NRF Announces Best Practices for PCI Compliance

NEW YORK -- The National Retail Federation (NRF) released the first installment of Best Practices for PCI developed in cooperation with PCI Knowledge Base. This release contains 25 best practices providing guidance to companies on how leading retailers are addressing all of the requirements outlined in the PCI Data Security Standards.

"NRF’s PCI best practices are an excellent primer for any retailer to understand what their peers are doing to assure PCI compliance," said John Polizzi, CIO and senior vice president of BJ’s Wholesale Club. "It provides a solid foundation to build an overall strategy for addressing their critical concerns related to protecting sensitive information."

The Best Practices were developed based on more than 300 hours of anonymous interviews with key retail executives and other industry leaders, including contributions from BJ’s Wholesale Club, Yum! Brands, Saks, Burlington Coat Factory, IBM, Microsoft, PCMS and many others. The PCI Best Practices will be available on the NRF and PCI Knowledge Base Web sites to members, NRF reported.

"These PCI best practices were created with input from many organizations," NRF CIO Dave Hogan said in a released statement. "They provide a road map that will assist retailers to more cost-effectively achieve and maintain PCI Compliance. As the requirements for PCI change, so too will the best practices."

Key PCI Best Practices, designed to help retailers achieve "cost-effective compliance," include:

-- The use of tokenization solutions to centralize card data and reduce the number of systems in PCI scope.

-- Training for retailers to conduct their own self-assessment to reduce costs and drive compliance toward a risk-based model.

-- Implementation of low-cost, consistent service provider security evaluations to manage the security risk of outsourcing.

The Best Practices are presented in a summary matrix with details for each. Each entry provides:

-- Description of the best practice;

-- How much retailers are typically spending to implement the best practice;

-- How much implementing the best practice could reduce costs, based on experiences of leading retailers;

-- What department within the retailer typically manages implementation of this best practice;

-- Which PCI requirements the best practice addresses;

-- Current implementation of the best practice by F1000 vs. SME retailers;

-- Potential value (applicability) of the best practice -- or what percent “should” implement the best practice; and,

-- The opportunity gap: the difference between the current implementation and potential implementation.

"The best practices outlined complement the PCI Data Security Standards," said David Taylor, founder of the PCI Knowledge Base and developer of the research, in a released statement. "These standards tell retailers what to do, and these Best Practices tell retailers how retail industry peers actually implement the standards in practice."