As we continue with our series of PCI DSS and different industries, today let’s look at PCI DSS and retail. If you missed the first part about the ATM environments case, you can check it out here. So, what are the main challenges for the retail industry (or so-called ‘brick-and-mortar’ payment channel) when we’re talking about PCI DSS compliance validation?

Purely based on our experience dealing with a lot of retailers we can emphasize a few areas - a large number of stores and their geographical spread. This makes it very difficult to deal with certain PCI DSS requirements, such as internal vulnerability scanning, penetration and segmentation testing, backup of audit trails, scanning for unauthorized wireless networks, log management, and event analysis, file integrity monitoring. The best solution to this is to remove retail stores from the PCI DSS validation scope as much as possible.

Payment Card Industry Security Standards Council (PCI SSC) realized that and Point-to-Point Encryption (P2PE) program was introduced back in 2012. It took some time to kick-off and we had version 2 released in 2015. The whole idea of P2PE in simple terms is for a merchant (in our case retailer, brick-and-mortar, card-present payment channel only) to use a validated PCI P2PE solution (approved and listed by PCI SSC) in the stores. It would encrypt card data at the point of entry/interaction (POS device), while this data can only be decrypted by a service provider outside of the merchant’s environment. That way card data transmitted via the merchant’s network(s) is encrypted without the merchant’s ability to decrypt it, which significantly de-scopes the merchant’s card data environment (read more). For example, if a merchant is eligible to Self-Assessment Questionnaire (SAQ) validation, SAQ P2PE can be used, which consists of only 33 questions vs 200+ of all PCI DSS requirements.

This is a way to go for all retailers, but why is not everyone there yet? There are two main reasons - first, building a P2PE solution and its validation costs time and money to the vendors; second, and most important, P2PE solution validation is only possible using POS devices with SRED (Secure Reading and Exchange of Data) function. Unfortunately, for retailers, this means that a lot of older POS devices would have to be replaced with newer models, and that costs even more money, of course. It seems that a phased approach is being taken and we’ll see more and more retailers moving to validated PCI P2PE solutions in near future but perhaps slower than we’d expect to see.

In the meantime, PCI SSC has recognized two problems above and has issued a guidance for assessment of non-listed encryption solutions in 2016. The idea behind this is a chance for a retailer using non-validated PCI P2PE solution to approach their vendor asking them to engage P2PE QSA (Qualified Security Assessor) to perform NESA (Non-listed Encryption Solution Assessment). Based on NESA report retailer’s QSA might be able to reduce the scope of PCI DSS validation for that retailer. The level of scope reduction mainly depends on NESA report, in which P2PE QSA outlines how close or far the solution assessed is from meeting PCI P2PE requirements.

It is also important to note a very specific PCI DSS requirement 9.9, applicable to retailers, which involves the protection of devices that capture payment card data via direct physical interaction with the card from tampering and substitution. More importantly, this requirement is applicable even if a merchant uses a validated PCI P2PE solution. The requirement came into force in July 2015, and you can already find some tailor-made solutions in the market, such as our ZeroRisk PINPoint.

In summary, if you’re a retailer subject to PCI DSS compliance validation you should ideally and firstly look at the possibility to use P2PE validated solution. If not possible, ask your vendor to perform NESA, otherwise, brace for a tough journey towards PCI DSS compliance at your stores. You should also not forget PCI DSS requirement 9.9 (applicable regardless if you’re using a validated PCI P2PE solution or not) and find the most efficient solution suitable to your environment.

To ensure that you are keeping cardholder data protected, get in touch with our cyber security experts. The PCI compliance journey may seem overwhelming, but we are more than ready to walk you through this journey guaranteeing that nothing is missed.

Contact us

Irmantas Brazaitis

Written by Irmantas Brazaitis

PCI QSA and Information Security professional with more than 14 years of experience within the payment card industry. I’ve been involved in dozens of ATM compliance and security projects having worked for global payment service providers alongside the Fraud team, engaged in end-to-end fraud prevention process (from monitoring of suspicious transactions to seizure of criminals).

Certified as Qualified Security Assessor (QSA) by PCI Security Standards Council.