PCI Compliance for Retailers

Customer data is invaluable to retailers, yet it is also their biggest headache. If they keep it, they have no choice but to protect it with encryption, tokenization, or both. Years ago, when data security was an afterthought, the PAN (the primary account number printed on the card) was used by legacy systems as the key for storing and retrieving customer records. As a result the PAN is embedded in many retailers' customer-facing systems, making them highly susceptible to a breach with severe consequences.
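The scope-reduction idea behind tokenization is that a system holding only tokens never sees a PAN and so falls outside the cardholder data environment, while the vault that maps tokens back to PANs stays in scope. The following is an added illustration written for this page, not code from Prime Factors or EncryptRIGHT: a toy in-memory vault that validates the PAN with the Luhn check, issues a random token of the same length that keeps the last four digits (so downstream systems that only need those keep working), deliberately rejects any candidate token that itself passes Luhn (so a token can never be mistaken for a live card number), and masks the PAN for display to the first six and last four digits. The vault class and the `4111111111111111` test number are constructed for the example.

```python
"""Added example: PAN tokenization and masking as a PCI scope-reduction technique.

Not EncryptRIGHT code. The vault is an in-memory dict for illustration; in a real
deployment the vault is the one component that stores PANs and it remains in scope.
"""
import secrets


def luhn_valid(pan: str) -> bool:
    """Return True if a digit string passes the Luhn check used by card numbers."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form permitted by PCI DSS Requirement 3.3: first six and last four visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Constructed toy vault: the only place a clear PAN is kept."""

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return a stable token for a valid PAN, creating one on first use."""
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]          # same PAN always maps to the same token
        while True:
            # Same length and same last four as the PAN so legacy formats still fit.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject tokens that pass Luhn (could be confused with a real PAN) and collisions.
            if luhn_valid(token) or token in self._token_to_pan:
                continue
            break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Recover the PAN; only systems inside the cardholder data environment may call this."""
        return self._token_to_pan[token]


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"        # well-known Visa test number, constructed input
    tok = vault.tokenize(test_pan)
    print("masked:", mask_pan(test_pan))
    print("token: ", tok, "(Luhn valid:", luhn_valid(tok), ")")
    print("round trip ok:", vault.detokenize(tok) == test_pan)
```

Because the token fails the Luhn check by construction, a data-discovery scan that flags Luhn-valid 16-digit strings will not report token stores as PAN stores, which is exactly the evidence a QSA looks for when agreeing that a system is out of scope.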

Retailers who suffer breaches get a double whammy: the damage to their brand can be devastating, and there is also a significant financial penalty in the form of large fines and liabilities that can total millions of dollars. While more than 38 states have enacted some sort of breach disclosure law, no topic has generated more angst and confusion in recent years than compliance with the Payment Card Industry Data Security Standard (PCI DSS, or just PCI).

PCI DSS is a multifaceted security standard maintained by the PCI Security Standards Council, which was founded by the card brands (Visa, MasterCard, American Express, Discover and JCB) to protect cardholder data, especially the PAN. It includes requirements for security management policies, procedures, network architecture, software design, and other critical protective measures such as encryption and key management. Retailers must validate compliance every year (an on-site assessment by a Qualified Security Assessor for the largest merchants, a self-assessment questionnaire for smaller ones). If a breach occurs and the retailer was not compliant, the card brands, acting through the retailer's acquiring bank, can impose penalties including the following:

  • $500,000 per data security incident
  • $50,000 per day for non-compliance with published standards
  • Liability for all fraud losses incurred from compromised account numbers
  • Liability for the cost of re-issuing cards associated with the compromise
  • Suspension of merchant accounts

Prime Factors’ EncryptRIGHT® software gives you a better way to achieve PCI compliance for data encryption and key management. In addition to meeting your PCI data encryption requirements, EncryptRIGHT provides flexibility in the way you can protect data, including tokenization, which takes systems that handle only tokens out of the cardholder data environment and so reduces the scope and cost of a PCI assessment. Note that the tokenization system itself, and any system able to retrieve the original PAN, remains in scope.

EncryptRIGHT comes bundled with key management, secure audit logs and predefined PCI reporting capabilities. Centralized key management ensures that you comply with the PCI DSS Requirement 3 controls for encryption key generation, distribution, storage, rotation and replacement, giving you what you need to achieve PCI compliance for data encryption and key management.

EncryptRIGHT comes with standard PCI reports designed to satisfy your Qualified Security Assessor (QSA), and help you pass your PCI audit.