The Payment Card Industry Data Security Standard (PCI DSS) was released 20 years ago. This was a compliance standard required by the five major credit card brands—Visa, Mastercard, American Express, Discover and JCB—for retailers to prevent theft of consumer cardholder data.
PCI DSS 4.0, the updated version of the standard introduced in March 2022, has been the only active version since it took effect in March 2024.
Merchants that store, process, or transmit cardholder data must be PCI compliant—if not, they’re at risk of costly fines, higher exposure to fraud and data breaches, revenue losses, card processing restrictions and even the loss of the business. The compliance levels are based on the number of transactions a retailer processes annually:
- Level 1: Over 6 million transactions per year.
- Level 2: 1 to 6 million transactions per year.
- Level 3: 20,000 to 1 million transactions per year, including e-commerce merchants.
- Level 4: Fewer than 20,000 transactions per year, or up to 1 million.
Level 1 merchants like FKG Oil/Moto C-Stores, a family-owned company with 85 c-stores in six states (Illinois, Missouri, Indiana, Ohio, Wisconsin and Minnesota), have found that it’s necessary to work with industry partners given the scope and expense of managing PCI compliance requirements and milestones.
Bryan Benner, vice president of information systems, said that his team at FKG Oil works with firms that manage and reduce audit prep time and organize compliance targets, including a qualified security assessor (QSA) company and a managed network service provider (MNSP).
“Level 1 merchants are required to use an outside auditing firm like a QSA,” Benner said. “Our QSA allows for a continuous compliance approach. Instead of gathering all required evidence at the start of the yearly audit, we can provide updated evidence and penetration testing throughout the year, which saves us time and stress.” Additionally, the company’s MNSP has “full PCI knowledge and certification” and assists with “continuous cyber security facets.”
Convenience store chains typically have a small IT staff. “At our company, anytime there's a big change like PCI, it validates the expense for a partner because if we were to bring it in-house, we’d probably double the expense,” said Benner.
Brad Buckmaster is the IT manager at Oregon-based Plaid Pantries Inc., which operates 107 stores in the Pacific Northwest. He agrees that retailers should consider outsourcing as much of the process as they can while still addressing the requirements.
“I would recommend reducing your scope as much as possible. For example, outsource firewall management to an entity that can perform this for you and make sure their roles and responsibilities are clearly laid out,” he said.
Buckmaster also suggests considering whether to train and certify an Internal Security Assessor (ISA)—“especially if you are allowed to fill out your own PCI Self-Assessment Questionnaire (SAQ).” An in-house ISA would understand the mechanics of an assessment and the evidence needed for each requirement, “which would lead to the likelihood of not needing to remediate something a QSA finds in its assessment,” he said.
Preparing for PCI DSS 4.0 Requirements
Greg DeClue, cyber operation manager at Omega ATC, a PCI DSS Level 1 managed security services provider (MSSP/MDR), said that PCI DSS 4.0 has real implications for Level 1 merchants, particularly as they prepare for their audit.
Level 1 merchants are required to have their QSA prepare a Report on Compliance (ROC), an on-site assessment of compliance with PCI DSS 4.0, according to the PCI Security Standards Council.
“The ROC can be hundreds of pages longer than in previous years. While implementing these updates can feel burdensome, retailers should remember that the new requirements help ensure the necessary security to defend against today’s hackers looking to steal sensitive data. Implementing these new changes now will make their QSA audit preparation much easier.”
This article is the first in a series that explores how several retailers are staying on top of the new PCI DSS 4.0 requirements. Our next article focuses on the difference between being “PCI compliant” and “cyber secure.”