Skip to main content

NRF Announces Best Practices for PCI Compliance

The National Retail Federation releases the first installment of Best Practices for PCI developed in cooperation with PCI Knowledge Base. This release contains 25 best practices which provide guidance to companies on how leading retailers are addressing all of the requirements outlined in the PCI Data Security Standards.

The Best Practices were developed based on more than 300 hours of anonymous interviews with key retail executives and other industry leaders, including contributions from BJ's Wholesale Club, Yum! Brands, Saks, Burlington Coat Factory, IBM, Microsoft, PCMS and many others. The PCI Best Practices will be available on the NRF and PCI Knowledge Base websites to members.

"These PCI best practices were created with input from many organizations," says NRF CIO Dave Hogan. "They provide a road map that will assist retailers to more cost-effectively achieve and maintain PCI Compliance. As the requirements for PCI change, so, too, will the best practices."
PCI best practices
Key PCI Best Practices, designed to help retailers achieve "cost-effective compliance," include:
  • The use of tokenization solutions to centralize card data and reduce the number of systems in PCI scope
  • Training for retailers to conduct their own self-assessment to reduce costs and drive compliance toward a risk-based model
  • Implement low-cost, consistent service provider security evaluations to manage the security risk of outsourcing

The Best Practices are presented in a summary matrix with details for each. Each Practice provides:

  • Description of the best practice
  • How much retailers are typically spending to implement the best practice
  • How much implementing the best practice could reduce costs, based on experiences of leading retailers
  • What department within the retailer typically manages implementation of this best practice
  • Which PCI requirements the best practice addresses
  • Current implementation of the best practice by F1000 vs. SME retailers
  • Potential value (applicability) of the best practice — or what percent "should" implement the best practice
  • The opportunity gap: the difference between the current implementation and potential implementation

"The best practices outlined complement the PCI Data Security Standards," says David Taylor, founder of the PCI Knowledge Base and developer of the research. "These standards tell retailers what to do, and these Best Practices tell retailers how retail industry peers actually implement the standards in practice."

"NRF's PCI best practices are an excellent primer for any retailer to understand what their peers are doing to assure PCI compliance, says John Polizzi, CIO and Senior Vice President of BJ's Wholesale Club. It provides a solid foundation to build an overall strategy for addressing their critical concerns related to protecting sensitive information."

This ad will auto-close in 10 seconds