Leverage PCI to Creatively Transform Your Organization

Posted On January 22nd 2009, by Dave Mahr

It is impossible to keep your organization 100% secure. Perhaps one day there will be no incentive for attackers to penetrate retail systems. However, until the day comes when the financial institutions assume this responsibility, we must rely on ourselves to protect both our customers and our brand.

There is no "one size fits all" security solution for retailers, especially when trying to corral such a diverse group of individuals and variables as exist in the retail space. But following a standards-based program built on best practices gives us confidence that our actions are protecting us, or at least improving our situation. PCI compliance is an industry mandate rather than a legal requirement (the exception being the state of Minnesota, which has written parts of it into statute), and as a result it often takes a back seat to HIPAA and SOX.

In the best of times it is extremely difficult to achieve consensus from a diverse set of stakeholders, let alone in today's challenging economy where we are trying to "keep the lights on" and our budgets are continually under attack. It is common to see PCI-related investments treated as optional, relegated to the bottom of the list and "wedged in" by year end with the sole intention of achieving the compliance checkmark. Beware: investment and actions taken solely to be compliant will forever be viewed as a waste of effort and, once completed, will be subject to change when new rules are published. On top of all of these challenges, the majority of online merchants underestimate the time and budget required to reach compliance (Aberdeen Group, June 2008). So this is where we need to become more creative.

PCI enables us to reduce, prevent, and cope with fraud and security breaches. PCI DSS investments have undoubtedly improved our business processes, reduced costs by eliminating duplicate efforts, and given us a risk-management-based foundation upon which we can build. With this solid foundation in place, we need to build plans that extend these investments into opportunities that add innovation and revenue to our organizations.

How do we accomplish this?

First and foremost, understanding the business issues is critical when attempting to be proactive. Many of us have spent years building and supporting businesses, and that gives us a unique perspective and an opportunity to add insight to our organizations.

Document all of the potential funding budgets that exist across the people, process, and technology areas. Look for enterprise-wide opportunities to achieve compliance without having to buy new products. Financially architect the program to reduce duplication and make it self-funding. Look for features that can be "turned on", or modules that can be added incrementally. Build 1-year, 3-year, and 5-year views. Some budget areas to scour for funds could be:

  • Security: All aspects of keeping the environment current. Build as much awareness as possible of how security services support and accelerate business drivers.
  • Contractors: Can resources and technologies be redeployed as operational expense rather than capital expense? Or could some of the contractor resources be eliminated?
  • Software: Can you get what you need from an existing product, or from a company you already have a relationship with? Enlist the assistance of procurement; they may be able to acquire it for less than you think.
  • Maintenance: These budgets have probably been shaved to the bone, but an alternate sourcing strategy may still yield cost savings.
  • Risk Management: Is there a risk-avoidance measure that can be undertaken? Can it be funded from a special projects budget?
  • New Technology Budget: Are there funds earmarked for research, SOA, or a "slush" fund? Are any applications being "turned off"? Are there applications that should be retired? The 80/20 rule applies.
  • Different Geographies: For national or multinational organizations with distributed decision-making, there may be an opportunity to "pool" funds.
  • Business Partners / Suppliers / User Groups: Can purchasing be grouped? Can investments and innovations be shared?
  • Marketing Budget: What new enhancements are being requested? Branding? Are there new programs, or a desire for a more responsive environment?
  • Education Budget: Do your employees want training or certifications in any of these areas? Can you get more support from vendors who want you to use more of their products?

Once you have some ideas to investigate, approach the business leaders or innovators and garner their support (if you need help identifying them, look at who is asking for new enhancements to the systems and who seems to get the funding). Go as high in the organization as you can and form a committee with executive, financial, operational, and technical expertise.

Have the fortitude to stay the course. Even when a good plan or idea has been documented, day-to-day activities will get in the way. A big challenge is that security incidents and policy violations occur at random, often with such potentially devastating consequences that we forget about strategy. When a breach occurs, we need to raise awareness of the issue and then adopt the processes and environment needed to prevent similar situations in the future. Be prepared, and have clear goals with accountabilities; this will keep you on track.

We all know that reacting to a security breach is far more expensive and time consuming than proactively investing to prevent one in the first place. Attacks are becoming more complex, and attackers are now targeting smaller organizations. Keeping systems and policies up to date is a "no brainer", as this will avoid many security breaches. Staying informed about high-risk areas (wireless, new programs, etc.) is also critical.

PCI DSS version 1.2 will focus activities in three areas: wireless transmissions, payment applications, and penetration testing. New guidelines are also expected to clarify the handling of paper copies and card imprints throughout their life cycle, which will challenge retailers in many new ways. The familiar pattern will repeat: people will underestimate the time and resources required to achieve compliance, and even after all the effort, the yardstick for being "secure" will be moved again.

So before we get frustrated on realizing that what the experts have been telling us differs from what the auditors say, or before we make the mistake of assuming that passing an audit means we are compliant, we have to fall back on making decisions based on best practices (PCI DSS) and applying our knowledge of the business. If we are fortunate enough to glean insights into how we can transform our organizations to make them more secure, this may loosen resource constraints and enable us to add even more value to the business while, at the same time, keeping the bad guys away.