NRF + PCI = CIO Job Security
Written by Walter ConwayFor retail CIOs, this is the worst of times and it is the best of times. It may be the worst of times because the emergence of smartphones at the POS, the increase in the amount and availability of customer data, and the growing tokenization and end-to-end (E2E) encryption options may have CIOs (and their QSAs) reaching for the aspirin bottle. On the other hand, it may be the best of times because the CIOs who can address these challenges will be rock stars in their companies.
At the National Retail Federation (NRF) show this week, several vendors were pitching payment card readers (and other peripherals) that could attach to a smartphone, thereby converting it into a POS device. Some of the readers are already PCI PTS approved. With one of these and a Blackberry, merchants can move the POS from a fixed counter to anyplace inside–or even outside–their stores. And the best part is that merchants can have this wireless capability for a price far less than current wireless POS devices offered by most manufacturers. I can think of several merchants I work with that will be looking at these devices very seriously.
But the PCI implications are complicated. An audience question at the 2008 PCI Annual Meeting probed whether iPhones and Blackberry devices would be in scope for PCI. The response from the Council staff (and many others in the audience) was that this question was a pretty far out, because nobody could figure out how or why these devices would ever be in scope. Everyone was thinking only about using smartphones to access stored cardholder data–not to generate the data.
The present DSS can address these hybrid devices (e.g., secure communication, encryption), but, as a QSA, I might have additional concerns. The smartphones will, presumably, be used for other purposes. We already have examples of viruses and other malware successfully targeting smartphones. Simply protecting the card reader and PIN pad attachments may not be enough to ensure the bad guys don’t compromise the smartphone itself, which would lead to a data compromise. I’m sure the vendors have answers for merchants and their QSAs, but I just haven’t yet heard them.
While in New York, I heard a lot of CIOs talk about balancing the pressure to open systems and databases to more internal users with the need to protect the data. This balancing act will get more interesting as the volume of customer data expands. Note: In the security world, “interesting” is not a nice thing.
One CIO said that “95 percent of our customers are known to us,” which told me there could be a whole lot of personally identifiable information (PII) floating around in companies’ databases.
The issue of PII and data protection is old hat. Nearly every state now has some kind of data breach notification law. I hope CIOs are looking at PCI as a way of protecting all kinds of PII and not just cardholder data. I have to believe thoughtful CIOs are doing this, and that they are having their QSA take a look at and/or train some of their staff on how the DSS can be more broadly applied. You are already doing the work for your cardholder data. It has to make sense to use the same tools for all of your other PII, too.
Unfortunately, applying PCI to the broader collection of PII sets the stage for another dilemma.
-Marc
January 15th, 2010 at 3:58 pm
A nice summary. NRF was certainly buzzing around true End-to-end encryption and tokenization. We’re not taking point to point. End-to-End is from swipe to acquirer, and/or swipe to PAN dependent merchant system – something only possible with new approaches I’ve mentioned here in the past.
What was interesting to me was seeing the contrast in the efforts of various approaches being tried. Some merchants we met for the first time had been struggling for 2 years already or more trying to achieve this and still stuck in pilot with older style tokenization and legacy encryption which struggles when it comes to the change impact in legacy hardware/software and when taking into account critical back office functions like velocity checking and fraud investigations, e-discovery etc. When I described how we’d already taken Tier 1’s through this to PCI compliance in a fraction of that time with Format Preserving Encryption there was a lot of excitement – these new approaches avoid exactly the change impact they were struggling with in integrating encryption and tokenization into the complex merchant legacy environment and processes.
Another highlight for me was how many merchants really do see the need to go well beyond PCI DSS which as you note is falling behind the fast path merchants are heading in new areas like mobility – what a hot topic at NRF! Merchants not only want to explore new payments acceptance like mobile, but want to also cover employee data, partner communications, and other privacy regulated data in a single swoop. Of course, our conversations drift to those areas as we solve those challenges too with our overall data protection platform – but it was striking nonetheless. The concern being what’s the point of investing several million in PCI compliance and focus just on credit card data and and leaving equally sensitive data at risk – SSN’s, Tax Data, competitive strategy information, HR data on vast numbers of past and present employees in a very high staff turnover business.
So from uplifting show at NRF I see 2010 being one of not only E2E and Tokenization in the payments side, but solving the big picture – sensitive data organization wide. That’s where the real ROI will be for merchants in data protection investments. No point being the front page breach news if your systems are compromised and all your employee data is exposed – its the same reputation and brand damage impact.