to fill out an online questionnaire which is designed to probe into those aspects of its IT network and card handling processes that could be vulnerable to data theft and fraud. If the processes are good and the retailer understands the questions, then they will pass the compliance test. This means their risk of fraud and data theft is managed to an acceptable level. Through the questionnaire they will become aware of the need to manage and document the processes involved when their business takes a card payment. Because card fraud and data security take place in a technical environment, the questionnaire is both complex and jargon-laden.
If a retailer's answers fall short, then their business is found to be non-compliant. At that point they need to address the non-compliance issues.
Q. What does non-compliance mean for a retail business?
A. Put simply, it means that some aspect of their card payment set-up is not as secure as it could be and that they are vulnerable to fraud and data theft. Non-compliance has to be rectified, and they may be liable to fines and possibly even termination of their card payment service.
Q. Who is responsible?
A. The retailer is! The questionnaire has to be signed off by a senior manager in the company. The sign-off binds them to quarterly review and annual re-certification.
Q. Is this just an Annual Commitment?
A. Yes and no. The sign-off includes an undertaking to keep compliance under review every three months in addition to the annual questionnaire.
Q. Scope – this term pops up, what does this mean?
A. In order to deal with the assessment, the retailer needs to consider the various points that are touched by their payment system, i.e. the Scope. Does the card reader share the Wi-Fi that is offered to customers? Is the reader in any way linked to other computers or devices in the business's network? If the retailer operates online, how do they organise the storage of transaction data? Is the website secure? Who amongst the retailer's staff has access to any transaction-related data? Have the staff been vetted and trained in card payment and anti-fraud procedures? All these touch points fall within the scope of the payment system and the PCIDSS questionnaire.
Q. Is it possible to reduce the Scope for an easier and more secure life?
A. Bear in mind that in order to manage the card payment process, the retailer needs to have a written policy to cover each touch point. If they have a policy, then they need to document how they review that policy. So not only do they reduce their risks, but they reduce their workload if they can keep their scope narrow.
Many retailers will use payment systems which run through online portals or chip and PIN systems. The PCIDSS will perform tests on a retailer's website to determine security. The retailer would be responsible for checking that their card machine is not tampered with or stolen. At the other extreme there are businesses taking card details by phone. The opportunities for fraud when card details are taken by phone are immense. Are details written down? By whom? Are the staff trained and vetted? Where and how is that data stored? Who has access to it? Is it securely destroyed?
These simple questions will all require a process and policy. Just like Health and Safety, the retailer needs to have a policy, procedures and a log to demonstrate that their PCIDSS compliance is reviewed and updated. You can see that defining Scope is critical both to security and to the resources required to achieve compliance.
Q. How can a small retailer easily deal with PCIDSS compliance?
A. The system exists to reduce the risk of fraud, and delaying or ignoring compliance is simply extending risk. The time and effort involved in dealing with PCIDSS can be burdensome, and given the consequences of fraudulent activity it makes sense to outsource the know-how to achieve initial compliance. When a retailer starts in the right place, they can then take on the ongoing reviews from a position of knowledge.
Q. Where can a small retailer get other PCIDSS compliance questions answered?
A. You can Freephone RMS today on 0800 138 0050 or complete our online enquiry form to speak with one of our dedicated team. Either way, we look forward to helping you with the EPoS needs of your growing business.
You can also follow RMS on Social Media for all the latest information on the benefits, features and great deals on EPoS Hardware.