With many UK retailers struggling to keep their heads above water and others stuck in a seemingly endless sale period, the need to plan and pay for compliance is slipping down the list of priorities.
Now there is additional pressure as many first-phase and some second-phase Chip and PIN Entry Devices (PEDs) reach end of life.
If PCI DSS is a burden and PED replacement a challenge, then combining the two may, on the surface, appear to be a complete non-starter; but there is some merit in taking both challenges on together.
Why, I hear you ask? Not least because not every retail IT team has enough people today to deal with business as usual, so finding two of the team to deal with PCI DSS is a problem before you start.
Then there is the need to keep up to date with the standard as it changes and to keep on top of the parts of the retail estate that are in scope for PCI DSS.
Defining a cost-effective way to get and retain PCI DSS certification
Over the last couple of years I have been out in the market looking for ways to reduce the PCI DSS burden, and over the past six months I have been helping some of our retail customers come to terms with compliance in a number of ways, focussing on cost and ROI as much as on finding the best solution for their business.
Taking a step back from this process, there are some lessons which apply generally to retail and some results which I think will surprise many, including:
• Redesigning integration layers so that Point of Sale environments no longer store the full Primary Account Number (PAN), or use it as the key to the transaction or customer.
• The same level of information can be derived from truncated card data combined with a token or a hash value in place of the PAN.
• Working with truncated data instead of the full card details will satisfy most reporting and analysis requirements.
• Moving to a hosted solution may be more cost-effective in both the short and the long term.
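To make the first three points concrete, here is an added example (my own illustration, not code from any retailer or from the white paper) of what an integration layer can keep instead of the full PAN: a truncated PAN for reporting, a token from a vault for anything that must get back to the card, and a keyed reference for joining transactions to a customer. The vault class stands in for a hosted tokenisation provider, which the post does not name; the sample PAN is a well-known test number, not a real card. The last function shows why the hash must be keyed: a truncated PAN and an unkeyed hash of the same PAN, stored side by side, let anyone enumerate the masked digits and recover the full number.

```python
# Added example, not part of the original post: storing truncated PAN, token and
# keyed reference at the POS instead of the full Primary Account Number.
import hashlib
import hmac
import secrets
from typing import Optional


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test; a cheap sanity filter for anything claiming to be a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep the first six (issuer BIN) and last four, mask the rest: the PCI DSS
    truncation rule at the time of writing, and all most reports need."""
    if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
        raise ValueError("not a plausible PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_reference(pan: str, key: bytes) -> str:
    """Stable per-card key for linking transactions and customers without PAN.
    HMAC with a secret key, not a bare hash: the PAN space is small enough to
    enumerate (see recover_from_unkeyed_hash below)."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def unkeyed_digest(pan: str) -> str:
    """The weak alternative: SHA-256 of the bare PAN."""
    return hashlib.sha256(pan.encode()).hexdigest()


class TokenVault:
    """Stand-in for a hosted tokenisation service (an assumption; the post names
    none). The vault is the only component that holds full PAN."""

    def __init__(self) -> None:
        self._token_by_pan: dict = {}
        self._pan_by_token: dict = {}

    def tokenise(self, pan: str) -> str:
        if pan in self._token_by_pan:           # same card, same token
            return self._token_by_pan[pan]
        token = "tok_" + secrets.token_hex(8)   # random: carries no PAN information
        while token in self._pan_by_token:
            token = "tok_" + secrets.token_hex(8)
        self._token_by_pan[pan] = token
        self._pan_by_token[token] = pan
        return token

    def detokenise(self, token: str) -> str:
        return self._pan_by_token[token]


def pos_record(pan: str, vault: TokenVault, ref_key: bytes) -> dict:
    """What the POS / integration layer stores for a transaction: no full PAN."""
    return {
        "pan_truncated": truncate_pan(pan),
        "token": vault.tokenise(pan),
        "pan_ref": pan_reference(pan, ref_key),
    }


def recover_from_unkeyed_hash(truncated: str, digest: str) -> Optional[str]:
    """Why a truncated PAN and an unkeyed hash of the same PAN must not sit
    together: with first six and last four known, only the masked digits are
    unknown, and a million SHA-256 calls take seconds."""
    masked = truncated.count("*")
    prefix, suffix = truncated[:6], truncated[-4:]
    for n in range(10 ** masked):
        candidate = f"{prefix}{n:0{masked}d}{suffix}"
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


if __name__ == "__main__":
    sample_pan = "4111111111111111"        # constructed: a standard test number
    vault = TokenVault()
    key = secrets.token_bytes(32)          # in practice held in an HSM or KMS, not at the POS
    record = pos_record(sample_pan, vault, key)
    print("stored at POS:", record)
    print("recovered from unkeyed hash:",
          recover_from_unkeyed_hash(record["pan_truncated"], unkeyed_digest(sample_pan)))
```

Two points matter in practice. The HMAC key must live outside the POS environment (with the tokenisation provider or in an HSM); whoever holds it can run the same enumeration against the keyed reference, so it is the key, not the hash function, that keeps the reference out of scope. And the token is random rather than derived from the PAN, so a token leaking from a report or a support ticket tells an attacker nothing without access to the vault.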
And with further clarification on emerging technologies (Point to Point Encryption) expected from the PCI Security Standards Council in September, you may find my new white paper a useful opener to the debate that I am sure many retailers are about to reignite within their businesses over the next three to six months.