Stores Magazine - October 2007 - (Page 32) EXECUTIVE SUITE / COVER STORY

tion for consumers by ensuring that merchants met minimum levels of data security. In the interest of simplifying the process, the card companies came together in December 2004 (along with Tokyo-based JCB Company) and aligned their individual policies to create PCI DSS, a worldwide data security standard that applies to any merchant or organization that stores, transmits or processes cardholder data. The security standard is maintained and updated by the PCI Security Standards Council, with Visa taking the lead in managing compliance enforcement.

The Council has outlined 12 requirements for data security, including: install and maintain a firewall; do not use vendor-supplied defaults for system passwords and other security parameters; protect stored data; encrypt transmission of cardholder data and sensitive information across public networks; and use and regularly update anti-virus software. Still, the 12 requirements, referred to in industry circles as the “digital dozen,” belie a list of more than 200 controls that retailers are required to carry out.

Since 2005, compliance deadlines have come and gone, and initial threats to impose onerous fines on non-compliant businesses have eased a bit. Still, merchants say that fines and the threat of increased transaction rates for non-compliance remain a key concern. While Visa declined to be interviewed for this story, Eduardo Perez, vice president of Visa USA, told NRF’s CIO Council that the fines are not intended to cripple a company but rather to act as an incentive.

Resolve to change

Rob Garf, vice president of retail strategies for Boston-based AMR Research, insists it’s important that CIOs not view PCI as something they merely need to check off their “to do” list. “It presents an opportunity to look at data management, security and access controls and to enact standard processes around these procedures,” he says.
Garf acknowledges the challenges retailers face in working toward compliance goals. “Close to 60 percent of retail software programs in use today are legacy or customized packages, which makes compliance especially difficult,” he says. Garf also is quick to point out that compliance comes at a cost: research AMR conducted earlier this year found that CIOs anticipated spending on security and compliance to increase 38 percent from 2006, with PCI compliance grabbing the biggest share. “CIOs have a right to be cranky, but the reality is that there are security issues that we as an industry need to resolve,” Garf says. “In most companies there are too many people with too much access to data, for example. This is an opportunity for retailers to fix the problem.”

Likewise, Steve Rowen and Brian Kilcourse, principals of Retail Systems Research, insist that data security is a fluid problem. “Compliance takes more than technology,” Rowen says. “It takes internal alignment and it takes education. The goal of PCI is not solely to achieve compliance and go home; it’s about developing comprehensive processes for the logical treatment of data.”

Kilcourse insists that the greatest problem facing retailers is that PCI DSS says what compliance is, “but not how to be compliant. It’s turning out to be a much larger project than most retail CIOs imagined, and it’s not at all clear that following the PCI checklist insulates retailers against future breaches.

“Just as cyberthieves aren’t going to be content with their current toolbox of hacks, retailers and other businesses need to develop processes that can continuously monitor the technology environment, even as conditions change,” he says. “PCI DSS is the first battle, not the endgame.”

Journey without a roadmap

Retail CIOs say that’s part of the reason why they’re frustrated by deadlines and complexity.
“There’s no question that good can come out of this process,” says a Texas-based retail CIO who requested anonymity. “PCI forces you to think differently about securing data and who should have access to data. The problem is that it’s a journey without a road map — and you have to get there by a certain time or you’ll be fined.”

A California-based CIO shared her story. “I’ve got legacy systems, vendor partners who can’t seem to agree on how to fix problems in my software applications and employees who complain every time I take another step toward locking down data that they previously had access to and putting more controls in place around key management. . . . It’s as if you push the balloon here and it pops out on the other side,” she says.

Gaggion recalls the hurdles the RBA team faced on the road to compliance. “The most significant challenge proved to be learning what the PCI requirements were and how they related to our systems,” he says. “Doing the work, while time consuming, was not as challenging as figuring out what needed to be done.”

Gaggion offers advice to those still trying to achieve compliance. “If you cut corners or costs, you’ll be spending more money in the long run. PCI requirements protect your data and