PCI: It’s Not Just For Payment Anymore

Written by Evan Schuman
February 14th, 2008

As retail CFOs begrudgingly approve large budgets for PCI compliance efforts (even though many IT departments spend those dollars on projects that have little to do with security), many are discovering that a program designed to protect payment data will also do a fine job of protecting almost any other kind of data.

With CRM systems trying to interact with Web analytics, mobile databases, purchase and returns histories and tons of other non-payment databases, the amount of non-credit-card data that is at risk easily dwarfs Visa transactions.

The common-sense guidelines that are the soul of PCI (securing wireless networks, encrypting stored data, knowing what you retain and retaining only what you need) extend readily to any other data. But the checklist mentality that is PCI's weakness also pigeonholes it as a payment-only program, which is silly.

As much as the amount of data collected by retailers has soared in the last 15 years—coinciding with the emergence of the Web, which made retailers discover the much older Internet—that’s a footnote compared with the data expansion likely to visit merchants in the next three years.

Why? Merged channel, mostly. As retailers mature beyond multi-channel into cross-channel and then into the final phase of merged channel, two things are going to have to happen.

First, every one of those channels will have to clean up its digital record-keeping act. Call center personnel, for example, will need to take extensive notes on every conversation and save them into the system, so that they can later be accessed by their in-store and online counterparts, let alone by other call center staff. In-store associates will have to get used to entering notes into a database after every in-person customer interaction, too.

Second, those records will have to be made homogeneous, and then the floodgates will open for data-sharing. From the IT perspective, that is going to increase customer-specific data by an order of magnitude.

This data will be highly desired by cyber thieves and merchant rivals (there’s a difference?). Conveniently, the same rules within PCI will protect everything else. But to make it work, it’s essential to put those systems and rules into place now, before the next tidal wave of data.
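One concrete way to apply the "know what you retain, retain only what you need" rule to the call-center notes described above, as an added example that is not from the column: the scan below finds card numbers in free-text notes (a regex candidate match confirmed by a Luhn check, so order numbers of the same length are left alone), masks all but the last four digits, removes any card-verification code an agent typed into the note (PCI does not allow the verification code to be stored after authorization), and drops notes older than an assumed 90-day retention window. The sample notes, the 90-day window, the scan date and the test card numbers are all constructed for the example, and the function and field names are my own.

```python
import re
from datetime import date, timedelta

# Constructed sample call-center notes (not from the column). The card numbers
# are well-known test PANs that pass the Luhn check but belong to no account.
SAMPLE_NOTES = [
    {"id": 1, "created": date(2008, 1, 20),
     "text": "Customer called re: return. Card on file 4111 1111 1111 1111, exp 09/10, CVV 123."},
    {"id": 2, "created": date(2008, 2, 10),
     "text": "Asked for store pickup; callback 555-0100; order #1234567890123456 shipped."},
    {"id": 3, "created": date(2007, 10, 30),
     "text": "Refund to 5500000000000004 processed; customer satisfied."},
]

AS_OF = date(2008, 2, 14)   # assumed scan date (the column's date)
RETENTION_DAYS = 90         # assumed retention policy for interaction notes

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A card-verification code an agent typed into the note, e.g. "CVV 123" or "CVC2: 4567".
CVV_FIELD = re.compile(r"\b(CVV2?|CVC2?|CID)\b\s*:?\s*\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits):
    """Luhn check: doubling every second digit from the right, the sum must be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pans(text):
    """Replace every Luhn-valid card number with asterisks plus its last four digits.

    Returns (masked_text, number_of_pans_masked). Digit runs that fail Luhn
    (order ids, tracking numbers) are left untouched.
    """
    count = 0

    def replace(match):
        nonlocal count
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)
        count += 1
        return "*" * (len(digits) - 4) + digits[-4:]

    return PAN_CANDIDATE.sub(replace, text), count


def strip_cvv(text):
    """Remove the verification code entirely; it may not be retained after authorization."""
    return CVV_FIELD.sub(lambda m: m.group(1) + " [removed]", text)


def within_retention(note, as_of, retention_days=RETENTION_DAYS):
    """True if the note is young enough to keep under the retention window."""
    return note["created"] >= as_of - timedelta(days=retention_days)


def scrub_notes(notes, as_of=AS_OF):
    """Apply retention, then scrub each surviving note; returns the notes to keep."""
    kept = []
    for note in notes:
        if not within_retention(note, as_of):
            continue                          # past retention: do not keep it at all
        text = strip_cvv(note["text"])
        text, pans = mask_pans(text)
        kept.append({**note, "text": text, "pans_masked": pans})
    return kept


if __name__ == "__main__":
    for note in scrub_notes(SAMPLE_NOTES):
        print(note["id"], note["pans_masked"], note["text"])
```

The Luhn step is what keeps this usable on real notes: a bare 16-digit regex would mangle order and tracking numbers, and agents would stop trusting the scrubber. Retention is applied before scrubbing because a note that should not exist at all is better deleted than cleaned.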

It will be hard enough keeping up with that new data without having to also learn new privacy data-protection rules. Checklist security is far from ideal, but as an organizational guideline for merchants about to enter a very disruptive data period, it’s actually not a bad start.
