StorefrontBacktalk

NRF + PCI = CIO Job Security

Written by Walter Conway

January 14th, 2010

For retail CIOs, this is the worst of times and it is the best of times. It may be the worst of times because the emergence of smartphones at the POS, the increase in the amount and availability of customer data, and the growing tokenization and end-to-end (E2E) encryption options may have CIOs (and their QSAs) reaching for the aspirin bottle. On the other hand, it may be the best of times because the CIOs who can address these challenges will be rock stars in their companies.

At the National Retail Federation (NRF) show this week, several vendors were pitching payment card readers (and other peripherals) that could attach to a smartphone, thereby converting it into a POS device. Some of the readers are already PCI PTS approved. With one of these and a Blackberry, merchants can move the POS from a fixed counter to anyplace inside – or even outside – their stores. And the best part is that merchants can have this wireless capability for a price far less than current wireless POS devices offered by most manufacturers. PCI Columnist Walt Conway can think of several merchants he works with that will be looking at these devices very seriously. But, he argues, the PCI implications are complicated.

This Story Is Only Available For Premium Subscribers. Click Or Login In Below To Read The Rest Of This Story.

Already a Subscriber? Login Here

Username
Password
Login
Forgot Your Password? \| Site License

Pages: 1 2

Posted in IT Strategy/Industry, Payment Systems, Premium Content, Security/Fraud

One Comment | Read NRF + PCI = CIO Job Security

Mark Bower Says:
January 15th, 2010 at 3:58 pm
A nice summary. NRF was certainly buzzing around true End-to-end encryption and tokenization. We’re not taking point to point. End-to-End is from swipe to acquirer, and/or swipe to PAN dependent merchant system – something only possible with new approaches I’ve mentioned here in the past.

What was interesting to me was seeing the contrast in the efforts of various approaches being tried. Some merchants we met for the first time had been struggling for 2 years already or more trying to achieve this and still stuck in pilot with older style tokenization and legacy encryption which struggles when it comes to the change impact in legacy hardware/software and when taking into account critical back office functions like velocity checking and fraud investigations, e-discovery etc. When I described how we’d already taken Tier 1′s through this to PCI compliance in a fraction of that time with Format Preserving Encryption there was a lot of excitement – these new approaches avoid exactly the change impact they were struggling with in integrating encryption and tokenization into the complex merchant legacy environment and processes.

Another highlight for me was how many merchants really do see the need to go well beyond PCI DSS which as you note is falling behind the fast path merchants are heading in new areas like mobility – what a hot topic at NRF! Merchants not only want to explore new payments acceptance like mobile, but want to also cover employee data, partner communications, and other privacy regulated data in a single swoop. Of course, our conversations drift to those areas as we solve those challenges too with our overall data protection platform – but it was striking nonetheless. The concern being what’s the point of investing several million in PCI compliance and focus just on credit card data and and leaving equally sensitive data at risk – SSN’s, Tax Data, competitive strategy information, HR data on vast numbers of past and present employees in a very high staff turnover business.

So from uplifting show at NRF I see 2010 being one of not only E2E and Tokenization in the payments side, but solving the big picture – sensitive data organization wide. That’s where the real ROI will be for merchants in data protection investments. No point being the front page breach news if your systems are compromised and all your employee data is exposed – its the same reputation and brand damage impact.

Readers, specifically those who want to comment on a story:
Our Comment SPAM system is getting very aggressive these days and has been blocking legitimate comments. If you post a comment and don't see it appear within 2 hours or so, can you please send a heads-up to customer-service@storefrontbacktalk? Ideally, please include the time you posted the comment. That will allow us to try and hunt for it. Thanks! P.S. We're working on fixing the system, but we don't want to lose any valuable comments in the meantime.

Weekly, Monthly Newsletters

Quickly catch-up on the latest in E-Commerce and Retail Tech with our free weekly report, with urgent bulletins as news merits—along with our monthlies on Mobile, Security, In-Store, E-Commerce and CRM.

Kindle Convenience - StorefrontBacktalk is now available natively on the Kindle so you can read us on the place without a connection.

Read StorefrontBacktalk's Retail Realities Column every week at CBSNews.com. Please click here for an archive of those columns.