This is page 2 of:
NRF + PCI = CIO Job Security
More people will want and need access to all kinds of customer data. Yet a principle of PCI is limiting access to who can see the data and how much they can see. What’s a CIO to do?
My guess is that each company will make tradeoffs based on business requirements. The one thing that is beyond discussion, in this QSA’s opinion, is that the CIO owns the data. The reason I say that is because in response to a question about who owns the data, I heard someone say “Everyone owns it.”
Unfortunately, the reality is that when everyone owns something, no one owns it (If you don’t believe me, walk into a public lavatory some time). Everyone may have an interest in the data, but reality dictates that there is only one owner and that owner is the CIO.
On the NRF expo floor, I asked several software and hardware vendors plus bank acquirers and card processors what were they hearing from the other attendees (versus what they were pitching). I was pleasantly surprised when they said people were asking about PCI and how the vendor’s product could help the merchant get compliant. “You hear PCI everywhere,” one said.
Both tokenization and E2E encryption technologies were well represented at the NRF conference. At a retail CIO workshop before the NRF (where I participated in a panel discussion), two-thirds of the attendees said they were exploring not one approach but both tokenization and E2E technologies to help with PCI compliance. The number who said they were solely doing tokenization was—not surprisingly—zero.
Another sign that the technologies are maturing is that I didn’t hear any vendors on the expo floor overpromising. Every single one that I heard from emphasized that it could only reduce–often dramatically–a merchant’s PCI scope; not one vendor promised a silver bullet.
I am a fan of both tokenization and E2E encryption, but only when properly implemented. Each has advantages. There seems to be two general approaches to tokenization: generate a unique token for each transaction or generate an identical token if the same card is used again.
Although either can do the job, it seems the latter approach may lend itself more easily to replacing cardholder data (e.g., PANs) in velocity checking and CRM systems and, ultimately, to removing those systems from PCI scope. Because the goal is to minimize PCI scope, this latter approach may be the easier path to taking more systems out of scope if you are looking at tokenization.
I’d like to hear what you think. Were you at the NRF expo? What did you hear about PCI? Are you looking at tokenization and E2E encryption? If you had to skip the “Big Show” this year, what did you miss? Do you plan to be the database rock star of your company? Leave a comment or E-mail me at wconway@403labs.com. I want to hear from you. And special thanks to all of you who have left comments or sent me E-mails.
January 15th, 2010 at 3:58 pm
A nice summary. NRF was certainly buzzing around true End-to-end encryption and tokenization. We’re not taking point to point. End-to-End is from swipe to acquirer, and/or swipe to PAN dependent merchant system – something only possible with new approaches I’ve mentioned here in the past.
What was interesting to me was seeing the contrast in the efforts of various approaches being tried. Some merchants we met for the first time had been struggling for 2 years already or more trying to achieve this and still stuck in pilot with older style tokenization and legacy encryption which struggles when it comes to the change impact in legacy hardware/software and when taking into account critical back office functions like velocity checking and fraud investigations, e-discovery etc. When I described how we’d already taken Tier 1’s through this to PCI compliance in a fraction of that time with Format Preserving Encryption there was a lot of excitement – these new approaches avoid exactly the change impact they were struggling with in integrating encryption and tokenization into the complex merchant legacy environment and processes.
Another highlight for me was how many merchants really do see the need to go well beyond PCI DSS which as you note is falling behind the fast path merchants are heading in new areas like mobility – what a hot topic at NRF! Merchants not only want to explore new payments acceptance like mobile, but want to also cover employee data, partner communications, and other privacy regulated data in a single swoop. Of course, our conversations drift to those areas as we solve those challenges too with our overall data protection platform – but it was striking nonetheless. The concern being what’s the point of investing several million in PCI compliance and focus just on credit card data and and leaving equally sensitive data at risk – SSN’s, Tax Data, competitive strategy information, HR data on vast numbers of past and present employees in a very high staff turnover business.
So from uplifting show at NRF I see 2010 being one of not only E2E and Tokenization in the payments side, but solving the big picture – sensitive data organization wide. That’s where the real ROI will be for merchants in data protection investments. No point being the front page breach news if your systems are compromised and all your employee data is exposed – its the same reputation and brand damage impact.