PCI: It's Not Just For Payment Anymore

As retail CFOs begrudgingly approve extensive dollars to help with PCI accreditation efforts—even though many IT departments are using those dollars for projects that primarily have little to do with security—many are discovering that a program designed to protect payment data will also do a fine job at protecting almost any other kind of data.

With CRM systems trying to interact with Web analytics, mobile databases, purchase and returns histories and tons of other non-payment databases, the amount of non-credit-card data that is at risk easily dwarfs Visa transactions.

The same common sense guidelines that are the soul of PCI—dealing with wireless, encryption, knowing what you're retaining and retaining only what you need—can be widely extended. But the same checklist mentality that is PCI's weakness also pigeonholes PCI into only being used for payment, which is silly.

As much as the amount of data collected by retailers has soared in the last 15 years—coinciding with the emergence of the Web, which made retailers discover the much older Internet—that's a footnote compared with the data expansion likely to visit merchants in the next three years.

Why? Merged channel, mostly. As retailers mature beyond multi-channel into cross-channel and then into the final phase of merged channel, two things are going to have to happen.

First, every one of those channels will have to clean up its digital records-keeping act. For example, call center personnel will need to take extensive notes about every conversation and save it into the system, so that it can later be access by their in-store and online counterparts, let alone other call center people. In-store associates will have to get used to entering notes into a database every in-person customer interaction, too.

Secondly, those files will have to be made homogenous and then the floodgates will open for data-sharing. From the IT perspective, that is going to increase customer-specific data by an order of magnitude.

This data will be highly desired by cyber thieves and merchant rivals (there's a difference?). Conveniently, the same rules within PCI will protect everything else. But to make it work, it's essential to put those systems and rules into place now, before the next tidal wave of data.

It will be hard enough keeping up with that new data without having to also learn new privacy data-protection rules. Checklist security is far from ideal, but as an organizational guideline for merchants about to enter a very disruptive data period, it's actually not a bad start.