New York, January 12, 2009—The National Retail Federation announced today the release of the first installment of Best Practices for PCI developed in cooperation with PCI Knowledge Base. This release contains 25 best practices which provide guidance to companies on how leading retailers are addressing all of the requirements outlined in the PCI Data Security Standards.
The Best Practices were developed based on more than 300 hours of anonymous interviews with key retail executives and other industry leaders, including contributions from BJ’s Wholesale Club, Yum! Brands, Saks, Burlington Coat Factory, IBM, Microsoft, PCMS and many others. The PCI Best Practices will be available on the NRF and PCI Knowledge Base websites to members.
“These PCI best practices were created with input from many organizations,” said NRF CIO Dave Hogan. ”They provide a road map that will assist retailers to more cost-effectively achieve and maintain PCI Compliance. As the requirements for PCI change, so, too, will the best practices.”
Key PCI Best Practices, designed to help retailers achieve “cost-effective compliance,” include:
The use of tokenization solutions to centralize card data and reduce the number of systems in PCI scope
Training for retailers to conduct their own self-assessment to reduce costs and drive compliance toward a risk-based model
Implement low-cost, consistent service provider security evaluations to manage the security risk of outsourcing.
The Best Practices are presented in a summary matrix with details for each. Each Practice provides:
Description of the best practice
How much retailers are typically spending to implement the best practice
How much implementing the best practice could reduce costs, based on experiences of leading retailers
What department within the retailer typically manages implementation of this best practice
Which PCI requirements the best practice addresses
Current implementation of the best practice by F1000 vs. SME retailers
Potential value (applicability) of the best practice – or what percent “should” implement the best practice
The opportunity gap: the difference between the current implementation and potential implementation
“The best practices outlined complement the PCI Data Security Standards,” said David Taylor, founder of the PCI Knowledge Base and developer of the research. “These standards tell retailers what to do, and these Best Practices tell retailers how retail industry peers actually implement the standards in practice.”
“NRF’s PCI best practices are an excellent primer for any retailer to understand what their peers are doing to assure PCI compliance, said John Polizzi, CIO SVP BJ’s Wholesale Club. It provides a solid foundation to build an overall strategy for addressing their critical concerns related to protecting sensitive information.”
Attendees at the NRF Annual Convention can review the Best Practices and speak with David Taylor in the ARTS Pavilion booth 1859 on the exhibit floor. Also Perry Kramer, Vice President of BJ’s Wholesale Club, will present some of the ways BJ’s has used many of the Best Practices to reduce costs in the ARTS Update Sunday at 10:15 in room 1A07-08.
NRF’s Annual Convention and EXPO serves as the world's leading retail event, bringing 18,500 retail executives and vendors from more than 50 countries together for educational and networking opportunities. NRF’s EXPO floor, open on Monday and Tuesday of the Convention, hosts more than 500 exhibiting companies and features a one-of-a-kind DESiGN STUDiO. NRF's Convention is ranked as one of the Top 200 events in North America, as well as one of the 50 fastest-growing events, according to Tradeshow Week.
The Association for Retail Technology Standards of the National Retail Federation is an international membership organization dedicated to reducing the costs of technology through standards. Since 1993, ARTS has been delivering application standards exclusively to the retail industry. ARTS has four standards: The Standard Relational Data Model, UnifiedPOS, IXRetail and the Standard RFPs (in partnership with NRF). Membership is open to all members of the international technology community-- retailers from all industry segments, application developers and hardware companies.