The Gruelling Uphill Climb To PCI Compliance

July 23, 2018 | Jim Brinton – Chief Executive Officer, Avanti Markets

During my research for this article, I kept finding the phrase "the ugly truth" used in conjunction with data breaches and compliance with the Payment Card Industry Data Security Standard (PCI-DSS). After going through our data incident last summer, I can attest to the fact that the remediation process is ugly, painful and a drain on resources.

I thought I knew what PCI compliance entailed and how to protect our operators and consumers. The reality was, as prepared as we were, some criminal mind out there was working to penetrate all of our blockades and firewalls to get to the payment card data.

And we weren't the only ones. In 2017 alone, it was reported there were 1,579 data breaches, a 44.7% increase over the record set during 2016, which itself experienced a 40% increase over the previous year. And those numbers don't include the number of breaches that haven't been discovered yet.

What Happened

Last year, in an effort to lead the industry in payment security, Avanti Markets had mandated that all of the kiosks in our network be upgraded to a state-of-the-art, encrypted payments device that tokenized every transaction that included cardholder data. We believed so much in this direction that we committed over $1 million of our own money to ease some of the financial burden of this effort on the members of our operator network. The device we chose is validated to meet all the data security standards dictated by the Payment Card Industry Security Standards Council. We were more than 50% installed when a hacker came through a "back door" and infected several of our kiosks with a new version of malware that had never been reported before.

The Recovery Process

During the past several months, Avanti Markets has gone through painstaking efforts to requalify for PCI compliance at the elevated status of a Level 1 Merchant of Record. PCI compliance has 12 main requirement categories that contain a total of almost 300 requirements.

Prior to beginning the recertification process, we engaged an independent cyber risk consultancy to assess, validate and advise on changes to our current environment. This comprehensive engagement investigated our total environment, including our physical property, the training of our people, our information technology systems, and our applications. The consultants provided several positive recommendations to prepare us for the certification process.

It's interesting to note that point-of-sale (POS) software falls primarily under the sixth requirement category of the PCI standards, which is "Develop and Maintain Secure Systems and Applications." The other 11 requirements hardly mention software.

A few specific examples of the PCI requirements include:
• Deploy and maintain a firewall between the credit card environment and public networks.
• Test your systems quarterly for vulnerabilities both externally and internally.
• Manage the access your employees have to sensitive data.
• Train your employees upon hire and once a year thereafter about how to handle credit cards safely.

PCI Compliance: The Truth

Having secure software is important, but it's not sufficient for PCI compliance. If you process credit cards through your POS software, you will require a number of formal processes and policies too. Businesses that fall under this model must understand that software alone – even if it meets the PCI requirements as dictated by PA-DSS (Payment Application Data Security Standard) – does not make your environment PCI-compliant. Claiming to be "PCI compliant" solely on the basis of software applications is false advertising. Table 1 (below) summarizes the differences between PCI-DSS certification and PA-DSS validation.

Table 1. Comparison of Payment Application and Payment Card Industry Data Security Standards

Milestones to meet DSS v.3.2 standards (columns: PCI-DSS | PA-DSS)
1. Secure payment card applications.
2. Remove sensitive authentication data and limit data retention.
3. Protect systems and networks, and be prepared to respond to a system breach.
4. Monitor and control access to your systems.
5. Protect stored cardholder data.
6. Finalize remaining compliance efforts and ensure all controls are in place.



Moving Forward

After hundreds of man-hours and countless tests and remediation and retests, Avanti Markets is proud to announce that we have completed the rigorous process and expect to receive our Report of Compliance (ROC). The ROC is the mandatory report from an independent qualified security assessor that has audited Avanti Markets and its organization against almost 300 items listed in the PCI standards. As part of the ROC process, we will receive our Attestation of Compliance (AOC) that Avanti Markets, from its staff through all its systems and processes, meets all the standards and is truly PCI-DSS certified.

With our back doors closed and locked, our continuous and regulated testing of our systems and personnel, and the heightened awareness of how a company can be violated (from our own experience), we are primed and ready to continue the innovative, operator-focused development that has made us the premier micromarket provider for the independent operator.

We remain ever more dedicated to our operators and their consumers and will continue to employ every tool to keep all levels of the organization safe, secure, and protected.

------------------

» JIM BRINTON presently oversees Avanti Markets Inc., Avanti Markets Northwest and Evergreen Vending. Long active in the industry, he has served as president of the Northwest Automatic Merchandising Association and as chairman of the National Automatic Merchandising Association in 2008 and 2009; NAMA has honored him as Industry Person of the Year. He serves in numerous other board of directors positions, and frequently speaks at industry advocacy and educational events.

©2026 Networld Media Group, LLC. All rights reserved.