To be clear, the credit- and debit-card data sharing that Sears is accused of happened between Sept. 9, 1995, and June 22, 2001, long before PCI even existed. But such a thing could never happen today, in our PCI-compliant environment, right? Think again, Breach Boy.
As Dave Taylor's PCI column this week articulates wonderfully, renegade marketing programs using live payment card data are still alive and well.
In some cases, marketing units use older data and IT is never aware of it. Forever 21 ran into this problem last year, when a data breach grabbed about 100,000 credit and debit card numbers, including transactions from 2003 through 2005 that were stored in a corporate data center, apparently in violation of PCI rules. The data had been used for a system trial and was then forgotten.
The practice of marketing using such data is common, but many of the problems can be traced to attitude and policy. Even though marketing often needs—or thinks it needs—payment card data, how often is marketing invited into PCI meetings? Do marketing officials try to bone up on PCI themselves?
Other things to consider: When marketing asks for payment data to analyze, are they given the data outright, or are they offered alternatives? And if true payment data is provided, does IT monitor its use and make sure that it's properly deleted at the end of the analysis? Does IT offer to run the analysis itself, as a service for marketing and also as a nice-sounding way to guarantee that the data is kept in a PCI-compliant fashion?
One of the more pernicious problems with PCI assessments is that they are indeed assessments (focused on asking questions) rather than audits (focused on independent examination). There are certainly elements of both, but the flaw with the question approach is that, even if the IT executive responding is being fully honest, they can only reveal what they know. If some other department has "borrowed" data without the IT Director's knowledge, no questionnaire would reveal that.
In the Sears case, the payment card data exchange was a convenience. It was to make it easier for the marketing partner to sell services, of which Sears got a cut. And the inclination—even today—to use payment card numbers as customer identification numbers is still rampant.
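One such alternative to handing marketing live card numbers, as an added example (not from this column or from any retailer it mentions): IT replaces each PAN with a keyed token that only IT can reproduce, so marketing can still count and join by customer without ever holding a real number, and receives only the truncated form PCI DSS permits to be displayed. The key value and the transaction record below are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo key. In practice the key stays under IT's control (HSM or
# key-management service) and is never handed out with the data.
IT_TOKEN_KEY = b"demo-key-do-not-use-in-production"

# Fields that must never leave the cardholder data environment.
SENSITIVE_FIELDS = ("pan", "cvv", "track", "expiry")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, so a typo or a non-card number is rejected up front."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(pan: str) -> str:
    """Strip spaces/dashes and validate length and checksum."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not (13 <= len(digits) <= 19) or not luhn_valid(digits):
        raise ValueError("not a valid card number")
    return digits


def tokenize_pan(pan: str, key: bytes = IT_TOKEN_KEY) -> str:
    """Deterministic keyed token: same PAN -> same token, so records can be
    joined per customer, but the PAN cannot be recovered without the key."""
    digits = normalize_pan(pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def marketing_record(tx: dict) -> dict:
    """Copy of a transaction safe to hand to marketing: sensitive fields
    dropped, PAN replaced by its token plus first-6/last-4 truncation."""
    digits = normalize_pan(tx["pan"])
    safe = {k: v for k, v in tx.items() if k not in SENSITIVE_FIELDS}
    safe["customer_token"] = tokenize_pan(digits)
    safe["pan_truncated"] = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
    return safe
```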
The only way to truly address this is to let IT be in command of all uses of payment card data. That data can be shared with other departments—with the CIO's or IT Director's permission—but an IT person must be involved from beginning to end. Yes, like overworked and layoff-prone IT departments have the time for such things. It may be difficult, but it's the only way to minimize payment card surprises—along with fines and lawsuits—later on. In case you've forgotten, IT will get blamed at that point, no matter who did what, so you might as well take charge now.