04/08/2014

By Jon Banks, Director of Payments and Customer Loyalty, The Logic Group


The past few years have been tough for UK retailers. Finally though, the economy is looking like it may have turned the corner: official figures show that recent growth has taken us past the pre-recession peak. This is without doubt great news, but for many businesses it’s a little too early to relax just yet.

Retailers know they cannot just sit back and hope to reap the rewards of the economic upturn. It’s important they continue to seek out ways to cut operational costs so as to ensure they remain competitive and maximise profitability. However, with competition for customers so fierce, they need to do so in such a way that it doesn’t diminish the overall customer experience: an increasingly critical factor in on-going customer loyalty.

Fortunately, for many retailers, the cost of compliance can be significantly reduced without negatively impacting on customer experience. The implementation of a Payment Card Industry (PCI) validated Point to Point Encryption (P2PE) solution for in-store card payments enables businesses to cut their on-going costs and drastically reduce the time associated with their annual audit.

A PCI-validated P2PE solution is the only way retailers can take in-store cardholder data out of scope, with card data being encrypted before it even reaches the retailer’s Point of Sale (POS). The corollary of this is that businesses’ annual PCI audits are made significantly easier and more streamlined, with the total number of questions reduced from more than 250 to a considerably more manageable 18. This creates a significant resource saving for businesses, delivering a much more efficient process. In fact, it is estimated that the correct implementation of a PCI-validated P2PE solution can reduce on-going costs by around 50%.

Above all, P2PE enables retailers to minimise the risk of a data breach, which would compromise customer cardholder data. In terms of customer confidence, an incident of this nature could be catastrophic, completely ruining customers’ relationship with a brand. The icing on the cake of a P2PE solution is that for the consumer, everything is business as usual.

Although P2PE is on many retailers’ agendas already, one thing that has become increasingly clear is that there is some confusion amongst retailers as to whether they have a PCI-validated P2PE solution in place already. This stems from the fact that although vendors have been offering P2PE solutions for some time, the PCI Council only issued guidelines and started validating solutions in 2011, with the first validated solutions being available last year. As such, retailers may think they have a fully validated P2PE solution when in actuality this is not the case. Consequently, they aren’t receiving the cost and resource savings that a proper PCI-validated solution brings. Our clear advice to retailers seeking to realise the cost savings from having a P2PE solution is to check whether their solution is validated on the PCI website.

This alone should be reason enough for businesses to pursue a validated solution. What’s more, if they don’t, they’re actually at risk of incurring additional costs in the form of fines from their acquirers for not having one in place.

Once a business has its validated P2PE solution in place, the next step is to ensure it is accredited by their industry Qualified Security Assessor (QSA). As part of this they will be required to adhere to a Solution Provider’s P2PE Instruction Manual (PIM). The PIM will outline the processes a retailer should implement in order to guarantee compliance, such as the proper handling of PIN Entry Devices (PED). The PIM will also detail a provider’s suggestions for operational procedures and best practice when using a P2PE solution. Nonetheless, it’s important that a retailer discusses this with its QSA to find the options that meet the specific needs of their business best.

In May 2013, the Payment Card Industry Security Standards Council (PCI SSC) announced that The Logic Group was the first company worldwide to achieve P2PE application validation, and in November 2013, our Solve DataShield P2PE solution achieved global validation by the PCI SSC. At present we offer one of only three PCI-validated solutions on the market.

P2PE solutions are a great option for retailers looking to minimise costs, but only when implemented correctly. A comprehensive P2PE offering can save you time and money, ensuring you can focus on delivering great products and experiences to your customers. However, if your solution isn’t PCI-validated, you’re not only missing out on significant savings; you’re exposing yourself to additional costs.