Information security programs are notoriously difficult to implement. They are likely to cost money or negatively impact business operations or both. Business leaders want to think about making more money or reducing costs.
Info-sec projects typically are sold on the "risk avoidance" platform, which is not the best political platform to be campaigning on. When it comes to difficult business cases, sometimes you need to package your projects differently—like, say, a tokenization program disguised as a loyalty program.
There is no doubt that one of the best ways to fight credit-card security issues within a retail environment is to remove the credit-card numbers from the system. As a retail CIO, you have fought the good fight with PCI for years, and finally tokenization has become a reality. You anxiously present the tokenization business case to the executives, only to get shot down in under 15 minutes. "We are already compliant without this, right? Why would we spend additional money for every transaction when we already pass the test?" You fight back with the "secure vs. compliant" argument but only dig a deeper hole. "The PCI rules are ridiculous and change almost every day. We are not spending any more money on PCI than we absolutely have to."
A month later, you are back in front of the same executives. The marketing chief is talking about how your brand needs a new, leading-edge loyalty program. You offer up that there is new technology in place that will enable your brand to create a loyalty system without forcing customers carry another plastic card, tag or smartphone application. You can simply and safely use the consumers' credit-card numbers to track their purchases. "It is even PCI compliant," you throw in for good measure. You leave out the fact that this technology is called "tokenization" and focus on the benefits of a credit-card-based loyalty solution. Now you've got everyone's attention, and they want to know more.
First, a rant: I find it ridiculous that in today's payment environment tokenization is being sold at an additional cost over traditional payment processing. It is in everyone's best interest to secure these transactions as much as possible. The fact that merchants are being charged more to implement a system that, frankly, should have been designed this way from the start is beyond laughable. But hey, the payment industry is the technology equivalent to the Twilight Zone.In itself, a tokenization solution is not a loyalty platform, but it is one element of a foundation for one. Figuring out how to track customer purchases for loyalty offers is one of the most difficult components of building a loyalty program. Asking customers to carry a piece of plastic is so 1990s.
That being said, tokenization is a great place to start. First, you must make sure that your tokenization vendor provides a consistent token for a credit-card transaction. Next, the token is only the identifier. You must build or buy a campaign management system that does something with that identifier.
You must also be careful about how and if you implement Track 2 data (hint: don't). Although it may be tempting to leverage the Track 2 data for customer information other than the PAN, Track 2 data is still considered card data and, therefore, is covered by PCI. It may hurt, but you need customers to provide their data again—just like you would with any other loyalty program.
Doing so is a good idea for two reasons: First, it enables customers to implicitly opt-in to loyalty offers versus being freaked out that you are tracking their purchases. Second, it enables you to capture their cell-phone numbers, which are critical for a mobile loyalty offering.
Finally, you need to work with your POS provider (or some other point of purchase technology) to build a redemption system for your loyalty platform. This enables you to build a closed-loop system that, in turn, enables you to quantitatively track the ROI of your loyalty marketing campaigns.
Warning: By implementing this marketing system you may increase your information security. It is strongly recommended that you utilize hardware encryption to implement your new loyalty solution. Side effects may include reduced PCI scope. Consult your QSA if your PCI scope does not reduce after implementing.
What do you think? If you disagree (or even, heaven forbid, agree), please comment below or send me a private message. Or check out the Twitter discussion on @todd_michaud.