PCI DSS compliance for retailers: What you need to know

By Mandy Pattenden, Marketing Communications Director

The rise of omnichannel retail in recent years means that retailers and merchants of all sizes must now be prepared to meet their customers wherever they are – whether it’s in their store, on the phone, or in any number of digital channels such as their website, mobile app, social media account, web chat or text message. Operating in any and all channels can potentially add a new layer of complication for retailers when it comes to maintaining strong data security and regulatory compliance, while still delivering a unified and positive customer experience. However, becoming an omnichannel retailer is no reason to sacrifice security, compliance or usability. With the right technologies and strategy, retailers can succeed at all three.

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements for payment processors, retailers, merchants and any other business that accepts, processes, stores or transmits payment card data. The requirements are designed to keep consumers' cardholder data safe from theft, breaches and abuse. It is a global standard, and its scope is the cardholder data environment: every system, process and person that directly or indirectly touches payment card data, including back-office processes, point-of-sale (POS) hardware and software, and every phone-based and digital channel a business operates in.

Under the latest PCI DSS standards, retailers and other businesses that interact with payment card data must:

  • Build and maintain a secure network and systems, including firewalls to protect cardholder data
  • Protect cardholder data when stored and in transit, such as by using encryption techniques
  • Maintain a vulnerability management program, including keeping all systems and applications patched and protected against malware
  • Implement strong access control measures, including restricting physical and digital access through authentication and “need to know” measures
  • Regularly monitor and test networks, security systems and processes
  • Maintain an information security policy that addresses data security requirements for all personnel.

Although the PCI DSS is generally accepted around the globe as the benchmark for protecting payment card data, it is technically an industry standard and not a law or regulation. As such, the PCI Security Standards Council itself has no authority to fine anyone for non-compliance. Instead, the obligation is contractual: the five major global payment card brands (Visa, Mastercard, American Express, JCB International and Discover) can impose fines, commonly cited as $5,000 to $100,000 per month, on the acquiring banks that process a retailer's payments. The acquiring bank, in turn, typically passes those penalties along to the non-compliant retailer in the form of higher transaction fees and service charges. If the retailer continues to fall short of compliance, its ability to accept payment cards at all may be revoked.

PCI DSS compliance is falling… even though security risks are increasing

Achieving compliance with PCI DSS can be complicated and costly, which is perhaps why the share of businesses that sustain full compliance keeps dropping. Verizon's 2020 Payment Security Report found that only 27.9 percent of the organisations it assessed maintained full compliance, little more than a quarter, and that the figure has fallen every year since its 2016 peak.

This is concerning news at a time when cyberattacks, phishing and digital card skimming attacks against retailers have all increased. The COVID-19 pandemic caused consumers' use of digital and phone channels to grow sharply, and if retailers do not keep customer data secure as purchases flow through these channels, they risk a data breach that could be devastating for their brand reputation. In one survey of 6,000 consumers, a full 69 percent said they would avoid doing business with a company that had suffered a data breach, even if it offered a better deal than competitors.

Making PCI DSS compliance easier

Fortunately, achieving PCI DSS compliance across every channel and purchasing process does not have to be difficult or costly for omnichannel retailers. One of the most effective ways to simplify compliance is de-scoping: using technologies that keep cardholder data out of the retailer's networks, applications and business infrastructure in the first place. Because the scope of a PCI DSS assessment is the cardholder data environment (everything that stores, processes or transmits cardholder data, plus anything connected to it), every system that never sees card data is a system that no longer has to be assessed. Two caveats apply: the retailer must confirm that anything it stays connected to is genuinely kept out of the card data path, and it remains responsible for managing its third-party service providers, including confirming that they are themselves PCI DSS validated (Requirement 12.8). Semafone's Cardprotect Voice+ and Cardprotect Relay+ are offered as a simple and cost-effective way to reduce the burden of compliance while keeping the customer experience frictionless across all channels.

Using dual-tone multi-frequency (DTMF) masking technology, Cardprotect Voice+ enables retailers to take payments over the phone without ever touching, processing or storing the payment card data itself. The customer keys their card number into their phone's keypad while still talking to the agent; the keypad tones are intercepted and replaced with flat tones before they reach the agent's headset and the call recording, so the digits are never heard, recorded, or typed into the retailer's desktop applications. Cardprotect Voice+ segregates and encrypts the captured card data and routes it directly to the payment processor, keeping it out of the retailer's network infrastructure, CRM systems and other applications. Similarly, Cardprotect Relay+ enables retailers to accept payments through any digital channel and securely route the card data directly to the payment processor, so that it never touches the retailer's network systems or applications.
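To make the de-scoping idea concrete, the following Python simulation shows the general DTMF masking pattern described above. It is an added illustration written for this article, not Semafone's code or a description of how Cardprotect Voice+ is implemented: the event model (`Event`, `CallSession`), the masking proxy (`DtmfMasker`), the flat-tone placeholder and the stand-in `PaymentProcessor` that hands back a token are all assumptions. The constructed call keys in the well-known Visa test number 4111 1111 1111 1111; the point is that the full PAN ends up only in the (simulated) processor's vault, while the agent stream, the recording and the CRM record hold flat tones, a token and a PCI DSS-style masked PAN (first six and last four digits).

```python
"""Simulated DTMF masking for de-scoped phone payments (illustration only).

Assumed model, not taken from any vendor: the call platform delivers a
stream of events, each either a speech segment or a DTMF keypress, and a
masking proxy sits between the customer and the agent desktop / recorder.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

FLAT_TONE = "<flat>"  # placeholder the agent hears / the recorder stores instead of a digit
END_KEY = "#"         # customer presses # to finish entering the card number


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation so mistyped numbers are rejected before any routing."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display masking: at most the first six and last four digits stay visible."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


class PaymentProcessor:
    """Stand-in for the acquirer/PSP: the only party that ever sees the full PAN."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)    # per-run key, so tokens are not guessable
        self.vault: dict[str, str] = {}        # lives outside the retailer's environment

    def tokenize(self, pan: str) -> str:
        token = "tok_" + hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()[:16]
        self.vault[token] = pan
        return token


@dataclass
class Event:
    kind: str    # "speech" or "dtmf"
    value: str   # transcript text, or the key that was pressed


@dataclass
class CallSession:
    agent_stream: list[str] = field(default_factory=list)   # agent headset + call recording
    crm_record: dict = field(default_factory=dict)           # what the retailer keeps
    capturing: bool = False
    buffer: str = ""                                         # digits held only inside the proxy


class DtmfMasker:
    """Masking proxy: swallows digits during capture, forwards everything else untouched."""

    def __init__(self, processor: PaymentProcessor) -> None:
        self.processor = processor

    def start_capture(self, session: CallSession) -> None:
        session.capturing, session.buffer = True, ""

    def handle(self, session: CallSession, event: Event) -> None:
        if not (session.capturing and event.kind == "dtmf"):
            session.agent_stream.append(event.value)   # speech passes straight through
            return
        if event.value == END_KEY:
            self._finish(session)
            return
        session.buffer += event.value                   # digit retained only in the proxy
        session.agent_stream.append(FLAT_TONE)          # agent and recorder get a flat tone

    def _finish(self, session: CallSession) -> None:
        pan, session.buffer, session.capturing = session.buffer, "", False
        if not luhn_valid(pan):
            session.crm_record = {"status": "invalid_pan", "digits_entered": len(pan)}
            return
        token = self.processor.tokenize(pan)            # full PAN goes to the processor only
        session.crm_record = {"status": "captured", "token": token, "masked_pan": mask_pan(pan)}


def run_demo(pan: str = "4111111111111111") -> CallSession:
    """Constructed call: agent prompt, capture window, keyed digits, agent wrap-up."""
    session, masker = CallSession(), DtmfMasker(PaymentProcessor())
    masker.handle(session, Event("speech", "agent: please key in your card number and press #"))
    masker.start_capture(session)
    for digit in pan:
        masker.handle(session, Event("dtmf", digit))
    masker.handle(session, Event("dtmf", END_KEY))
    masker.handle(session, Event("speech", "agent: thank you, processing the payment now"))
    return session


def leaked(session: CallSession, pan: str) -> bool:
    """True if the full PAN shows up anywhere the retailer retains (stream, recording, CRM)."""
    return pan in " ".join(session.agent_stream) or pan in repr(session.crm_record)


if __name__ == "__main__":
    s = run_demo()
    print(s.agent_stream)
    print(s.crm_record, "leaked:", leaked(s, "4111111111111111"))
```

Running the demo shows 16 flat tones in the agent stream and a CRM record containing only a token and `411111XXXXXX1111`; keying a number with a bad check digit leaves the CRM with an `invalid_pan` status and no card data at all. A real deployment does the masking on the audio path rather than on parsed events, but the scoping consequence is the same: the agent desktop, the recorder and the CRM never hold the PAN, so they fall outside the cardholder data environment.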

By keeping sensitive payment card data out of the business infrastructure in the first place, Cardprotect Voice+ and Cardprotect Relay+ shrink the retailer's cardholder data environment and therefore the scope of its PCI DSS assessment, significantly decreasing both the cost and complexity of achieving and maintaining compliance. At the same time, both solutions provide a simple, seamless customer experience across all touchpoints. Best of all, they reduce the retailer's risk of suffering a data breach or being targeted by attackers, because a retailer that is no longer holding or transmitting highly sought-after payment card data has far less for an attacker to steal.