Posted by: Justine Arthur

Getting full Payment Card Industry Data Security Standards (PCI DSS) compliance remains a headache for many retailers and the cost of non-compliance also seems to be a growing concern.

With many UK retailers struggling to keep their heads above water and others stuck in a seemingly endless sale period, the need to plan and pay for compliance is slipping down the list of priorities.

Now there are also additional pressures as many of the first and some of the second phase Chip and PIN Entry Devices (PEDs) reach end of life.

If PCI DSS is a burden and PED replacement a challenge, then combining the two may, on the surface, appear to be a total non-starter, but there may be some merit in taking both challenges head on.

Why, I hear you ask? Not least because not every retail IT team has enough people today to deal with business as usual, so finding two of the team to devote to PCI DSS is a problem before you start.

Then there is the need to keep up to date with the standards and to keep on top of the part of the retail estate that is in scope for PCI DSS.

Defining a cost-effective way to get and retain PCI DSS certification

Over the last couple of years I have been out in the market looking for ways to reduce the PCI DSS burden, and over the past six months I have been helping some of our retail customers come to terms with compliance in a number of ways, focussing on cost and ROI as much as on finding the best solution for their business.

Taking a step back from this process, we have some lessons which apply generally to retail and some results which I think will surprise many, including:

• Redesigning integration layers so that Point of Sale environments no longer have the full Primary Account Number (PAN) stored, or used as a key to the transaction or customer.

• The same level of information can be derived from truncated card data combined with tokenisation or hash values.

• Working with truncated data instead of full card details will satisfy most reporting and analysis requirements.

• Moving to a hosted solution may be more cost effective in both the short and the long term.
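The first three points above describe one design: the integration layer replaces the full PAN with a truncated form for reporting and a keyed token that stands in for the card as the transaction and customer key. The Python below is an added example written for this post, not code from BT Expedite or from the white paper; the key value, the record layout and the function names are assumptions. It uses an HMAC under a secret key rather than a plain hash, because a truncated PAN stored beside an unkeyed hash of the same PAN leaves only the masked middle digits to brute-force, which is why PCI DSS requires additional controls wherever hashed and truncated versions of a PAN coexist in the same environment.

```python
"""Keep full PANs out of the point-of-sale integration layer: truncate for display
and reporting, and derive a keyed token to use as the transaction/customer key."""
import hashlib
import hmac
import re
from collections import Counter

# Constructed demo key (assumption). In a real estate this lives in an HSM or key
# vault on the tokenisation side, never in POS code or configuration files.
TOKEN_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)


def luhn_valid(pan: str) -> bool:
    """Luhn check: rejects mistyped PANs before they enter the system."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, the maximum PCI DSS allows
    to be displayed; this is still enough for BIN (issuer) analysis and receipt
    matching."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenise_pan(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed HMAC-SHA256 of the PAN. Stable per card, so it can key transactions
    and customer lookups, but useless to an attacker who lacks the key."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def pos_record(pan: str, amount_pence: int) -> dict:
    """Build the record that leaves the POS: no full PAN anywhere in it."""
    pan = re.sub(r"\D", "", pan)            # strip spaces and dashes from input
    if not 13 <= len(pan) <= 19 or not luhn_valid(pan):
        raise ValueError("invalid PAN")
    return {
        "card_token": tokenise_pan(pan),
        "pan_truncated": truncate_pan(pan),
        "amount_pence": amount_pence,
    }


def contains_full_pan(record: dict) -> bool:
    """Integration-layer sanity check: flag any field holding a stand-alone run of
    13-19 digits that passes Luhn. Word boundaries keep hex tokens from being
    flagged on a chance digit run."""
    for value in record.values():
        for candidate in re.findall(r"(?<!\w)\d{13,19}(?!\w)", str(value)):
            if luhn_valid(candidate):
                return True
    return False


def repeat_card_counts(records) -> Counter:
    """Reporting on token plus truncated data only: how often each card was used."""
    return Counter(r["card_token"] for r in records)


if __name__ == "__main__":
    # Constructed sample transactions using the well-known Visa test PAN.
    sales = [pos_record("4111 1111 1111 1111", 1999), pos_record("4111111111111111", 250)]
    for rec in sales:
        assert not contains_full_pan(rec)
    print(sales[0]["pan_truncated"], repeat_card_counts(sales).most_common(1))
```

The `contains_full_pan` check is the kind of guard worth running on every message the integration layer emits, so that a later change to a report or log format cannot quietly reintroduce the full PAN and pull that system back into scope.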


With the further clarification on emerging technologies (Point-to-Point Encryption) anticipated in September, you may find my new white paper a useful opener to the debate that I am sure many retailers are about to reignite within their businesses over the next three to six months.

Kevin Burns is a PCI & Payments Consultant for BT Expedite. For more information on PCI, or to download Kevin’s white paper, visit our website. You can also contact Kevin online or reach him on 0870 8506880.
