Retailers should avoid common PCI compliance mistakes

Consumers are making retail purchases through more platforms today than ever before, causing many merchants to implement new technologies to keep up with society's evolving habits.

However, security experts warn that as businesses change to improve their PCI compliance efforts, they should be sure not to trip into common pitfalls, according to a Dark Reading report.

Some of these retail IT risk management mistakes include:

1. Poor encryption key management

Payment Card Industry standards require businesses to keep these keys in as few forms and locations as they physically can, the news source reported. However, managing these keys tends to be difficult for many merchants.

According to a report by Symantec, roughly 52 percent of organizations have experienced problems with encryption keys. These include losing the codes and having past employees refuse to give them back to the company.

"Enterprises should never store encryption keys alongside encrypted data," industry expert Todd Thiemann said, according to Dark Reading. "It doesn't help if you lock the door with the key taped to the doorknob. Too many encryption solutions do not include proper key management, and enterprises are prone to cutting corners when it comes to properly managing encryption keys."

2. Failing to change a technology vendor's default settings

As a way to improve internal operations and lower costs, many retail businesses are deploying virtualization technologies. However, many decision-makers either forget or choose not to change default logins and passwords, Dark Reading noted. As a result, many sensitive files are often left exposed.

"A virtual machine can easily be duplicated and deployed using vendor-supplied defaults," industry expert Eric Chiu told Dark Reading. "Controls to prevent this in a traditional IT environment, such as scanning the network for new systems, become less effective in a virtual environment, so an auditor may easily fail to notice defaults, as an entity has to manage virtual machines from within the virtual environment itself."

3. Not understanding cardholder data

Retailers need to understand what information is retained after a sale is made, where it is kept and why. While retaining some of this data is necessary for businesses to complete electronic data interchange (EDI) processes, holding on to it for too long is not only unnecessary but unsafe. As a result, organizations need to do their utmost to figure out exactly what data they acquire from customers, the news source noted.

By taking steps to avoid these common pitfalls, retailers can ensure better practices with EDI and consumer transactions.