PCI Compliance: Who's Re-Minding The Store?

Guest Columnist David Taylor is the Founder of the PCI Knowledge Base, Research Director of the PCI Alliance and a former E-Commerce and Security analyst with Gartner.

Internal audit is not staffed to enforce PCI at the store level. Except for about a dozen leading retailers, most retailers do not have enough IT-skilled internal auditors to meet the requirement for a "continuous" review of store-level IT security.

Since almost no one can afford to add another group of people with both auditing skills and IT skills, nor can most retailers afford to pay consulting firms to do this, I tend to recommend very specific PCI audit training courses for your internal audit staff. One way to do this is to send them to the same two day course that PCI auditors go through.

Another, less expensive, approach is to send one person to such a course and then do your own internal PCI audit training course. The other advantage of this is that you will be able to gradually broaden your base of "security aware" persons. That's one of the techniques I have seen leading merchants use to successfully build a "culture of security" that extends to the stores.

Was talking with two senior executives recently, and they talked about a "culture of security." They argued articulately that if upper management signals to the organization they care about protecting customer information, then they can use it to differentiate their company in the marketplace. While I agree, I tend to find that this works well at corporate but the message doesn't seem to make it to the stores.

As we've seen with the PCI Knowledge Base, which we're doing with the National Retail Federation, this is a key issue. When I ask about store-level security and compliance, I find there is universal agreement that there are far more vulnerabilities at the store level and far less review of those vulnerabilities, either by internal staff or by PCI assessors.

Most retailers need to define an incentive program to enforce policies. About two months ago in this column, I wrote about the importance of "deputizing" store managers to watch for security breaches. Since then, it's become clear that in order to change the culture, retailers have to provide incentives to these "deputies" in order to actually impact key metrics such as shrinkage, fraud and chargeback rates.

The other important technique is to link the PCI compliance initiative to these same security metrics. For example, a PCI project manager who wants to "embed" PCI compliance into the corporate culture would be well advised to spend about 20 hours, spread over several weeks, to create a presentation for management that shows how PCI compliance can not only reduce risk but also impact key financial metrics such as fraud and chargeback rates.

Three PCI managers who also own fraud management and report into the CFO, have said that linking PCI compliance to financial performance is a great way to get executive attention and budget. And since all these metrics are key to individual store performance, this is one of the ways to gain the support of store management for PCI compliance—circling back to the whole "deputize" argument.

Get rid of confidential data, permanently. The goal is to remove all credit card and other confidential data from the stores, rather than to advocate a particular card processing schema. Even as you work to build a culture of security and proliferate it to the stores, you will probably need to do more than segment your networks to reduce your liability long term.

Leading retailers as well as educators need to shift their focus from data protection to data elimination. In some cases, retailers are simply not collecting the data in the first place. But it's more common to hear leading retailers talk about replacing card data at the POS with surrogate data or hashes or partial masking, so that the full numbers cannot be retrieved.

These techniques will (according to most PCI assessors) greatly reduce the assessment scope, as well as the risk. Outsourcing payment processing will also do this, but you're shifting the risk rather than eliminating it.

Re-engineering card number-dependent applications and processes takes time. But the leading retailers like to point out that they've known about this problem for at least 4 to 5 years. They say what sets them apart from others is that they began working to permanently eliminate the data (and the associated risk) back in 2004 and 2005, while other retailers postponed addressing the problem until faced with fines from their acquiring bank.

For retailers just now getting PCI compliant at corporate, you want to work to involve the stores ASAP via an online, intranet training program, and using some of the other techniques described above.

If you're a retailer, we want to get you involved in the best practices study we're doing for the National Retail Federation. If you'd like to participate, send me an E-mail at [email protected].