Retail’s Top Compliance Pain Points and How to Address Them

Benjamin Franklin famously stated there are no certainties in life, except death and taxes. These days it might make sense to amend that statement for businesses, adding compliance regulations to the list of steadfast conditions. 

For companies in the retail sector, one particularly omnipresent regulation is the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a standard that some of the largest credit card companies put together to help reduce data breaches related to credit card processing.

PCI DSS encompasses 12 requirements that must be met in order for a company to be considered compliant. According to Globalscape’s Ponemon study “The True Cost of Compliance with Data Regulations,” PCI DSS is ranked #2 among the most complex compliances to achieve, second only to the General Data Protection Regulation (GDPR).

Herein Lies the Retail Rub

PCI DSS is a challenge for all of the industries that use credit cards, including financial services. However, some of its requirements are particularly difficult for retail companies due, in part, to the following factors:

  1. Retailers have a high number of employees, most of whom have personal devices, making it challenging to manage the compliance of those devices.
  2. Because they have large workforces, it is challenging for retailers to get each and every employee to review security policies as part of compliance. 
  3. Retailers often exist on tight margins, so when it comes down to it, making money often takes precedent over regulations and related documentation. Customer-facing systems will also take precedent over other internal systems if it means preventing sales losses. 
  4. Myriad workstations and servers exist throughout multiple locations. These go on and offline at different times, impeding the ability to roll out updates.
  5. Operating a multitude of locations also makes restricting and monitoring access controls a challenge. 
(Source: 2017 Payment Security Report by Verizon)

The 2017 Payment Security Report by Verizon showed that the retail industry struggled the most with two of PCI DSS’s 12 requirements:  

  • Requirement #4, which refers to measures taken to protect consumer data as it is transmitted over networks and the internet. 
  • Requirement #11, which refers to need to regularly test systems for vulnerabilities. 

Protecting Data in Transit (Requirement #4)

When it comes to the challenges of protecting data in transit, retail is not unique. Mastering secure data transfers is an essential for all industries. It is far easier to protect data at rest than it is to protect a moving target. Fortunately there are more and more ways to safeguard data on the move including managed file transfer platforms that offer secure protocols, and using strong ciphers and encryption keys that follow the PCI DSS. Additionally, you can use an MFT that facilitates compliance by providing prompts and warning when certain regulation policies are at risk. 

Testing Security (Requirement #11)

The vulnerabilities-testing requirement in the PCI DSS ultimately exists to help protect customers from system weaknesses. Businesses need to develop a strict testing regimen that includes the use of vulnerability scanners and penetration testing programs.  As with most industries, system environments for retail chains are constantly changing. Therefore regular testing is needed. This means testing is never a one-and-done requirement, but a permanent condition of doing business. 

Taking Inventory of Compliance Costs

While compliance can be a costly and continuous mountain to climb, particularly for large retail chains, the cost of not meeting compliance is greater. In fact, the cost of non-compliance can spike up to 2 times the cost of compliance, according to Globalscape’s Ponemon study. 
For most companies, the price of non-compliance is more than just a slap on the wrist from a regulatory entity. These damages can manifest in several ways, including:

  • Business disruption – The ability to do business can be disrupted by non-compliance due to regulatory sanctions or shut downs, as well as a loss of customers and partners due to a lack of consumer trust. 
  • Productivity declines – System downtime can often result from non-compliance. This prevents staff from completing crucial tasks and can significantly hinder operations. 
  • Fines, penalties, settlement costs – This includes legal costs as well as money spent resolving compliance issues. 

Maintaining regulatory compliance is not only fiscally responsible, it is also the right thing to do for customers. Regulations exist to protect consumers by safeguarding their sensitive personal data. Businesses would do well to remember they are essentially stewards of this data once their customers have entrusted them with it.

Download the full report, True Cost of Compliance with Data Protection Regulations

Related Resources

Whether you are facing an audit or working to achieve PCI DSS compliance, this guide can help. Demystifying PCI Standards: 12 Steps to Help You with Compliance

The High Security Module for EFT exceeds security practices the PCI DSS mandates, among others. Learn more: Facilitate PCI DSS Compliance with EFT