
Posted Date: 4/1/2008

PCI Is a Bust, Retailers Need a New Roadmap to Security

In light of recent breaches, the industry is moving credit card security to the top of its priority list. Last week's leading story, RIS Hotline, "PCI May Never Stop Hackers: Time to Rethink Security," drew a huge response regarding the incomplete role that PCI compliance plays.

Dave Hogan of the NRF said last week that PCI compliance was not the answer for retailers seeking a solution to stopping determined criminals. Responses to Hogan's recommendation that security standards need a fresh approach came in from many industry experts, who largely agreed that retailers must look beyond PCI compliance.

"The only way to be safe is to never be secure. PCI has an obligation to not only minimize the risk of credit card fraud today but to recognize that we must continue to challenge the process. Retailers may need to replace or upgrade out-of-date software or magnetic card readers. Some credit card companies and banks may also need to maintain retailer-specific encryption keys so that unencrypted data is never stored or transmitted. This approach might also help us not lose sight of the fact that the real victim is the consumer, whose credit history is affected, who is inconvenienced by the need to replace credit cards and who eventually pays the cost of credit card fraud through higher interest rates and fees." -Bud Wagner, CSC Consulting Group

"The complexity of multiple channels and new wireless options requires that retailers continually evolve their own security protocols. Many Tier One retailers typically develop security protocols in addition to what is provided by the vendor. PCI compliance is just the beginning for retailers. There is an opportunity to look at how/if this information should be stored. Does a customer transaction really need to be stored for one year? Is there an opportunity to change how long we store data and how long the consumer has to question a given transaction? There are other areas where consumer information is stored; this includes CRM and WFM tools (that store employee information)." -Sunita Gupta, Executive Vice President, LakeWest Group, LLC

"PCI is a good start. But it is way too narrow and self-serving a view that was developed by the card companies with very little retailer input. This was mandated from the card companies, and is weighted for their benefit. There are some components of the process that are unnecessary but take time away from doing critical things. The fact that retailers were not part of the PCI process means that PCI is nearsighted in terms of compliance equaling secure. Retailers have hundreds of different hardware and software systems that are combined in some manner. Every system and every person who interacts with these systems is a potential security hole. PCI typically only addresses cardholder data, not all the other sensitive customer and non-customer data in the enterprise." -Greg Buzek, President, IHL Consulting

"PCI compliance, due to its very nature, is not going to provide adequate protection against a well-funded and committed professional adversary who can design specific malware to circumvent these basic security controls. There have been calls to jettison PCI. The premise in these statements, according to David Hogan from NRF, is that if the card companies would simply take responsibility for the storage and security of credit card numbers from the moment of card-swiping forward, there would be no need for retailers to comply with some key aspects of PCI. This position, while seemingly attractive at the surface from a security perspective, is untenable in a multi-trillion dollar consumer-facing industry. The process requires a greater focus on operational security efficacy. PCI was only good in the sense that it jolted retailers to focus on 'Security 101' but it is not the end, simply a catalyst. Retailers now must take matters in their own hands and move beyond PCI to recognize that today's threat environment requires a deeper degree of security monitoring and situational awareness, especially at the application layer." -Eddie Schwartz, Chief Security Officer, NetWitness Corporation

For more information see: NRF Needs to Rally Retailers Around Cyber Security

-Christina Zarrello

All materials on this site Copyright 2010 Edgell Communications. All rights reserved.