Are Your Stores Worth Stealing From?

Guest Columnist David Taylor is president of the PCI Alliance and a former E-Commerce and Security analyst with Gartner.

Some of the most surprising findings from the PCI Knowledge Base, concern store-level security. Apparently, some PCI assessors don't believe that retail stores are worthy targets for payment card fraud. That's a logical conclusion drawn from the fact that some retailers are passing PCI audits without the assessors visiting a single store.

Over the past few weeks, I've spoken with nearly a dozen retailers who told me that their PCI assessors conducted either no store audits at all, or visited only a few stores, often completing the audits in less than a half hour. Some argued that by not auditing their stores, the assessors were being lax, while others said that the lack of store audits was key to helping them pass the PCI audit.

I have also interviewed a half dozen PCI assessors and discussed this issue. Their argument is simple: the focus of PCI compliance is on large concentrations of credit card data because such places represent the highest risk. So auditors spend much more time ensuring the safety of corporate databases, T-logs and other places where card data tends to "congregate." Besides, they argue, many retailers "put their best foot forward" during store audits, which masks any problems that do exist and render store audits largely useless.

So how do we spot store-level data security risks before they turn into security breaches? Who owns this problem? I've talked to some retailers where Loss Prevention has taken on store-level PCI compliance as part of their regular audits, but most LP departments have very limited IT skill sets, so this rarely works. At other retailers, PCI is managed out of the IT department, and we all know how much IT people like going into "the field," so that rarely works, either. In still other cases, there's a separate Compliance function that owns SOX and PCI, HIPAA. Most of these people are lawyers or "wannabe lawyers" who rarely show up at meetings let alone visit the stores.

If you actually want to get in front of store-level breaches before they occur, you are going to have to "deputize" the store manager (or, preferably a slightly geeky assistant manager) and specifically train them to spot things such as PIN pad tampering or skimming, employee password sharing, the presence of rogue wireless networks, and modifications to any of the security controls that are "supposed" to be turned on, but sometimes aren't.

One of the best practices is for whomever owns PCI at corporate to do a series of regular training sessions with store management – not just the store managers but the assistant manager who is "deputized" to own data security. A monthly conference call, an incentive program for the "deputy" manager with the best ideas and dollar rewards for anyone who actually spots potential loss or fraud. Maybe all that sounds obvious. But if it is, why aren't more retailers doing it?

Guest Columnist David Taylor can be reached at [email protected]