NRF + PCI = CIO Job Security

Written by Walter Conway
January 14th, 2010

For retail CIOs, this is the worst of times and it is the best of times. It may be the worst of times because the emergence of smartphones at the POS, the increase in the amount and availability of customer data, and the growing tokenization and end-to-end (E2E) encryption options may have CIOs (and their QSAs) reaching for the aspirin bottle. On the other hand, it may be the best of times because the CIOs who can address these challenges will be rock stars in their companies.

At the National Retail Federation (NRF) show this week, several vendors were pitching payment card readers (and other peripherals) that could attach to a smartphone, thereby converting it into a POS device. Some of the readers are already PCI PTS approved. With one of these and a Blackberry, merchants can move the POS from a fixed counter to anyplace inside–or even outside–their stores. And the best part is that merchants can have this wireless capability for a price far less than current wireless POS devices offered by most manufacturers. I can think of several merchants I work with that will be looking at these devices very seriously.

But the PCI implications are complicated. An audience question at the 2008 PCI Annual Meeting probed whether iPhones and Blackberry devices would be in scope for PCI. The response from the Council staff (and many others in the audience) was that this question was pretty far out, because nobody could figure out how or why these devices would ever be in scope. Everyone was thinking only about using smartphones to access stored cardholder data–not to generate the data.

The present DSS can address these hybrid devices (e.g., secure communication, encryption), but, as a QSA, I might have additional concerns. The smartphones will, presumably, be used for other purposes. We already have examples of viruses and other malware successfully targeting smartphones. Simply protecting the card reader and PIN pad attachments may not be enough to ensure the bad guys don’t compromise the smartphone itself, which would lead to a data compromise. I’m sure the vendors have answers for merchants and their QSAs, but I just haven’t yet heard them.

While in New York, I heard a lot of CIOs talk about balancing the pressure to open systems and databases to more internal users with the need to protect the data. This balancing act will get more interesting as the volume of customer data expands. Note: In the security world, “interesting” is not a nice thing.

One CIO said that “95 percent of our customers are known to us,” which told me there could be a whole lot of personally identifiable information (PII) floating around in companies’ databases.

The issue of PII and data protection is old hat. Nearly every state now has some kind of data breach notification law. I hope CIOs are looking at PCI as a way of protecting all kinds of PII and not just cardholder data. I have to believe thoughtful CIOs are doing this, and that they are having their QSA take a look at and/or train some of their staff on how the DSS can be more broadly applied. You are already doing the work for your cardholder data. It has to make sense to use the same tools for all of your other PII, too.

Unfortunately, applying PCI to the broader collection of PII sets the stage for another dilemma.


One Comment

  1. Mark Bower Says:

    A nice summary. NRF was certainly buzzing around true End-to-end encryption and tokenization. We’re not talking point to point. End-to-End is from swipe to acquirer, and/or swipe to PAN dependent merchant system – something only possible with new approaches I’ve mentioned here in the past.

    What was interesting to me was seeing the contrast in the efforts of various approaches being tried. Some merchants we met for the first time had been struggling for 2 years already or more trying to achieve this and still stuck in pilot with older style tokenization and legacy encryption which struggles when it comes to the change impact in legacy hardware/software and when taking into account critical back office functions like velocity checking and fraud investigations, e-discovery etc. When I described how we’d already taken Tier 1’s through this to PCI compliance in a fraction of that time with Format Preserving Encryption there was a lot of excitement – these new approaches avoid exactly the change impact they were struggling with in integrating encryption and tokenization into the complex merchant legacy environment and processes.

    Another highlight for me was how many merchants really do see the need to go well beyond PCI DSS which, as you note, is falling behind the fast path merchants are heading in new areas like mobility – what a hot topic at NRF! Merchants not only want to explore new payments acceptance like mobile, but want to also cover employee data, partner communications, and other privacy regulated data in a single swoop. Of course, our conversations drift to those areas as we solve those challenges too with our overall data protection platform – but it was striking nonetheless. The concern being what’s the point of investing several million in PCI compliance and focusing just on credit card data and leaving equally sensitive data at risk – SSNs, Tax Data, competitive strategy information, HR data on vast numbers of past and present employees in a very high staff turnover business.

    So from an uplifting show at NRF I see 2010 being one of not only E2E and Tokenization on the payments side, but solving the big picture – sensitive data organization wide. That’s where the real ROI will be for merchants in data protection investments. No point being the front page breach news if your systems are compromised and all your employee data is exposed – it’s the same reputation and brand damage impact.

