Thursday, December 6, 2007

Got PCI? Another aspect of data security and PCI, I did not know

Brian Kilcourse, managing partner at RSR Research, shared some interesting research data with us at the recent conference. It turns out the best-in-class retailers are lagging behind in PCI compliance. Hmmm… we agree that this does not make sense, and there were many conjectures as to why this is the case. A few of the reasons put forth: they know how difficult the process is and are taking their time; they don’t care about fines (the fines don’t make a dent); it is too complex for the leaders; etc.

My theory is this – retailers who are best in class have to be operationally best-in-class as well. They must have the best logistics and high-end analysis capabilities for a streamlined operation that lowers their costs (retail is a thin-margin game). As part of this, they have already built up best practices on how to handle data well and don’t see PCI as providing immediate benefits.

I suspect they all have looked at their environments from a PCI perspective. Some have concluded they meet many of the requirements and thus are not under imminent risk. Others may have decided they need to do some fundamental improvements and need the time to design and plan.

The common thread is this – these organizations are disciplined and don’t look at PCI as just a check-box. This approach is definitely the better one – make sure you have the right processes instead of just checks in the right PCI boxes.

1 comment:

Bryan Johnson said...

Manu - we work with merchants to help them achieve PCI Compliance and we've found what you're suggesting - wanting to take a methodical approach and make sure it's done right. Some larger merchants with old systems face some real challenges in meeting the requirements.