The Exchange is the Gold Standard for Securing Cardholder Data

The Exchange has successfully completed its Payment Card Industry (PCI) assessment, earning a clean Report on Compliance (RoC) with no compensating controls for the 15th year in a row. That’s a major achievement.
But before you start celebrating, you might ask, “What exactly is a PCI assessment and why does a clean RoC matter?”
What is the Payment Card Industry?
The Payment Card Industry is a global network that enables secure electronic payments using credit, debit or prepaid cards. To maintain security across this ecosystem, the industry established the PCI Data Security Standard (PCI DSS), which sets the benchmark for protecting cardholder data. This is especially important for Exchange shoppers, including MILITARY STAR cardmembers.
What is a PCI Assessment?
“A PCI assessment involves an independent review of our systems, processes and environment by a Qualified Security Assessor (QSA),” said Exchange IT Policy & Planning Manager Tom Giangreco II. “The QSA tests controls, conducts interviews, reviews documentation and gathers evidence. The assessment is specifically focused on protecting payment card data and is governed by the PCI Security Standards Council.”
Before the formal assessment, a pre-assessment is conducted to identify a location that is well-prepared and capable of demonstrating compliance. This year, the Fort Carson Exchange in Colorado was selected. It had not been previously assessed, and its diverse operations made it an ideal location.
Who leads the charge for compliance?
PCI compliance is a shared responsibility. A cross-functional team drives the effort, including Store Operations, IT, Loss Prevention and FMO. Field leadership and frontline associates also play a critical role because protecting cardholder data is everyone’s responsibility.
Exchange Vice President and Chief Information Security Officer David Adams credits Exchange teams in HQ and Colorado for their roles in the successful assessment, singling out Giangreco, Information Assurance Program Manager David Cline, Exchange Business Analyst Helen Boyce and IT Policy & Risk Specialist Russ Marshall for their early and thorough preparation, which ensured a smooth and timely evaluation.
What does a RoC with no compensating controls mean?
A Report on Compliance is a formal document completed by a Qualified Security Assessor that summarizes the results of the PCI DSS assessment. It’s required for merchants and service providers, like the Exchange, that process more than 6 million card transactions annually.
If a company cannot meet a specific PCI DSS requirement because of technical or business constraints, it must implement compensating controls: alternative security measures that provide equivalent protection. For example, if an organization cannot install a firewall because of budget limitations, it must deploy multiple layered security measures to achieve the same level of defense.
When the Exchange receives a clean RoC with no compensating controls, it means every requirement was met directly and without exception. That’s a clear indicator of operational excellence and security leadership.
How does PCI impact in-store and online payments?
“The PCI standards influence every aspect of operations, from securing point-of-sale systems to encrypting and transmitting payment data and even training team members,” Adams said. “In stores, this means deploying tamper-resistant terminals and ensuring card data is never stored. Online, it involves secure platforms, tokenization and continuous threat monitoring. Across all channels, strict and thoroughly tested procedures are followed to protect cardholder information.”