PCI Kills Retail Holiday Rush

Retailers feeling the rush of a Black Friday weekend high shouldn’t forget they’re also facing a major buzzkill on New Year’s Day: as of Jan. 1, they’ll face a new version of the Payment Card Industry’s security requirements, according to Crain’s Chicago Business.

The PCI Data Security Standard version 3.0 still requires physical protection of point-of-sale devices, networks and servers, but new rules also focus on securing the data itself via improved password protocols and more specific firewalls.

PCI 3.0 also piles on the complexities for small and midsize merchants who use a third-party provider to handle payment cards. Previously, outsourcing limited the retailer’s PCI responsibility to about 30 points of concern. Under the new rules, merchants are no longer off the hook and remain responsible for the payment process they’ve outsourced. The new rules can also add 100 or more additional security questions related to online commerce.

The IT director of one 18-store restaurant chain profiled by Crain’s Chicago Business said the new PCI rules prompted him to shift to a managed security model. Buona, a small suburban-Chicago chain, signed a three-year contract with Chicago-based Trustwave Holdings. Now the chain gets security updates through Trustwave’s portal on a daily basis.

“I let them worry about the technical stuff so I have more time to spend educating my staff and making sure they’re compliant with our password policies,” said Mark Kearins, Buona’s IT director, who admits he’s no cybersecurity expert. “And now I know what my costs are going to be until 2017.”