Who Needs to Comply With PCI Standards?

PCI Data Security Standard (DSS) compliance is a security standard applicable to every business or organization that processes, stores, or transmits credit cardholder information. Since 2014, every retailer–from brick and mortar to e-commerce companies that collect and process cardholder data must meet these PCI regulations.

PCI Compliance Mandates

PCI requirements run much deeper than just setting up firewalls – retailers must also meet the 12 conditions outlined in PCI DSS 3.2 to fully address a growing number of threats.

These include:

• Install and maintain a firewall configuration to protect cardholder data
• Do not use vendor-supplied defaults for system passwords and other security parameters
• Protect stored cardholder data
• Encrypt transmission of cardholder data across open, public networks
• Use and regularly update anti-virus software or programs
• Develop and maintain secure systems and applications
• Restrict access to cardholder data by business need to know
• Assign a unique ID to each person with computer access (no super admin passwords)
• Restrict physical access to cardholder data
• Track and monitor all access to network resources and cardholder data
• Regularly test security systems and processes
• Maintain a policy that addresses information security for all personnel

Addressing Operational Challenges to Meet PCI Compliance

Retailers must also establish operational measures to safeguard a customer’s PCI from accidental exposure, misuse, or cyber hacking to remain compliant as well. Because retail organizations are designed to be process-driven on handling customer transactions, all retail organizations must have a plan and procedures for all employees to follow, preventing sensitive customer information from being exposed and stolen. This includes compliance measures that address critical areas such as checkout and PoS stations, entrances and exits, storage and management rooms/offices, customer service areas, and inventory management processes.

Retailers are also required to have a robust standardization process in place. This can include physical access control to limit the number of people with access to critical areas and reporting standards that allow managers to easily track access by an employee and by daypart. Retailers are encouraged to install video security systems as an additional layer of protection, so they have video records of activity in all locations’ critical areas as part of their overall operational plan to safeguard patient data.

How Do PCI Compliance Regulations Affect a Multi-Site Retail Business?

Maintaining PCI compliance for single-location retail is complex to navigate, becoming more complicated in a multi-site world. To make matters more complicated, there are four different levels of compliance which a retailer must follow. All merchants fall into four groups (this is based upon credit or debit card transaction volume over 12 months). Unfortunately, many multi-site businesses fall into Phase 1, which requires the strictest level of compliance. For multi-site retailers, managing PCI compliance can cause decision paralysis to questions such as: How do I implement PCI compliance? Is there an affordable strategy to achieve PCI compliance system-wide? How do I sustain PCI compliance in a constantly evolving threat landscape? This is where the right security system makes all the difference.

What Are the Penalties For Failing to Meet PCI Compliance?

Although PCI compliance is not mandated on a federal or state level, it is regulated by credit card companies, resulting in costly legal and financial consequences if a retailer fails to meet any of the 12 stipulations. This can include initiating a federal audit, legal action, and monthly payments to credit card companies which can range from $5,000-$10,000. There’s also the indirect consequence of lost revenue when retailers fail to meet PCI compliance, such as losing customers followed by a security breach. In 2013, Target was sentenced to $18.5 million for an infringement that affected more than 41 million consumers, leading to a $440-million-loss of revenue in the first quarter after the breach. Unfortunately, even if you fall into non-compliance and haven’t experienced a security breach, it can be just as costly as one.

Traditional Video Security Systems and PCI

When an on-premise video security system is installed on the same network that houses servers with customer information and credit card information, it must be installed in a way that meets PCI compliance standards, especially when the system is set up for remote viewing access. To prevent this from occurring, retailers must depend on their IT team to have the knowledge to connect the security system to the network without creating deficiencies in the network infrastructure that could allow unauthorized access. Typically, the most secure setup is through a VPN, which is usually more complicated to establish and maintain and requires a higher level of vigilance from employees to maintain the integrity of the network by always going through a VPN to get network access.

With a traditional on-premise security system, retailers may not have the network expertise or internal resources to set up a VPN or unknowingly take shortcuts to attach a recorder to their network. Often the most significant risk is when owners or staff need remote viewing access to the video system. Unless the system is safeguarded by a VPN, opening ports, or setting up a peer-to-peer connection does not meet PCI network security standards. That means they are putting PCI at risk and could face issues with regulators.

