Stores still in scope?

Penetration Testing Experts


I'm still coming across a number of brick and mortar merchants who have been advised by their QSA to put their store environments into scope of PCI DSS and spend millions of pounds implementing endpoint security and network monitoring solutions.

Exactly what benefit does this give?

Not even high street banks go to this level to secure their systems, so why should retailers?

I try to add a dose of practical advice, but often get the door slammed in my face when I start suggesting retailers dumb down and descope payment operations at store level through the use of tokenisation or end-to-end encryption solutions.

I am really at a loss as to why retailers trust the advice of their incumbent QSA and budget huge swathes of cash for solutions when the payment world is already turning.

Things I'm still hearing:

“I have to store card numbers on all my tills and store servers, just in case of communications or hardware failure.”

“I have a flat network and cannot segment stores away from my core processing systems.”

“My bank wants me to be PCI Compliant, so we've decided to apply PCI DSS on the environment as is and not bother trying to reduce scope just to get them off our backs.”

To put it bluntly, there are ways around all of the above that are more effective at addressing net risk and do not upset your IT Director by demanding millions of pounds' worth of security solutions that will probably be OK for the first few months but degrade massively over the coming years due to staff shortages and process failures.

There is no silver bullet solution for PCI DSS and no halfway house for stores. You're either all in, with a team of 8 dedicated security engineers to support 400 stores (oh goodness, that's another hidden £2m over 5 years), or you make a mid- to long-term decision to minimise store scope through E2EE or tokenisation.

I understand there are many QSAs and security vendors out there who are in it for short-term gain and will of course try to upsell as much as possible, as that's their job, but please do take their advice with a pinch of salt, get that second opinion, and hopefully Visa's vision of a fraud-free payment industry will be that one step closer.
