
With plastic card fraud losses on UK issued cards now exceeding £600 million per annum, banks are placing increasing pressure on mid-size retailers to comply with the Payment Card Industry (PCI) Data Security Standard (DSS). But the challenges associated with achieving compliance are causing some retailers to take the retrograde step of replacing perfectly good integrated payment systems with stand-alone "pre-approved" card payment devices because they avoid the headache of a complicated PCI approval process.
This approach may be a quick fix, but it can compromise customer service, add cost at the PoS and complicate the move into multi-channel retailing. Furthermore, PCI compliance is not a one-off event; it is part of a continuous process of hardening and tightening payment security. Retailers will have to undertake a self-assessment audit annually, and therefore opting for a pre-approved PCI compliant device today does not mean it will necessarily be approved next year.
PCI deadlines
Although it is several years since the PCI DSS was introduced in the US, it is only now that the UK’s mid-sized retailers are coming under serious pressure to comply. And while banks appear to be inconsistent with both deadlines and the associated threat of fines or penalties, no retailer can afford to ignore the implications of PCI compliance for much longer.
Failure to comply with the standards exposes a retailer to two types of liability. Firstly, the contract with the card issuer provides for substantial penalties. Secondly, and more significantly, retailers are subject to "charge-back" liability for damages suffered by the card issuer as a result of a data breach.
The losses sustained by card issuers include not only the fraudulent charges made on the accounts of the victims of identity theft, but also the administrative costs associated with issuing new cards to customers whose personal information may have been compromised, so these costs can be significant. Add in the damage to reputation associated with the loss of customer card details, and the long-term implications of a breach could look bleak.
Compliance challenge
At first glance, the PCI requirements may not appear to be particularly lengthy or arduous. The standard encompasses only six categories and most mid-sized retailers will be able to undertake an annual self-assessment. But this can be misleading. Each of the six categories contains 12 requirements that address particular technical issues and also stress web application security, with each requirement including some 30 to 40 sub-clauses. It can also be difficult to interpret each sub-clause within the context of a particular retail environment.
Once the initial business audit is carried out by a PCI approved consultant, retailers face a tough and expensive challenge. The audit identifies at a high level the areas in which the company fails to meet the requirements of the standard – a gap analysis – and includes a list of proposed remedial actions that will have to be taken before any attempt at PCI self-assessment can be made. This process is key to identifying areas of weakness, which can range from inadequate wireless network security in store to improper storage of customer data, a lack of encryption or poor HR processes.
Business constraint
Given the extensive list of requirements revealed by the gap analysis, what options are available to medium sized fashion and lifestyle retailers for achieving PCI compliance? One route is to buy pre-packaged components – such as handheld chip and PIN devices and off-the-shelf web payment gateways – that are already compliant. However, whilst this simplifies the compliance process it can also constrain the business. Many retailers, particularly the larger ones, have worked hard to achieve an integrated multi-channel business model. Adopting these simple, separate payment systems can be a retrograde step which takes retailers back to a less integrated business model, or prevents them moving toward one.
Separate pre-packaged payment systems (at store, on the web and for mail order) make reconciliation more difficult and will introduce more opportunity for error. Without an integrated payment gateway, a business cannot easily deliver the seamless multi-channel service that all fashion retailers aspire to.
For example, customers buying online may find funds taken from their account before the goods are despatched. A customer contacting a call centre to ask for a partial credit may get an inferior service because there is no clear visibility of payments across channels. And in store, chip and PIN devices that are not fully integrated with the PoS are slower, less reliable and more complex to operate and maintain. Furthermore, they are unlikely to support capabilities such as stored value cards, gift cards, loyalty systems and tax-free shopping.
Enabling business
Larger retailers have known for a long time that a single, end-to-end approach to the card payment environment means better customer service, lower merchant rates through a single acquiring bank, better reliability and improved speed and traceability.
Yet for a small or medium-sized fashion retailer, gaining a compliance certificate for an integrated payment system can look expensive and time consuming. The retailer might reasonably ask whether retaining these business benefits is worth the expense. The cost of a PCI consultant to undertake a gap analysis and advise on the remedial work required, followed by the implementation of all the necessary changes - both technical and in terms of business processes and security - can run into £100,000s. It is therefore no wonder that some retailers are thinking of ditching their integrated solutions in favour of simple but less effective, pre-approved devices.
An alternative is to work with a vendor that delivers integrated multi-channel solutions and has already embarked upon a level 1 PCI compliance process for the entire end-to-end suite. With this approach, the onus is on the vendor to identify the underlying software, hardware and wide area network components required to gain and maintain PCI compliance. This model not only ensures that retailers retain the benefits of an integrated multi-channel strategy but also gives them a fast-track, low-cost route to compliance, not just today but for the future, where an integrated approach to multi-channel trading will become ever more important.
Conclusion
This is not a one-off issue for retailers: compliance requires an annual audit or self-assessment. Indeed, the payment card industry is in an endless arms race with the hackers and fraudsters. As the criminals get ever more sophisticated, PCI and retailers have to up the ante and implement ever more sophisticated security standards.
So opting to retrench today by casting out all the benefits that integrated technology can bring in terms of efficiency and improved customer service may solve the immediate PCI problem. But it is a short-term fix that comes at the expense of future business efficiency and customer satisfaction.
Furthermore, it simply delays the inevitable. Fashion businesses are moving ever more deeply into integrated multi-channel retailing. Those who have adopted ad-hoc systems to get round short-term PCI problems will sooner or later need to reintegrate their systems to compete with the market leaders. The best of both worlds is low-cost PCI compliance without compromising the increasingly important multi-channel business model.