Retail’s Top Compliance Pain Points and How to Address Them

Benjamin Franklin famously stated there are no certainties in life except death and taxes. Businesses may deserve a third certainty added to the list these days: compliance requirements. Nearly all businesses are subject to at least one compliance regulation, and companies in the retail industry are no exception.

Retail Compliance and PCI DSS 

For companies in the retail sector, one particularly omnipresent regulation is the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a standard that some of the largest credit card companies put together to help reduce data breaches related to credit card processing.

PCI DSS encompasses 12 requirements that must be met in order for a company to be considered compliant. According to Globalscape’s joint study with the Ponemon Institute “The True Cost of Compliance with Data Regulations,” PCI DSS is ranked number two among the most complex compliances to achieve, second only to the General Data Protection Regulation (GDPR).

The Challenges of PCI DSS

PCI DSS is a challenge for all industries that use credit cards, including retail, financial services, and others. However, Verizon's annual Payment Security Report found that some of its requirements are particularly difficult for retail companies due, in part, to the following five factors:

1. Retailers tend to have a high number of employees, most of whom have personal devices, making it challenging to manage the compliance of those devices.
2. Because they have large workforces, it is challenging for retailers to get each and every employee to review security policies as part of compliance. 
3. Retailers typically have tight margins, so when it comes down to it, revenue often takes precedence over regulations and related documentation. Customer-facing systems will also take precedence over other internal systems if it means preventing sales losses. 
4. There are thousands of workstations and servers that exist throughout multiple locations retail locations: both corporate offices and any stores. These go on and offline at different times, impeding the ability to roll out updates.
5. Operating a multitude of locations also makes restricting and monitoring access controls a challenge. 

Two PCI DSS Requirements are the Hardest to Meet

The 2017 Payment Security Report by Verizon also showed that the retail industry struggled the most with two of PCI DSS’s 12 requirements:  

• Requirement #4, which refers to measures taken to protect consumer data as it is transmitted over networks and the internet. 
• Requirement #11, which refers to need to regularly test systems for vulnerabilities. 

1. Protecting Data in Transit (Requirement #4)

When it comes to facing the challenge of protecting data in transit, retail is not alone; mastering secure data transfers is an essential for all industries. It is far easier to protect data at rest than it is to protect a moving target. Fortunately, there are more and more ways to safeguard data on the move including managed file transfer, which offer secure protocols and use strong ciphers and encryption keys that follow the PCI DSS. Additionally, you can use an MFT solution that facilitates compliance by providing prompts and warning when certain policy requirements are at risk. 

2. Testing Security (Requirement #11)

The vulnerabilities-testing requirement in the PCI DSS ultimately exists to help protect customers from system weaknesses. Businesses need to develop a strict testing regimen that includes the use of vulnerability scanners and penetration testing programs.  As with most industries, system environments for retail chains are constantly changing. Therefore, regular testing is needed. This means testing is never a one-and-done requirement, but a permanent condition of doing business. 

Taking Inventory of Compliance Costs

While compliance can be a costly and continuous mountain to climb, particularly for large retail chains, the cost of not meeting compliance is greater. In fact, the cost of non-compliance can spike up to two times the cost of compliance, according to Globalscape’s study with the Ponemon Institute. 

For most companies, the price of non-compliance is more than just a slap on the wrist from a regulatory entity. These damages can manifest in several ways, including:

• Business disruption – The ability to do business can be disrupted by non-compliance due to regulatory sanctions or shutdowns, as well the loss of current – and future – customers and partners due to a lack of consumer trust and loss of reputation.
• Productivity declines – System downtime can often result from non-compliance. This prevents staff from completing crucial tasks and can significantly hinder operations. 
• Fines, penalties, settlement costs – This includes legal costs as well as money spent resolving compliance issues. 

Maintaining regulatory compliance is not only fiscally responsible, it's the right thing to do. Regulations exist to protect consumers – and ultimately your business – by safeguarding sensitive data. Businesses would do well to remember they are essentially stewards of this data once their customers have entrusted them with it.

Download the full report, True Cost of Compliance with Data Protection Regulations

Download now

Related PCI DSS Resources

Whether you are facing an audit or working to achieve PCI DSS compliance, this guide can help. Demystifying PCI Standards: 12 Steps to Help You with Compliance

The Regulatory Compliance and Advanced Authentication Modules exceed security practices the PCI DSS mandates, among others. Learn more: Facilitate PCI DSS Compliance with EFT