PCI Education More Neglected Than We Thought
Written by Walter Conway. A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.
Two recent surveys of how merchants approach PCI compliance—one by Cisco Security Solutions, the other a joint survey by the National Retail Federation and First Data—provide insights into merchant attitudes, priorities and challenges. Although the two surveys differ in several respects, a common theme emerges when you reflect on their findings: the critical role of educating merchant staff in the proper handling of payment card data.
The Cisco survey was comprehensive, with over 500 responses from IT executives across a wide range of vertical industries. Respondents included large Level 1 merchants as well as smaller Level 2 and Level 3 merchants.
The survey has a lot of good news. Respondents were familiar with PCI requirements, and 70 percent said their organizations were more secure because of PCI compliance than they would have been otherwise. This result appears to be quite an endorsement of PCI, even though some respondents felt the requirements were “burdensome.” My response to the burdensome reference is that nobody ever said security was easy, just that it was smart.
Although the Cisco survey addressed several very interesting areas (e.g., how much money respondents’ companies spent on PCI over the past five years, spending plans for 2011, etc.), I was struck by the responses to Question 33: What problems are you experiencing with regard to PCI compliance; check all that apply.
The top vote-getter was not any perceived vagueness or “lack of clarity” in the PCI requirements (mentioned by 22 percent), lack of staff resources (28 percent), needing to change entrenched business practices (29 percent) or even the second most-mentioned option, upgrading “antiquated systems” to make them compliant (32 percent). Rather, the number-one challenge was educating employees on the proper handling of cardholder data, selected by a whopping 43 percent of respondents.
That a group of 500 IT executives responsible for PCI compliance rated educating their internal staff on how to handle sensitive cardholder data as their biggest PCI challenge is interesting. It signals a PCI disconnect within merchants. At one level, this result tells me that IT executives believe they can handle the technical requirements of PCI, but they are worried about what their internal users are doing. At another level, it says merchants still view PCI as an IT issue and not a business issue. Most interestingly, though, it says that perhaps the cheapest tool you have (i.e., education) may be the one with the biggest impact on your organization’s security and PCI compliance.
My take is that by “education,” the IT executives surveyed did not mean three-day, intensive PCI training courses. Rather, I believe they meant training for anyone who comes in contact with cardholder data, including sales staff, store managers and marketing analysts, on what they can and cannot do with that data. You can encrypt and protect your data as much as you want. But once users gain access to the unencrypted data, you have lost control.
Training reinforces your data protection policies, like not sending primary account number (PAN) data in an E-mail, not loading cardholder data on a flash drive so you can work on it at home, and not keeping spreadsheets or scans containing cardholder data on a laptop. I have seen each of these practices, by the way, and I know what these IT executives know: You have users who think keeping PAN data in a spreadsheet on their laptop is not retaining electronic cardholder data; it’s just them being productive.
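Training tells users not to keep PANs in spreadsheets, e-mails and scans; the complementary check a QSA or merchant security team runs is a scan of those files for anything that looks like a card number, so the "productive" spreadsheets get found before an assessor or an attacker finds them. The following is an added example, not code from the column or from any of the surveyed organizations: a small Python PAN finder that pulls 13- to 19-digit runs (with the spaces or dashes people type into spreadsheets) out of text lines, keeps only those that pass the Luhn mod-10 check so phone and order numbers are not reported, and masks each hit to first six/last four before reporting it, so the scan report itself does not become a new store of cardholder data. The sample lines are constructed and use only the well-known Visa, Mastercard and Amex test numbers; the function and constant names are this example's own.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side (avoids slicing longer numeric runs).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers (assumes digits only)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the digit-only PANs in text that are Luhn-valid, in order found."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Mask to first six and last four digits, the most PCI DSS allows to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_lines(lines) -> list:
    """Return (line number, masked PAN) for every Luhn-valid PAN in the lines."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for pan in find_pans(line):
            hits.append((lineno, mask_pan(pan)))
    return hits


# Constructed sample lines standing in for an exported spreadsheet or mailbox.
# The card numbers are public test PANs, not real cardholder data.
SAMPLE_LINES = [
    "Refund for order 1234567890123 approved",            # 13 digits, fails Luhn: ignored
    "Cust phone 555-123-4567, card 4111 1111 1111 1111",  # Visa test PAN with spaces
    "Chargeback: 5555-5555-5555-4444 exp 12/12",          # Mastercard test PAN with dashes
    "Amex on file 378282246310005",                       # 15-digit Amex test PAN
    "Typo'd card 4111111111111112 rejected",              # fails Luhn: not reported
]

if __name__ == "__main__":
    for lineno, masked in scan_lines(SAMPLE_LINES):
        print(f"line {lineno}: possible PAN {masked}")
```

Run against real exports (a spreadsheet saved as CSV, a mail archive converted to text, OCR output from scans) the same `scan_lines` loop gives you the list of files that training says should not exist. Luhn filtering removes most numeric noise but not all of it: a 16-digit internal identifier has a one-in-ten chance of passing, so treat hits as leads to verify, and keep the report masked so the scan does not itself leave unencrypted PANs on the analyst's laptop.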
February 2nd, 2011 at 10:25 am
Walt, I had an interesting conversation on this last week with a mutual contact in the QSR business. He had an interesting perspective – maybe it is not so much a case of the smaller merchants being unaware, maybe it is a case of not wanting to admit it. Maybe it is human nature to not want to admit that you know it is a problem, but since you really perceive it as an expensive hassle, you are less likely to admit that on a survey.
I am not going to pretend to be a psychiatrist, but I do know that many merchants will continue to resist anything that they perceive as an unnecessary cost to their business. Until there is a bigger pain to them in the form of penalties paid for non-compliance, some will simply pretend that the risk of breach does not exist…