PCI Vendor Survival Strategy: Shift From Fear To Greed

In very early January, residents of New Hampshire couldn't pull out of their driveways without running into a presidential candidate. That's how it is today with retail IT executives and vendors selling PCI compliance packages.

But, for better or for worse, that's not a long-term situation. Like the presidential candidates who had to fly South for the winter (or fly the coop entirely), these compliance salesfolk have a limited lifespan. Within the next year or so, retailers are going to shift from trying to become PCI compliant to having to maintain PCI compliance.

That shift will cause the ranks of the hordes of virtually undifferentiated PCI compliance outfits to consolidate, with most simply returning to a focus on some other security area.

At the same time this is going on, retailers are starting to intensify their investments in the next generation of in-store (and, to a much lesser extent, online) technologies. The fact that online is so much younger means that the Web infrastructure is generally in less dire need of a tech makeover.

As this column has noted before, the vast majority of the tech enhancements that chains are considering for in-store—from mobile integration, smartcarts and PDA-like shopping assistance devices to enhanced self-checkout, queue busters, 2-D barcodes, NFC projects and contactless payment—involve wireless. There's only one thing in the retail world that is less secure than a wireless deployment: a wireless trial.

Retailers cut security corners with almost all technology trials, so the prospect of dozens of retail chains in 2008 going to trial with tons of wireless experiments at the same time is nothing less than terrifying. For cyberthieves throughout the country, every day will be Christmas Morning.

Wouldn't it be nice if these two kids could get together? To have some of the PCI compliance firms start looking at data beyond PCI? CRM, inventory or supply chain data, for instance, that has nothing to do with payment, at least not from a PCI perspective. And then taking the next logical step and proactively helping retailers deploy some of those profit-oriented efforts, but doing so in a secure manner, given their years (ok, weeks) of security experience.

This needn't be a shift away from appealing to retailers' baser elements. It would simply be a transition from selling fear to pushing greed. They would be marrying the eat-your-vegetables sexiness of security packages with the much-easier-to-sell revenue-enhancing tactics that wireless is bringing.