Challenges of PCI and Remote Offices

By Jessica Lavery-Pozerski, PR Manager

While complying with PCI standards does not necessarily mean an organization's network is adequately secured, compliance is still a challenge all companies that accept credit card information must meet. Understanding the standards and then creating policies that ensure compliance can be difficult enough for an organization. But when you add the challenge of complying with these standards at all remote locations, a new level of complexity arises.

The very nature of PCI regulations means compliance will affect organizations with multiple locations, like franchises, retail and wholesale stores, banks, credit unions, as well as restaurants and other consumer-facing businesses, because they are the organizations most likely to touch credit card data. It is not enough for these organizations to create security policies and compliance procedures for their main offices or flagship store. These businesses must also circulate these policies, guidelines and efforts among all their branches and then update each branch's policies when a change is made. This can be very time consuming, especially when it comes to PCI compliance.

Adding the headache of keeping all of an organization's branch offices compliant to the already confusing and complicated task of creating PCI compliance rules for an organization makes PCI compliance almost unbearable. It is unrealistic to expect an organization such as a bank or retail store to have dedicated IT staff, let alone a security expert, at each location. The costs associated with doing so are too high and, despite the complexity of the work, there aren't enough tasks to justify having an IT employee at every retail store.

Additionally, PCI standards require organizations to regularly "test security systems and processes" as well as "track and monitor all access to network resources and cardholder data." With storefronts and office locations spread across countries and continents, regularly testing systems may take a backseat due to budget constraints.

Despite this, all branches must be PCI compliant or they risk significant penalties, the worst of which is losing their ability to accept credit cards as a form of payment. That would effectively make it impossible to run the business.

With ignoring the standards no longer an option, there are two remaining options these organizations have for dealing with PCI standards. The first is to roll out individual security products at each location. This requires sending IT staff to each location to set up and configure the devices. Then each time a new security policy is created, the IT expert must travel to all the sites and reconfigure each device. Of course the business could elect to hire an IT professional at each site for the sole purpose of managing the site's security, but again, in many cases this is not an economical solution.

The second option would be to manage all security through a centralized point (i.e., headquarters) using a single security device and connection points at each office. The challenge there is connecting all branches to the central office, no small task when some offices may be oceans away. Even a distance of a few miles would make connecting the branch office to the headquarters difficult without the right technology.

The right technology will connect and secure the remote locations and allow the IT staff at the headquarters or central office to control PCI-related policies as well as all other security policies. This tool would have to be simple to set up so that any employee at a retail store or credit union branch could install the device themselves, eliminating the need for IT staff travel.