PCI DSS Compliance for Retail and OpenVPN Cloud
How Retailers Can Protect Customer and Card Information in the Cashless e-Commerce Era
As we emerge from the global pandemic, retail is growing at levels not seen in over 15 years. Retail sales grew an estimated 6.7% in 2020, well above the five-year average of 4.4%.
NRF forecasts sales will grow between 10.5% and 13.5% to more than $4.44 trillion in 2021. — National Retail Federation
Cashless e-commerce purchases were already on the rise before COVID-19. Once the pandemic hit, even brick-and-mortar retail outlets moved away from cash transactions, and most don't appear to be reversing that trend. Shift Credit Card Processing reports that there are 1.06 billion credit cards in use in the United States of America and 2.8 billion credit cards in use worldwide. The majority of those cards are from card brands Visa, Mastercard, Discover, and American Express, with Mastercard accounting for 551 million credit cards worldwide. According to Nilson Report, there were 131 billion purchase transactions in the U.S. alone in 2021. The number of transactions is projected to climb to 169 billion in 2026.
Both retailers and customers benefit from the customized shopping experiences made possible by modern data analytics and segmentation. At the same time, every card transaction captures data that attackers want: cardholder names, primary account numbers (PANs) for credit and debit cards, expiration dates, and the authentication data used to approve the payment. That's why, in 2006, the PCI Security Standards Council (PCI SSC) was founded by American Express, Discover, JCB International, MasterCard, and Visa Inc. This global forum brings payments industry stakeholders together to develop and drive the adoption of data security standards and resources for safe payments worldwide.
Good to Know: The 2020 Verizon Payment Security Report found only 27.9 percent of organizations achieved full PCI DSS compliance in 2019. Check your company's status with this Self-Assessment Questionnaire (SAQ).
What is the Payment Card Industry Data Security Standard (PCI DSS)?
The PCI DSS is the baseline set of security requirements for protecting cardholder data while it is stored, processed, or transmitted. The requirements apply to every system component that stores, processes, or transmits cardholder data, and to any component connected to or able to affect the security of those systems (together, the cardholder data environment, or CDE). The goals of the PCI requirements are to help companies:
- Build and Maintain a Secure Network.
- Protect Cardholder Data.
- Maintain a Vulnerability Management Program.
- Implement Strong Access Control Measures.
- Regularly Monitor and Test Networks.
- Maintain an Information Security Policy.
To achieve these goals, the PCI Security Standards Council set the following PCI DSS requirements:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Use and regularly update anti-virus software or programs.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need to know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security for all personnel.
Good to Know: An Attestation of Compliance (AoC) is the signed statement that a merchant or service provider has completed a PCI DSS assessment; a Report on Compliance (RoC) contains the detailed results of that assessment. Merchants eligible to self-assess complete the appropriate Self-Assessment Questionnaire (SAQ) and attest on that basis; larger merchants and service providers are assessed on site by a Qualified Security Assessor (QSA), who produces the RoC that the AoC summarizes.
The Benefits of Being PCI Compliant
The average retail data breach cost in 2021 was $3.27 million. While the industry doesn't make the top 10 for most costly data breaches, the increase from $2.01 million year-over-year is cause for concern. PCI compliance helps retailers avoid breaches, the fines associated with non-compliance, and the loss of confidence of card brands, acquiring banks and financial institutions, payment processors, and customers. The card brands do not publish their fine schedules, but non-compliance fines are widely reported to range from $5,000 to $100,000 per month until the issue is resolved.
Good to Know: Organizations spend an average of $5.47 million on compliance, compared to an average of $14.82 million on the consequences of non-compliance.
How OpenVPN Cloud Helps Retailers Meet PCI DSS Requirements
As consumers and retailers move away from cash transactions, opting for cards and payment applications, retailers need robust, reliable security controls in place. OpenVPN Cloud is one component of a layered security approach: a network-layer control that, alongside endpoint protection, helps mitigate malware, phishing-delivered payloads, and other attack vectors. This virtualized networking solution includes firewall capabilities, enterprise-grade encryption, IDS/IPS, and user authentication. Mapped to the requirements above, encrypted tunnels address the requirement to encrypt cardholder data in transit across open, public networks; access policies and firewall capabilities support restricting network access to the cardholder data environment; per-user authentication supports the requirement for a unique ID for each person with access; and traffic reporting supports tracking and monitoring access to network resources. No single product makes a merchant PCI compliant, and a VPN that carries cardholder data is itself part of the assessed scope, so it must be configured, segmented, and logged to the same standard as the rest of the CDE.
Cyber Shield, a built-in feature of OpenVPN Cloud, provides Traffic Reporting with detailed statistics on traffic threats (malware, intrusion, DoS) and the device of origin. Network administrators can use detailed DNS Filter Reporting (exportable to CSV) on observed and blocked domain name queries from users for risk assessment and for refining security policies.
Good to Know: Sensitive Authentication Data (SAD) — full track data from the magnetic stripe or chip, card verification codes/values (CAV2/CVC2/CVV2/CID), and PINs or PIN blocks used to authenticate cardholders and authorize transactions — must not be stored after authorization, even if encrypted. The cardholder data that may be retained after authorization is limited to the primary account number (PAN), expiration date, service code, and cardholder name, and a stored PAN must be rendered unreadable (truncated, hashed, tokenized, or encrypted) and masked to at most the first six and last four digits wherever it is displayed.
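The storage rule above is easy to state and easy to violate in practice, usually by a debug log or a database column that keeps the whole authorization request. The following is an added example, written for this page and not code from the original article or from OpenVPN. It shows the two checks a retailer's application team would want: a function that strips SAD and masks the PAN before a record is persisted, and a scanner that flags unmasked, Luhn-valid PANs in log text. The record layout, field names, log format and sample values are assumptions made for illustration; the PANs are the public test-card numbers, not real cards. Requirement numbers in the comments follow PCI DSS v3.2.1.

```python
"""Strip Sensitive Authentication Data (SAD) before storage, mask the PAN,
and scan log lines for unmasked PANs.  Added example; the record layout,
field names and samples are assumptions, not the article's or OpenVPN's code."""
import re

# Field names treated as SAD.  Assumed layout for this example; SAD must never
# be stored after authorization, even encrypted (PCI DSS v3.2.1 Req. 3.2).
SAD_FIELDS = {"cvv", "cvc", "cid", "cav2", "track1", "track2", "pin", "pin_block"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum carried by every card PAN; rejects random digit runs
    (order numbers, timestamps) that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six (BIN) and last four digits, the display
    maximum under Req. 3.3; separators are dropped, the middle becomes '*'."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_for_storage(record: dict) -> dict:
    """Return a copy that is safe to persist: SAD fields removed, PAN masked.
    A masked PAN may be stored in clear.  If the full PAN is needed (recurring
    billing), it must instead be encrypted or tokenized (Req. 3.4); that
    path is deliberately not offered here."""
    safe = {k: v for k, v in record.items() if k.lower() not in SAD_FIELDS}
    if "pan" in safe:
        safe["pan"] = mask_pan(safe["pan"])
    return safe


# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits.  Candidates are then confirmed with Luhn.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_unmasked_pans(lines):
    """Return [(line_no, pan_digits)] for every Luhn-valid PAN in the text.
    Intended to run over application logs before they are retained (Req. 3.4
    applies to logs too) or as a periodic check under Req. 10/11."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in _PAN_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                hits.append((n, digits))
    return hits


# Constructed sample data for the example.  4111 1111 1111 1111 is the
# well-known Visa test number; the track2 value is a made-up fragment.
SAMPLE_RECORD = {
    "pan": "4111 1111 1111 1111",
    "expiry": "12/26",
    "name": "A. Cardholder",
    "service_code": "201",
    "cvv": "123",
    "track2": "4111111111111111=26122011234567890",
}

# Constructed log lines: a correctly masked entry, a debug leak, and a
# 13-digit order id that fails Luhn and must not be flagged.
SAMPLE_LOG = [
    "2021-11-03T14:02:11Z pos-07 auth ok pan=411111******1111 amount=42.10",
    "2021-11-03T14:02:12Z pos-07 DEBUG raw request pan=4111111111111111 cvv=123",
    "2021-11-03T14:02:13Z pos-07 order id 1234567890123 shipped",
]

if __name__ == "__main__":
    print(sanitize_for_storage(SAMPLE_RECORD))
    for line_no, pan in find_unmasked_pans(SAMPLE_LOG):
        print(f"unmasked PAN on log line {line_no}: {mask_pan(pan)}")
```

The scanner reports the leaked number already masked, so the alert itself does not become a second copy of the PAN. The Luhn filter is what keeps a check like this usable on real logs; without it, every 13-to-19-digit identifier (order numbers, timestamps, tracking codes) would be a false positive.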
Make OpenVPN Part of Your Security Stack Today
In 2020 credit cards (38%) were the most used payment method in the United States, followed by debit cards (29%). Yes, there are risks associated with card transactions — for both retailers and consumers — but deploying reliable security and ensuring that PCI DSS requirements are met can protect buyers and sellers. Start protecting your company and customers today with three free OpenVPN Cloud connections.