Wednesday, November 14, 2007

PCI compliance – are you just checking the box?

I will be presenting at the RSR conference this week, and this has me thinking more deeply about the challenges that retailers face in complying with the Payment Card Industry (PCI) standards. I speak with many retailers in my role – BitArmor helps them secure and manage cardholder data in their environments. One of the challenges that retail CISOs face is selling senior management on the funding of PCI initiatives. Often, senior management would rather invest in opening a new store than in purchasing an encryption solution to secure their existing infrastructure. For them, PCI is viewed as a necessary evil: many retailers are simply trying to check the compliance box instead of embracing the business benefits that PCI compliance can bring.

Is there value beyond just checking the box?
PCI compliance efforts deliver significant value beyond the immediate data protection benefits. As part of becoming compliant, many retailers are being forced to rethink their systems, data paths, security models, networks, and policies. Fully addressing PCI requires solving these hard process problems, and this is an opportunity to build a strong operational base (making you competitive and agile) for the future of the company. As a result, working towards PCI compliance can increase both revenue and profit.

I see PCI (and so do many retail technologists) as today’s Y2K for retailers. Over the past 10 years, many companies have benefited from their efforts to address the Y2K bug. Y2K catalyzed massive investment in IT infrastructure that improved corporate processes and facilitated more efficient relationships with customers. The similarities between Y2K and PCI initiatives are striking. I believe the benefits will prove to be similar as well.

IT funding exists within many retailers to address PCI challenges. Retailers that take PCI compliance seriously and implement deep operational changes will reap many benefits. Those who view it as an exercise to pass an audit are missing a huge opportunity.
