Are You Both PCI Compliant and Cyber Secure?

  • Team Omega
  • September 6, 2024

Your cyber risk management measures must go beyond PCI compliance.

Released 20 years ago, the Payment Card Industry Data Security Standard (PCI DSS) is the compliance standard required by the five major credit card brands—Visa, Mastercard, American Express, Discover and JCB. Merchants that store, process or transmit cardholder data must be PCI compliant.

PCI DSS 4.0, the updated version of the standard, has been the only active version since it took effect in March 2024. This set of guidelines and security requirements is designed to protect your customers’ card data and reduce the risk of a data breach.

Noncompliance puts retailers at risk of costly fines, higher exposure to fraud, data breaches, revenue losses, card processing restrictions and even the potential loss of the business.

Protecting against data breaches and fraud through PCI compliance is one layer of protection, but being cyber secure is equally important.

Data breaches occur when an unauthorized third party accesses sensitive and confidential information through card skimming, phishing scams or other tactics. Cyberattacks, however, are even more devastating. These malicious crimes give unauthorized access to an entire system, computer or network to steal data or disable the system, leading to massive damage on many fronts, like the May 7, 2021, ransomware attack on Colonial Pipeline.

“Being PCI compliant is a ‘low water mark,’ while being ‘cyber secure’ helps you to sleep better at night,” said Bryan Benner, vice president of information systems at FKG Oil/Moto C-Stores. He said the compliance requirements for meeting PCI mandates—albeit secure—are “the minimum levels to reach compliance,” whereas being cyber secure is a multi-pronged approach.

“You need to have multiple layers of security in place—beyond just being PCI compliant—to reach a much higher level of cybersecurity,” Benner said.

Brad Buckmaster, IT manager at Plaid Pantries Inc., said that being cyber secure is broader than being PCI compliant. “It encompasses all your domains, including areas that are out of scope for PCI compliance. If someone in the organization clicks a phishing or ransomware/malware link, it is just as devastating as someone who has access to personally identifiable information. An adversary could observe where to go for valuable storage and obtain it, so we need to be vigilant everywhere.”

An interruption in operations caused by a cyberattack can have huge impacts on the company and the community that go beyond data breaches. Therefore, retailers “should think beyond PCI compliance and ensure the overall business continuity and resilience of their critical operations,” said Ashwin Swamy, CEO of Omega ATC, a PCI DSS Level 1 managed security services provider (MSSP/MDR).

For example, cybersecurity approaches like network detection and response and threat hunting “provide the necessary artificial intelligence and proactive security measures required to mitigate known and unknown threats before they spread,” Swamy explained.

“Cybersecurity must be an organization-wide approach—a single compromised employee can serve as a backdoor for hackers. Human error or negligence still stands as the greatest cyber risk,” Swamy cautioned.

“We recommend that merchants think critically about how to best align board-level priorities, executive-level business objectives and IT operations to ensure the business’ overall cyber resilience,” Swamy continued, adding that alignment across the business on cybersecurity objectives “is one of the highest indicators of a successful cybersecurity program.”

This article is the second in a series that explores how several retailers are staying on top of the new PCI DSS 4.0 requirements. Read the first article, “How Retailer-Supplier Partnerships Help Enable PCI Compliance,” and be on the lookout for our next article focusing on how retailers can reduce liability and exposure for chargebacks/fraud.