Retail Executive

SEP-OCT 2017


Retail Executive: How does the public comment process work?

Leach: The request-for-comment period typically lasts from two weeks to six months. On larger standards like DSS, we might go to request for comment several times with changes we're considering and longer open periods. Other standards closer to release are from 14 to 30 days. Our PIN entry standard will probably have three rounds of comments (not including our community meetings we have worldwide). We have a dedicated working group made up of subject matter experts and task forces that are typically from our membership base. Also, we have 3,000 other security professionals (i.e., qualified security assessors [QSAs]). All said, we get a variety of feedback from thousands of different stakeholders. This process is much different from how other standards bodies work.

Retail Executive: What special initiatives are you working on that affect retailers?

Leach: Last year we created and published an educational resource for small retailers. We worked with the NRA (National Restaurant Association) and merchants to create our Payment Protection Resources for Small Merchants, including the Guide to Safe Payments with basic security guidance and the Common Payment Systems with use cases for 14 different payment device scenarios. The scenarios eliminate technical jargon and confusion, and one of the 14 scenarios is likely to match a retailer's situation. The document provides the 15 to 30 security controls that will be relevant to a retailer based on its situation. It pares down the 200+ controls of the PCI DSS standard and provides a practical set of controls that are actionable and able to be addressed by a non-IT person. In the year since the document was published, half a million merchants have been contacted with the materials, and they've been well received. We're now updating the document to include information on how a retailer can show its financial partners and customers that it has taken these basic security steps and applied them. The update should be released in the first half of next year.

Retail Executive: What programs exist to help retailers address payment security?

Mauro Lance, COO, PCI Security Standards Council: Our QIR initiative is designed for smaller merchants who rely on technology resellers to implement payment technology. Launched in 2012, the QIR program seeks to ensure that resellers have the necessary skills and understanding to properly implement Payment Application Data Security Standard payment applications in a way that supports their PCI DSS compliance efforts. Later this year, the council is expanding the scope of the QIR program to allow more solutions providers to benefit. This will provide the ecosystem with more qualified professionals and raise the collective security IQ of the industry. For large retailers, we have our QSA program. However, QSA companies have been telling us that there's a shortage of security professionals. Our qualification requirements are stringent, and QSAs have been asking how we can help bring new professionals into the industry. We recently did a soft announcement of our new Associate QSA program, which is a way to cultivate security professionals earlier in their careers and get them into the QSA pipeline. The Associate QSA program includes similar training as full-blown QSAs, but doesn't require all the certifications and tenure. Associates receive mentorship and learn in the field about PCI DSS assessments. Eventually, they will graduate to a full QSA.

Retail Executive: What are the areas of security that you find most retailers struggle with?

Leach: First, let me point out that we've noticed that larger retailers have matured over the past few years to develop good security practices that consistently meet the PCI requirements. This is a great upward trend and a positive note for retailers. That said, one challenge is that criminals and malware targeting retail systems today aren't targeting solely large retailers. The data suggests that criminals don't care or even know if the target is large or small, as the malware is indiscriminate.

Retail Executive: What will payments look like five years from now?

Leach: The PCI Council and our related bodies are going to continue to pursue innovative ways to devalue data and reduce exposure to fraud. We've introduced point-to-point encryption (P2PE), payment tokens, and dynamic authentication that have all been very effective already. In fact, we've had numerous retailers reveal that they were breached, but the criminals couldn't collect any valuable data because it was all encrypted. Analysts anticipate that by the end of 2017, 97 percent of retailers will have some form of payment data encryption implemented. That is success, but we still have work to do. The next few years will be a renaissance for payment security. It's exciting.
