The Price for Peace of Mind

Standards make the world go round more smoothly. Whether it is ISO 9000 certification worldwide or the emerging Payment Card Industry (PCI) compliance standard in the retail sector, standardized practices let companies conduct business uniformly across large markets. That is far more efficient than twisting and turning to meet the different regulatory wrinkles of each jurisdiction.
But meeting such standards is rarely a slam dunk. Since the PCI Data Security Standard was introduced in December 2004, adoption among major retailers has been slow. At the end of 2006, only 36 percent of Level 1 merchants, those handling more than six million card transactions a year, had validated compliance or were in the process of doing so.
Such reluctance has many roots. "For large and medium-sized retailers," says Avivah Litan, vice-president, Gartner Group in Stamford, Connecticut, "to become PCI compliant is a complex undertaking. They have huge legacy IT infrastructures, different IT systems, various existing business practices and thousands of players spread over a large number of locations." Often these functions are managed locally rather than centrally.
"There also is short-sightedness in the boardroom," says Litan. "Retailers have many different demands for their cash. And PCI compliance is not getting its share of the budget since it is not considered a high business priority."
Achieving PCI compliance, like any business decision, involves trade-offs. Spending money to strengthen security, in this case protecting consumers' payment card data, may deliver no short-term financial or operational benefit. Such investments do, however, protect a retailer's reputation and keep it in business by reassuring consumers that credit card purchases will not lead to identity theft and personal financial losses.
"A single national payment standard makes life a bit simpler for us," says a senior executive with a national retailer, speaking on condition of anonymity because of the sensitive nature of corporate security. "But as a large national retailer, we make sure we can comply with the strictest standard so that we comply with all of them." The senior executive explains further: "The PCI standard is based on a commonsense approach to security such as eliminating the unnecessary storage of consumer information. But it is not as challenging as Sarbanes-Oxley (SOX)."
The card brands are serious. On April 1, 2007, MasterCard and Visa began fining Level 1 merchants that had not submitted a Report on Compliance (ROC), as well as those that had not made substantial progress on their existing ROCs.
If that is not enough incentive, in response to the TJX incident Massachusetts lawmakers are now considering a bill that would require retailers to pay for losses when hackers and thieves break into their systems and steal consumers' credit card and other financial data.
"PCI compliance is 100 percent about risk mitigation," the senior executive says. "There is no strong business case for becoming PCI compliant. It does not make transactions proceed faster. In fact, it can slow them down."
"It is expensive and a cost center, not a profit center, since employees do not become more productive," he says. "Nor does it help to boost gross margins. Operationally, the only immediate benefit I can think of is gaining experience in rolling it out in one area so it becomes easier when you do it in another part of the company or the country."
Why then the need for PCI compliance? "No retailer wants to find its name on the front pages of the newspaper the way TJX did," he says.
PCI compliance is complicated because it affects more than credit card transactions. "It becomes a pervasive security exercise," the retailer says, "that involves protecting the IT system, mobile and wireless devices against other types of intrusions with firewalls and other means. We also have to keep out malicious software that creates mischief inside our firewalls, as well as control employee and other access to the system."
In many ways, the implementation follows the mantra of ISO 9000 certification -- learn what you have to do, implement it properly and prove what you have done.
"We were able to upgrade the technological aspects of PCI compliance with our own IT staff and resources," he says. "We only brought in outside help when our own people had scheduling conflicts. We did not need to replace much software since most of it, such as log management applications, was already there. To succeed, the project had to bring in the HR department to communicate to all employees their responsibilities in protecting consumer data."
The retailer also saved time and money by building on work already done elsewhere in the company. "A major project was strengthening our encryption algorithms," he says. "We were already deploying the required level of encryption in California, so we simply had to roll it out in all the other states where we did business."
However, the senior executive does see a possible flaw in the system. "Without any scientific surveys to back me up," he says, "I believe that some assessors [officially called qualified data security companies (QDSCs)] are not as strict as others. They come in gold, silver and bronze levels. Retailers need to choose their assessors carefully to ensure that they get it done properly the first time."
Is 100 percent PCI compliance among Level 1 retailers achievable? "Yes, it is," he says. "It's the price of conducting business with credit cards."
"It's strange," he adds, "but the larger you are, the more you need to become compliant. But the larger you are the more expensive and difficult it is to become compliant. My advice to retailers is to just go out and do it."
Peace of mind is priceless.