PCI Compliance Challenges for Small Retailers

Cybercriminals are targeting smaller retail merchants for credit card information theft. Large national retail brands make headlines when their systems are breached, but smaller merchants often prove to be vulnerable targets, largely due to weak protections around point-of-sale systems and card handling procedures. The Payment Card Industry (PCI) Security Standards Council (SSC) was established to enhance the security controls and procedures for businesses and service providers that store, process and/or transmit cardholder data.

Depending upon the number of transactions processed, small merchants are required to have appropriate PCI compliance measures in place and may be asked by their bank or third-party payment processor for compliance reporting. If the annual volume of transactions is high, then merchants may be required to undergo a compliance assessment with a third-party PCI Qualified Security Assessor Company (PCI QSAC).

What does this mean for your organization’s compliance obligations? If you process payment card transactions, you must be aware of what PCI compliance requirements apply to your organization and understand necessary compliance and reporting requirements.

DHG has compiled a list of common challenges and recommendations for getting started with PCI compliance or validating that you are maintaining PCI compliance.

1. Understand the Cardholder Data Environment and Data Flows

Are you aware of all the methods by which your business accepts payment cards? Knowing how your business accepts payment card data is necessary to determine your PCI reporting requirements. Additionally, knowing which assets are involved in payment card transactions can help limit the scope of PCI compliance and minimize the effort and costs associated with it.

2. Document Policies & Procedures

There are many policies and procedures that need to be documented to meet PCI DSS compliance obligations. PCI DSS requires that security policies and procedures be documented and approved by management. Documenting these procedures is not only best practice for managing data security but also helps those evaluating your PCI compliance understand what is expected to be discussed during your walkthroughs.

3. Perform a Risk Assessment

Performing a security-based risk assessment of your cybersecurity infrastructure is necessary for PCI compliance, and many smaller retailers struggle to conduct a thorough assessment of cyber risk. The risk assessment process is designed to clearly define the risks associated with accepting payment cards and, more importantly, to show where risks are high and need attention. The identified high-risk areas and their mitigating controls should be documented, with remediation plans tracked until the risk is mitigated.

4. Vulnerability Scanning & Penetration Testing

Technical assessment is an often overlooked requirement of PCI compliance. Vulnerability scanning is the automated scanning of IT systems designed to identify configuration vulnerabilities, while penetration testing is a manual simulation of a cybersecurity attack against your organization's systems. Both are critical to identifying common vulnerabilities that could lead to data theft. Some organizations fail to remediate identified vulnerabilities, leaving their systems exposed to attackers. Technical assessments must be performed, and high-risk issues should be remediated as soon as possible.

If you need help understanding your compliance obligations or assessing your environment to determine your PCI reporting requirements, please reach out to a DHG Technology Advisory professional.

© Dixon Hughes Goodman LLP. All rights reserved.