Evan Schuman's StorefrontBacktalk

One of the fundamental challenges of PCI compliance is that the rules assume the CIO knows where all of the company’s data is. In today’s typical retail enterprise, though, this can be a remarkably flawed assumption.

This is not to say that most executives don’t know where their data starts and where it’s sent. But as data routes its way through off-site backup, into employees’ laptops and USB flash drives, is shared with key customers and partners over an extranet and even spoken in a call center, that data can end up in quite a few unexpected places.

One of the data residences that often gets ignored by IT executives is off-site storage, said Terri Quinn-Andry, the executive at Cisco who is most directly involved in the vendor’s various PCI efforts.

Quinn-Andry said that she will often ask IT executives if they know how their data is being treated during off-site backup, and they invariably say they do. She’ll then ask them how their off-site backup firm handles that data if the LAN crashes.

Her follow-up question: What then occurs to your data when your network comes back up? "Is the data gotten rid of completely when it comes back up? Or do they just send you a copy? Do they store it only in their data center or do they store it in laptops?"

Most senior execs don’t know the answers to those questions, which is not surprising, given that they rarely know the answers when it comes to their own employees’ actions with regard to data. For example, what data is being taken home at night in laptops or thumb drives? By whom? Do you know if it’s being copied to a home computer? If so, is that home computer used by other family members? If so, do any of those family members visit music-downloading sites or other places where data thieves tend to lurk?

Some in the industry have joked that file sharing via Ethernet may soon be trumped by file-sharing via corporate laptops stolen from cars.

"You need to know where your data is at all times, in rest and in motion," Quinn-Andry said. "The large majority [of executives] don’t know where that data is or where it goes."

This data-tracking problem is not unsolvable, but it can’t be addressed until executives start realizing how little they know about their own data.

"The first step in protecting data is figuring out where it is. And today, they simply do not know all of those places," said David Taylor, a former security analyst with Gartner who today runs the PCI Knowledge Base. "Users know the repositories. What they don’t know is what individuals have done to that information after it’s been received."

A handful of the largest retailers today do track such information, Taylor said, using comprehensive data flow diagrams that "include the flows, the temp files, the repositories, and the types of security—such as access controls, encryption and logging—provided to the data at each point."

But most are not so rigorous, and that can waste a lot of money. "Without such diagrams and process analysis, it is very easy for a merchant to spend a lot of money segmenting networks, implementing access controls for credit card data, only to have to completely re-do the process to protect Social Security numbers and other types of personally identifiable information."

Sometimes, the data leaks can be accidental and not even necessarily something that IT departments would even consider their jurisdiction.

Take, for example, call centers. Although officially discouraged, it’s typical for call center employees to repeat credit card and other sensitive information back to customers for verification. Such information can now be heard by other people in that office, including some who might be tempted to jot it down and try and sell it. The data would have been accessed from a call they hadn’t even taken.

Let’s take that call center scenario one step further. Most customers talking with a call center rep can overhear what that rep’s cubicle neighbors are saying. What if those reps are using voice-over-IP systems at the time? All of those conversations can now easily be converted into data and stored.

Quinn-Andry said her company, Cisco, tries to factor many of these issues into some of its security suites–preventing employees, for example, from copying sensitive data into Word files and even suggesting cubicle distance to reduce data being overheard.

Cisco is soon going to start its PCI push beyond retail and into the healthcare sector. But the world of hospitals, doctors’ offices and laboratories has some key differences with a retail chain. Hospitals, for example, are more resistant to wireless communications because of the potential interference with medical testing devices.

Medical facilities also have other data handling rules to contend with, such as 1996’s Health Insurance Portability and Accounting Act (HIPAA). Taylor notes that HIPAA has just recently started to try and get tough about enforcing its own data regulations.

"HIPAA’s been around for 12 years and the first HIPAA audit that resulted in a fine just happened," Taylor said, referring to a July 16 fine for $100,000 assessed to the Providence Health & Services company in Seattle. "This is the start of them getting serious about enforcing the security of personal health data. Hospitals and others are sitting up and taking notice."

Although medical facilities do tend to take privacy issues more seriously than the typical retailer, the ROI challenge is similar. The only CIO-to-CFO argument to spend more money on security isn’t rooted in profit and revenue. It’s based almost exclusively on risk-avoidance. For both retailers and healthcare, the risk is legal as well as the potential for losing customers.

But the loss of private information without immediate and significant financial impact can be a difficult case for a consumer to win in court.

As for the loss of customers following a well-publicized major breach, the experiences of TJX and Hannaford—which both had massive breaches and bad publicity, with neither enduring revenue loss—suggest that hospitals have little to worry about.

After all, if a massive breach won’t get consumers to make the effortless change of shopping at BestBuy versus Circuit City, what are the chances it will make them change doctors or hospitals?