NRF + PCI = CIO Job Security

For retail CIOs, this is the worst of times and it is the best of times. It may be the worst of times because the emergence of smartphones at the POS, the increase in the amount and availability of customer data, and the growing tokenization and end-to-end (E2E) encryption options may have CIOs (and their QSAs) reaching for the aspirin bottle. On the other hand, it may be the best of times because the CIOs who can address these challenges will be rock stars in their companies.

At the National Retail Federation (NRF) show this week, several vendors were pitching payment card readers (and other peripherals) that could attach to a smartphone, thereby converting it into a POS device. Some of the readers are already PCI PTS approved. With one of these and a Blackberry, merchants can move the POS from a fixed counter to anyplace inside--or even outside--their stores. And the best part is that merchants can have this wireless capability for a price far less than current wireless POS devices offered by most manufacturers. I can think of several merchants I work with that will be looking at these devices very seriously.

But the PCI implications are complicated. An audience question at the 2008 PCI Annual Meeting probed whether iPhones and Blackberry devices would be in scope for PCI. The response from the Council staff (and many others in the audience) was that this question was a pretty far out, because nobody could figure out how or why these devices would ever be in scope. Everyone was thinking only about using smartphones to access stored cardholder data--not to generate the data.

The present DSS can address these hybrid devices (e.g., secure communication, encryption), but, as a QSA, I might have additional concerns. The smartphones will, presumably, be used for other purposes. We already have examples of viruses and other malware successfully targeting smartphones. Simply protecting the card reader and PIN pad attachments may not be enough to ensure the bad guys don’t compromise the smartphone itself, which would lead to a data compromise. I’m sure the vendors have answers for merchants and their QSAs, but I just haven’t yet heard them.

While in New York, I heard a lot of CIOs talk about balancing the pressure to open systems and databases to more internal users with the need to protect the data. This balancing act will get more interesting as the volume of customer data expands. Note: In the security world, “interesting” is not a nice thing.

One CIO said that “95 percent of our customers are known to us,” which told me there could be a whole lot of personally identifiable information (PII) floating around in companies’ databases.

The issue of PII and data protection is old hat. Nearly every state now has some kind of data breach notification law. I hope CIOs are looking at PCI as a way of protecting all kinds of PII and not just cardholder data. I have to believe thoughtful CIOs are doing this, and that they are having their QSA take a look at and/or train some of their staff on how the DSS can be more broadly applied. You are already doing the work for your cardholder data. It has to make sense to use the same tools for all of your other PII, too.

Unfortunately, applying PCI to the broader collection of PII sets the stage for another dilemma. More people will want and need access to all kinds of customer data. Yet a principle of PCI is limiting access to who can see the data and how much they can see. What’s a CIO to do?

My guess is that each company will make tradeoffs based on business requirements. The one thing that is beyond discussion, in this QSA’s opinion, is that the CIO owns the data. The reason I say that is because in response to a question about who owns the data, I heard someone say “Everyone owns it.”

Unfortunately, the reality is that when everyone owns something, no one owns it (If you don’t believe me, walk into a public lavatory some time). Everyone may have an interest in the data, but reality dictates that there is only one owner and that owner is the CIO.

On the NRF expo floor, I asked several software and hardware vendors plus bank acquirers and card processors what were they hearing from the other attendees (versus what they were pitching). I was pleasantly surprised when they said people were asking about PCI and how the vendor’s product could help the merchant get compliant. “You hear PCI everywhere,” one said.

Both tokenization and E2E encryption technologies were well represented at the NRF conference. At a retail CIO workshop before the NRF (where I participated in a panel discussion), two-thirds of the attendees said they were exploring not one approach but both tokenization and E2E technologies to help with PCI compliance. The number who said they were solely doing tokenization was—not surprisingly—zero.

Another sign that the technologies are maturing is that I didn't hear any vendors on the expo floor overpromising. Every single one that I heard from emphasized that it could only reduce--often dramatically--a merchant’s PCI scope; not one vendor promised a silver bullet.

I am a fan of both tokenization and E2E encryption, but only when properly implemented. Each has advantages. There seems to be two general approaches to tokenization: generate a unique token for each transaction or generate an identical token if the same card is used again.

Although either can do the job, it seems the latter approach may lend itself more easily to replacing cardholder data (e.g., PANs) in velocity checking and CRM systems and, ultimately, to removing those systems from PCI scope. Because the goal is to minimize PCI scope, this latter approach may be the easier path to taking more systems out of scope if you are looking at tokenization.

I’d like to hear what you think. Were you at the NRF expo? What did you hear about PCI? Are you looking at tokenization and E2E encryption? If you had to skip the “Big Show” this year, what did you miss? Do you plan to be the database rock star of your company? Leave a comment or E-mail me at [email protected] I want to hear from you. And special thanks to all of you who have left comments or sent me E-mails.