NRF Announces Best Practices for PCI Compliance

• The use of tokenization solutions to centralize card data and reduce the number of systems in PCI scope
• Training for retailers to conduct their own self-assessment to reduce costs and drive compliance toward a risk-based model
• Implement low-cost, consistent service provider security evaluations to manage the security risk of outsourcing

The Best Practices are presented in a summary matrix with details for each. Each Practice provides:

• Description of the best practice
• How much retailers are typically spending to implement the best practice
• How much implementing the best practice could reduce costs, based on experiences of leading retailers
• What department within the retailer typically manages implementation of this best practice
• Which PCI requirements the best practice addresses
• Current implementation of the best practice by F1000 vs. SME retailers
• Potential value (applicability) of the best practice — or what percent "should" implement the best practice
• The opportunity gap: the difference between the current implementation and potential implementation

"The best practices outlined complement the PCI Data Security Standards," says David Taylor, founder of the PCI Knowledge Base and developer of the research. "These standards tell retailers what to do, and these Best Practices tell retailers how retail industry peers actually implement the standards in practice."

"NRF's PCI best practices are an excellent primer for any retailer to understand what their peers are doing to assure PCI compliance, says John Polizzi, CIO and Senior Vice President of BJ's Wholesale Club. It provides a solid foundation to build an overall strategy for addressing their critical concerns related to protecting sensitive information."