Video Text
Problems viewing the video? Try pressing pause and waiting for the video to fully download before pressing play.

Learning to get off the PCI fence

Wednesday 23 March, 2011

Learning to get off the PCI fence

At last week's Retail Technology Expo, our PCI experts outlined the problems retailers are having trying to meet PCI DSS compliance standards. It seems, amid the confusion, many are adopting a wait and see approach – and sitting on the fence for the time being. But there are some quick wins to be had – both in terms of tweaking your processes and educating your people. BT Expedite's PCI consultant Kevin Burns explains how...

If you're sitting on the fence just now, you're not alone. Lots of retailers are hesitating as they wait for more acquirer guidance or clarification on point to point encryption (P2PE). For many, the delay may be due to considerations such as needing some business buy-in or board approval, PED replacement looming or just the general economic outlook.

Even those that have started to make a move and taken a risk-based approach, implemented encryption for data and/or secured in-flight data, are still struggling with areas such as log management, wireless scanning and network segmentation. Most want clarification on P2PE and scope for their in-store solutions and network.

Keeping people aware of what they need to do

Of course, PCI DSS compliance is not all about the processes. It doesn't matter how good your system is, if your people don't know how to use it – and what their responsibilities are – your business could suffer.

Sections 12.4 and 12.6 of the PCI standards mandate the clear definition of policies and procedures and the need for an awareness programme across the organisation. This is a huge legal, financial and organisational burden. But our fully managed learning programme can help take the strain and simplify your PCI DSS compliance learning requirements.

BT Learn Diverse Head of Training Sally Taylor says: "We can provide a PCI learning portal – BT Comply PCI – tailored to your business and the individuals within it.

"BT Comply PCI delivers a fully managed and maintained PCI learning environment. It's accessible from any device with an internet connection and is packed full of features.

"You'll be able to communicate, train and reinforce key messages around the PCI standards, as well as tracking, monitoring and reporting on all activities performed by the company, store or individual. You'll even be able to give access to external auditors so they can confirm your compliance."

What are merchants saying?

Most have made some investment in PCI compliance and many have reduced their risk and scope. But getting from nearly there to complete is a problem in terms of time and cost. To comply from 2012, most UK and Irish retailers face PED (PIN entry device) replacement programmes, and choosing a P2PE solution directly affects that decision. But at the moment, we're seeing:

retailers using a managed service for payments has increased by 50% from 2009 to 2011*
remaining compliant with P2PE can reduce costs by up to 40%**
BUT only 19% are prioritising PCI over other spend*.

Recommendations

If you're wrestling with PCI compliance:

1. Consider P2PE

consider P2PE in line with PED replacement
select proven solutions, or trial technologies before committing
find a partner to work with that you can trust.

2. Look at options to further de-risk your environment in the short term

agree a way forward which reduces the scope of your infrastructure and simplifies your overall scope for compliance
agree a timeframe which is realistic and achievable (you will likely need to complete accreditations for example).

3. Always validate your approach with your acquirer and/or QSA

satisfy yourself that your QSA is on your side and understands your approach and priorities
try to run PCI changes with other changes, such as Contactless or Point of Sale enhancements, to improve ROI
get guidance from your peers
if the promise sounds too good to be true, it will be.

For more information on our end-to-end managed PCI service visit www.btexpedite.com/managedpayments or call 0870 8506880.

You can also download the BT Comply PCI product sheet, produced by BT Learn Diverse.


View more Retailer therapy ezines and articles

Subscribe to receive Retailer Therapy, our ezine, packed full of retail technology news, views, customer case studies and white papers direct to your inbox.

Change cookie settings

Help

The cookie settings on this website are set to 'allow all cookies' to give you the very best experience. If you continue without changing these settings, you consent to this - but if you want, you can change your settings at any time at the bottom of this page.

Change settingsI agree

Find out more about Cookies