Expert Q&A: A PCI primer for brick-and-mortar merchants
If you accept customers' cards as payment, you have an obligation to protect their data. And that means compliance with the Payment Card Industry Data Security Standard (PCI DSS).
PCI compliance is a necessary evil for many small brick-and-mortar merchants. Although compliance helps protect them and their customers from the disastrous consequences of data breaches, it's a complex process that new business owners often find daunting. Is your equipment PCI compliant? Are your business practices PCI compliant? And, if not, what are the consequences?
To answer these questions, we turned to payment security expert Branden R. Williams. Named the 2008 Payment Security Professional of the Year by the Society of Payment Security Professionals, Williams also co-authored the book, "PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance."
Here, he shares what brick-and-mortar merchants need to know about PCI compliance.
MerchantAccountInformation: What makes payment equipment PCI compliant (or not PCI compliant)?
Branden Williams: Equipment itself cannot be certified as PCI compliant, but that doesn't stop marketers from putting that label on their products. Equipment only has the ability to operate in a compliant manner, but that depends on how it is made, configured, installed and used.
As an example, devices listed on the PA-DSS Compliant list [Payment Application Data Security Standard -- a list of equipment vetted by the PCI Security Standards Council] can be installed and used in non-compliant ways by turning on or off certain features. The only way to really understand if the equipment is functioning in a compliant way is to do an assessment and then rigorously control changes to the device such that you are operating in a known-good state.
MerchantAccountInformation: What equipment do brick-and-mortar merchants commonly use that should be checked for PCI compliance?
Williams: Merchants accepting card-present transactions will probably have a point-of-sale system, a PIN entry device and any number of back-of-house systems that might connect into the same network. All of those systems should be checked for compliance.
Merchants should ensure that systems used for payment processing -- be it the actual point-of-sale device or a server system in the back-of-house that aggregates and batches -- should not be used for any other function, such as surfing the Web, checking email or using social media. Attackers target these systems and typically can compromise them very easily if they are actively using the Internet.
MerchantAccountInformation: How do you know if your equipment (like your card reader and point-of-sale system) is PCI compliant? How do you check?
Williams: There are a number of ways to check that include going through the full PCI DSS requirements and assessing your systems against the relevant ones. You can also perform scans on the systems with vulnerability scanners, compliance scanners and data discovery tools to ensure your systems are patched, compliant and do not contain at-risk cardholder data. Merchants must understand how their systems inter-operate and the function of each component so that they will know which areas to inspect when checking for compliance.
MerchantAccountInformation: What are the risks of not having compliant equipment?
Williams: The biggest risk is a breach. I have worked many breaches over the last several years where companies went out of business due to poorly maintained point-of-sale systems. While PCI compliance does not guarantee security, it does establish a baseline from which you can build.
MerchantAccountInformation: If you are using older equipment, is it less likely to be PCI compliant?
Williams: Not necessarily, unless that equipment has never been upgraded or maintained. I have seen systems deployed several years ago that can and do operate in a PCI-compliant manner.
MerchantAccountInformation: If your equipment isn't compliant, what are the next steps you must take?
Williams: The first step is to do an assessment to understand your level of compliance. PCI is not like other initiatives. You are either meeting all of the requirements to be compliant, or you are not compliant even if you only miss one requirement. There are no partials here.
MerchantAccountInformation: Anything else brick-and-mortar merchants should know?
Williams: Certainly. PCI Compliance is a headache that nearly every merchant can avoid by outsourcing payments processing to a third party. Several large processors now offer services to handle the payments for the merchant and guarantee they will be compliant.
If you choose to maintain your own systems, do them vigilantly. Ensure you are fully patched, you are on top of your functionality updates and you scan for payment card data and delete or destroy everything you don't need.

See related: How to make smartphone and tablet payments secure; In rush to mobile market, merchants vulnerable to fraud
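As an added example (not from the interview or its participants), here is a minimal version of the data discovery step Williams recommends: a scanner that looks for Luhn-valid card numbers in files and reports them in masked form only. The file paths and log lines are constructed sample data built from well-known test card numbers, and the dictionary of files stands in for walking a point-of-sale drive.

```python
import re

# Candidate: 13 to 19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side (so long numeric IDs are skipped).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod-10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """PCI DSS allows showing at most the first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_files(files: dict[str, str]) -> list[tuple[str, int, str]]:
    """Return (path, line_no, masked_pan) for every Luhn-valid PAN found.

    `files` maps path -> contents, standing in for walking a POS drive; the
    full number is never returned, only the masked form."""
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for m in PAN_CANDIDATE.finditer(line):
                digits = re.sub(r"[ -]", "", m.group())
                if 13 <= len(digits) <= 19 and luhn_ok(digits):
                    findings.append((path, line_no, mask_pan(digits)))
    return findings

# Constructed sample data using well-known test card numbers, not real data.
SAMPLE_FILES = {
    "pos/batch.log": (
        "auth ok amt=19.99 pan=4111111111111111 exp=**/**\n"
        "auth ok amt=5.00 pan=5555 5555 5555 4444\n"
        "order id 1234567890123456 fails Luhn and is not a card\n"
    ),
    "backoffice/contacts.txt": "call 555-0100; ticket 12345678901234567890\n",
}

if __name__ == "__main__":
    for path, line_no, masked in scan_files(SAMPLE_FILES):
        print(f"{path}:{line_no}: {masked}")
```

Anything the scanner reports in a batch log or back-office file is data the merchant is storing and must either justify under PCI DSS or delete, as the answer above advises.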
Published: September 28, 2020