Released 20 years ago, the Payment Card Industry Data Security Standard (PCI DSS) is the compliance standard required by major credit card brands—Visa, Mastercard, American Express, Discover, and JCB. Merchants handling cardholder data must adhere to PCI compliance guidelines to safeguard customer information. The latest version, PCI DSS 4.0, became the only active standard in March 2024, focusing on protecting card data and mitigating the risk of data breaches.
Noncompliance leaves retailers vulnerable to fines, fraud, data breaches, revenue losses, and even business closures. But while PCI compliance helps protect against data breaches, it’s only one layer of defense. Being cyber secure is equally important in today’s complex threat landscape.
PCI Compliance vs. Cybersecurity
Data breaches occur when unauthorized parties access sensitive data, often through card skimming or phishing scams. However, cyberattacks can be even more damaging, as they involve gaining control of entire systems, stealing data, or disabling operations. For example, the May 7, 2021 ransomware attack on Colonial Pipeline had devastating effects across multiple sectors.
“Being PCI compliant is the ‘low water mark,’ while being cyber secure helps you to sleep better at night,” says Bryan Benner, Vice President of Information Systems at FKG Oil/Moto C-Stores. While PCI compliance mandates basic security, cybersecurity involves a multi-layered approach that goes beyond compliance.
Brad Buckmaster, IT Manager at Plaid Pantries Inc., agrees that cybersecurity is broader than PCI compliance. It covers all aspects of a business, including those outside the scope of PCI. If a company employee clicks on a phishing or ransomware link, the consequences can be as severe as a breach of personally identifiable information.
Beyond PCI: Achieving Cyber Resilience
An interruption in operations from a cyberattack can impact both the company and the surrounding community. That’s why businesses must think beyond PCI compliance and focus on overall resilience. According to Ashwin Swamy, CEO of Omega ATC, cybersecurity measures like network detection and response and threat hunting are essential to mitigating threats before they escalate.
Swamy also emphasizes that human error remains the greatest cyber risk. Cybersecurity must be an organization-wide effort, with alignment across all levels of the business. This alignment helps ensure business continuity and cyber resilience in the face of evolving threats.
PCI compliance is essential, but it’s only the starting point for a secure business. Retailers must implement broader cybersecurity measures to protect against cyberattacks, maintain business operations, and safeguard customer trust.
This article is the second in a series exploring how retailers are navigating PCI DSS 4.0 requirements. Stay tuned for the next article, which will focus on reducing liability and exposure to chargebacks and fraud.