With any on-premise device, there is also the risk of that recorder getting stolen. This means that typically the recorder must be placed in a secure, ventilated closet or area with limited access by only approved employees. To secure yourself and your retail organization against a security breach and remain in compliance with an on-premise system, retailers must have the proper infrastructure and IT team devoted to assign and/or disable restricted user's access to their network, install appropriate firewalls, and updates their system regularly.

From a multi-site perspective, they can lead to a tedious, time-intensive task of logging into each system’s network separately, troubleshooting failure hardware on location, and risking lost footage if a recorder is stolen.

How can retailers get the most value from the Cloud while ensuring they are PCI compliant? The answer lies in Alibi Cloud VS.

How Does Cloud Video Security Meet PCI Compliance Requirements?

Cloud video security allows business owners to meet all 12 PCI law requirements by providing a powerful off-premise, triple redundancy solution. Streaming footage directly to the Cloud (which eliminates the need for any on-premise equipment) with triple encryption and remote monitoring allows retailers to remain compliant, ensure protection cyberhacking to their network and meet all twelve PCI compliance regulations with a simple, streamlined solution.

How Does Alibi Cloud VS Help Retailers Provide Robust Video Security While Adhering to PCI Regulations?

PCI compliance is achieved by managing your data and configuring your security network. Because many retailers are vulnerable to cyber hacking caused by open ports (which can result in stolen footage or identity theft), it’s essential to have an effective and secure video security system in place. Any data shared via the Cloud should be protected by end-to-end encryption.

Cloud VS offers secure end-to-end encryption, appropriate firewalls, and triple redundancy ideally designed to address the industry’s most complex safety and security challenges. While a retailer can invest in an on-premise security system to handle their business’s footage and storage, Cloud removes the complexity of retail security by meeting the physical, operational, and technical requirements specific to PCI compliance as a whole.

Multi-User Management

Retailers face high turnover and frequent staff changes. Granting individual shift managers access (or disable them from your system) can become tedious and time-consuming with an on-premise recorder, requiring you to log into each separate location and adjust their permissions manually. Cloud VS allows you to save time and energy by quickly adding, disabling, and granting special permissions to an unlimited number of users within minutes - all done remotely.

When a video security system is installed on the same network that houses servers with customer information and credit card information, it must be installed in a way that meets PCI compliance standards, especially when the system is set up for remote viewing access. To prevent this from occurring, retailers must depend on their IT team to have the knowledge to connect the security system to the network without creating deficiencies in the network infrastructure that could allow unauthorized access.

Typically, the most secure setup is through a VPN, which is usually more complicated to establish and maintain and requires a higher level of vigilance from employees to maintain the integrity of the network by always going through a VPN to get network access. Because everything is handled in Cloud VS, users can log in and access any location or camera you grant them permissions to, click on the footage by camera, time, and or event, and seamlessly watch or download the video footage.

Scalability to Support Growth

Retailer’s needs are constantly changing. Whether it's caused by a new PCI compliance stipulation or they need to add an additional location to their network, their surveillance system must have the flexibility and adaptability to quickly grow within their network. With Cloud VS, increase or decrease your storage, users, cameras, or permissions within minutes. Want to add cameras at your flagship store, or do you need to grant new managers access to your network? It’s as simple as getting them on the network and adding them to your account. The Alibi Cloud VS camera-to-cloud solution allows you to pay for what you need and scale up or down at a moment’s notice while giving you ultimate control over the number of cameras, amount of storage, and users you grant access to. Retailers can improve their security while simplifying operational costs and resources.

Multi-Site Management For a Growing Multi-Site Retail Business

If retailers operate multiple stores in a given city or across large regions, managing multiple on-premise recording devices be a tedious, time-consuming task, which only gets more complicated as the number of locations grows. With Alibi Cloud VS, retailers can rely on a simplified cloud-based security system to ensure all locations, employees, and assets remain secure within one network. Customize your views by region, city, and critical area of each site (like entrances, managers' offices, and PoS counters) so you can easily watch over your businesses’ most vital aspects. You don’t even have to worry about scheduling maintenance or hiring a team to perform security upgrades. It’s all handled automatically for you in the Cloud and visible in one easy-to-use and configured dashboard.