PCI Compliance: Who’s Re-Minding The Store?

Written by Evan Schuman
June 26th, 2008

Guest Columnist David Taylor is the Founder of the PCI Knowledge Base, Research Director of the PCI Alliance and a former E-Commerce and Security analyst with Gartner.

Internal audit is not staffed to enforce PCI at the store level. Except for about a dozen leading retailers, most retailers do not have enough IT-skilled internal auditors to meet the requirement for a "continuous" review of store-level IT security.

Since almost no one can afford to add another group of people with both auditing and IT skills, and most retailers cannot afford to pay consulting firms to do this either, I tend to recommend very specific PCI audit training courses for your internal audit staff. One way to do this is to send them to the same two-day course that PCI auditors go through.

Another, less expensive, approach is to send one person to such a course and then do your own internal PCI audit training course. The other advantage of this is that you will be able to gradually broaden your base of "security aware" persons. That’s one of the techniques I have seen leading merchants use to successfully build a "culture of security" that extends to the stores.

I was talking with two senior executives recently about a "culture of security." They argued articulately that if upper management signals to the organization that it cares about protecting customer information, the company can use that to differentiate itself in the marketplace. While I agree, I tend to find that this works well at corporate, but the message doesn’t seem to make it to the stores.

As we’ve seen with the PCI Knowledge Base, which we’re doing with the National Retail Federation, this is a key issue. When I ask about store-level security and compliance, I find there is universal agreement that there are far more vulnerabilities at the store level and far less review of those vulnerabilities, either by internal staff or by PCI assessors.

Most retailers need to define an incentive program to enforce policies. About two months ago in this column, I wrote about the importance of "deputizing" store managers to watch for security breaches. Since then, it’s become clear that in order to change the culture, retailers have to provide incentives to these "deputies" in order to actually impact key metrics such as shrinkage, fraud and chargeback rates.

The other important technique is to link the PCI compliance initiative to these same security metrics. For example, a PCI project manager who wants to "embed" PCI compliance into the corporate culture would be well advised to spend about 20 hours, spread over several weeks, to create a presentation for management that shows how PCI compliance can not only reduce risk but also impact key financial metrics such as fraud and chargeback rates.

Three PCI managers who also own fraud management and report to the CFO have said that linking PCI compliance to financial performance is a great way to get executive attention and budget. And since all these metrics are key to individual store performance, this is one of the ways to gain the support of store management for PCI compliance, circling back to the whole "deputize" argument.

Get rid of confidential data, permanently. The goal is to remove all credit card and other confidential data from the stores, rather than to advocate a particular card processing schema. Even as you work to build a culture of security and proliferate it to the stores, you will probably need to do more than segment your networks to reduce your liability long term.

Leading retailers, as well as educators, need to shift their focus from data protection to data elimination. In some cases retailers simply do not collect the data in the first place. More commonly, leading retailers talk about replacing card data at the POS with surrogate data (tokens), keyed hashes or partial masking, so that the full numbers cannot be retrieved from what the store keeps. One caveat: a hash only achieves this if it cannot be recomputed from the masked value, so an unkeyed hash stored next to a truncated PAN does not count.

These techniques will (according to most PCI assessors) greatly reduce the assessment scope, as well as the risk. Outsourcing payment processing will also do this, but you’re shifting the risk rather than eliminating it.
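As an added example, not code from the column or from any retailer it describes, the following Python compares the three replacement techniques just discussed and shows the check an assessor would want: a masked PAN (first six, last four) is safe to keep, but a bare SHA-256 of the same PAN stored beside it can be brute-forced, because the mask leaves only the middle digits unknown and the visible check digit fixes one of those. A keyed surrogate (HMAC with a key held outside the store) defeats the same search. It assumes a 16-digit PAN, uses the public Visa test number 4111 1111 1111 1111 as constructed sample data, and uses a placeholder key that in practice would live in a token vault or HSM.

```python
"""Added example (not from the column): masking a PAN is safe to keep, but a
bare hash of the same PAN is not, because the masked value narrows the hash
search space enough to brute-force. A keyed surrogate (HMAC with a key held
outside the store) resists the same attack.

SAMPLE_PAN is the public Visa test number, not real card data (constructed
sample input); DEMO_KEY is an assumed placeholder for a key that would live
in a token vault or HSM.
"""
import hashlib
import hmac
import itertools

SAMPLE_PAN = "4111111111111111"   # constructed/test value, Luhn-valid
DEMO_KEY = b"assumed-demo-key-kept-outside-the-store"

# Inverse of the Luhn "double and subtract 9" step: maps a required
# contribution back to the single digit that produces it.
_DOUBLE_INV = {0: 0, 2: 1, 4: 2, 6: 3, 8: 4, 1: 5, 3: 6, 5: 7, 7: 8, 9: 9}


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six (BIN) and last four: the truncation allowed on receipts and screens."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def plain_hash(pan: str) -> str:
    """Unkeyed SHA-256 of the PAN: anyone who knows the PAN format can recompute it."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_surrogate(pan: str, key: bytes) -> str:
    """HMAC-SHA256 surrogate: without `key` an attacker cannot test candidates."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def _luhn_sum_excluding(digits: str, skip: int) -> int:
    """Luhn total of `digits` with the digit at index `skip` left out."""
    n = len(digits)
    total = 0
    for idx, ch in enumerate(digits):
        if idx == skip:
            continue
        d = int(ch)
        if (n - 1 - idx) % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total


def candidate_pans(masked: str):
    """Yield every Luhn-valid PAN matching a first6/last4 mask.

    The check digit sits in the visible last four, so the final hidden digit
    is forced by the other hidden digits: a 16-digit PAN leaves 10**5
    candidates, not 10**6."""
    n = len(masked)
    n_hidden = masked.count("*")
    prefix, suffix = masked[:6], masked[-4:]
    free_idx = 6 + n_hidden - 1             # hidden position solved via Luhn
    doubled = (n - 1 - free_idx) % 2 == 1
    for free in itertools.product("0123456789", repeat=n_hidden - 1):
        stem = prefix + "".join(free) + "0" + suffix
        need = (-_luhn_sum_excluding(stem, free_idx)) % 10
        d = _DOUBLE_INV[need] if doubled else need
        yield stem[:free_idx] + str(d) + stem[free_idx + 1:]


def recover_pan(digest: str, masked: str, hash_fn=plain_hash):
    """Attacker's view: a stored digest plus the masked PAN from a receipt.

    `hash_fn` is what the attacker can compute. Against plain_hash the search
    succeeds; against an HMAC whose key the attacker lacks it returns None."""
    for cand in candidate_pans(masked):
        if hash_fn(cand) == digest:
            return cand
    return None


if __name__ == "__main__":
    masked = mask_pan(SAMPLE_PAN)
    print("masked:", masked)
    print("plain hash recovered:", recover_pan(plain_hash(SAMPLE_PAN), masked))
    print("keyed surrogate recovered:",
          recover_pan(keyed_surrogate(SAMPLE_PAN, DEMO_KEY), masked))
```

The point for scope reduction is the last line: once the store only holds the mask plus a surrogate that cannot be recomputed without a key it never sees, the full PAN is genuinely gone from that location, which is what lets an assessor take the system out of scope. A bare hash next to a truncated PAN leaves the store holding the card number in a thinly disguised form.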

Re-engineering card number-dependent applications and processes takes time. But the leading retailers like to point out that they’ve known about this problem for at least 4 to 5 years. They say what sets them apart from others is that they began working to permanently eliminate the data (and the associated risk) back in 2004 and 2005, while other retailers postponed addressing the problem until faced with fines from their acquiring bank.

For retailers just now getting PCI compliant at corporate, involve the stores as soon as possible via an online intranet training program and the other techniques described above.

If you’re a retailer, we want to get you involved in the best practices study we’re doing for the National Retail Federation. If you’d like to participate, send me an E-mail at


2 Comments

  1. A reader Says:


    The very idea that this suggestion can be made with a straight face shows just how far removed from reality the Payment Card Industry really is.

    They expect stores staffed by minimum-wage cashiers and I’m-the-manager-because-I’ve-got-my-driver’s-license supervisors to study PCI DSS? Stores that are on the brink of financial collapse should spend their remaining money on training, instead of paying the rent on time? I’m not sure whether I should be more amused than outraged, but I think I have room for both.

    The PCI has to bite the bullet here. They need to fundamentally change how credit is done, not demand that a leaky pipe patch itself. The job of protecting transactions has to be moved to the hands of the issuers, and removed entirely from the retail chain. Only then will they have a system where fraud can be controlled, and customers protected.

  2. david taylor Says:

    The thrust of my column came not from the PCI standards but from interviews I conducted with retail CIOs, CISOs and PCI project managers. To quote one senior executive at a Level 1 retailer, which has been PCI compliant for 3 years: “Despite the wording of the PCI standards, the technologies of security are secondary. You can have the latest security technologies and still have security breaches, unless upper management creates a culture of security awareness, and works to get employees (management, corporate and store employees) to genuinely care about security. You have to make it something that people look forward to, and feel proud of. Then it becomes part of your culture.”

