Pci Dss: Is It Worth It?

By Author: Hugh Springer
Total Articles: 4762
Comment this article

Since the TJX security breach became public in 2007, "security" has been the mantra for the e-commerce community. The retail giant-which runs T.J. Maxx, HomeStores and Marshalls in the U.S. and other stores around the world-lost tens of millions of customer credit card records in 2005 and 2006 and suffered losses in the hundreds of millions of dollars. All this occurred, it turns out, because of a single unsecured wireless network in one store. The PCI DSS (Payment Card Industry Data Security Standard) was designed to foil this kind of attack, but has a wider mission, too.

Besides the tremendous damage done to the company's finances, the various losses incurred by its customers and the remedial efforts that engaged an entire industry, TJX suffered a serious blow to its reputation and brand names. This was, after all, a large, powerful, international retailer that was assumed to have first-rate security. It "should" have been safe to use a credit card at any of their stores, in any country. It wasn't. Why would customers risk giving the company their credit card information again? How could these kinds of losses-of revenue, ...
... reputation and credibility-even be quantified?

"Community" standards?

The TJX breach and subsequent move to develop better security measures, both preventative and remedial, have had several unexpected results. Among other things, it became acceptable to speak of "the greater good" -which, in business, can be a very controversial topic. Businesspeople typically resonate with such terms as "innovation," "positioning," "branding" and "innovation," concepts and strategies that are competitive in the extreme at times. Developing standards for the "retailing community" seemed, to some, to be at odds with a business's primary mission, which is to make money for its shareholders, period.

To coin a phrase, perhaps that "period" needs to become a semi-colon, and allow for some measures that leverage the reach of an entire industry find a broad-based solution to a tangible threat. Make no mistake, the threats are real and the paranoia caused by the TJX hack attack is spreading like a viral e-mail scam. There are more companies smaller than TJX than larger, and the CEOs and CIOs of these firms have to wonder, If it can happen to a big shot, doesn't that mean it can happen to me, with even worse results? If it happened to TJX, couldn't it happen to Wal-Mart, Chase Bank and anyone else, regardless of size?

How do you measure trust?

We live in the Digital Age, where we send personal and financial data around the world at the speed of light, where card-not-present transactions are becoming the standard model and where consumers expect to be protected. The first two observations here are good for the credit card industry, but when the expectation of security goes unmet, it becomes an issue of trust. Any damage to the payment card industry's reputation for trustworthiness, safety and security is a very bad thing.

It is not only bad for the industry, of course, but for every company that is struggling to succeed-in a booming economy or a recessionary one. It's hard to measure trust in an abstract way, but it is clear that system breakdowns like the TJX incident do tremendous damage to every company that is part of that system.

PCI DSS to the rescue?

The five major credit card firms designed the PCI DSS to define, implement and guarantee a certain level of security for all payment card transactions. Within the 12 different requirements in the PCI DSS there are more than 200 individual security controls and protocols. The Payment Card Industry now requires every company that is processing, transmitting or storing credit card data to be fully PCI compliant.

Like any other mandate, of course, PCI compliance does not happen with a snap of the fingers, and adhering to the security measures-and revising or devising systems to implement them in the first place-can take a serious investment of time, money and expertise. Is it worth all the time and expense? Are you capable of giving PCI DSS compliance your attention when there always seem to be other problems demanding solutions? How important is it?

Call it "mission critical"

The situation will not improve by itself. When you have a problem of this magnitude staring you in the face, the only time to take care of it is "immediately." There are plenty of arguments you can make (to yourself, if you're the boss) to put off compliance, to take it slow, to put it down the to-do list a few numbers and otherwise procrastinate. After all, it hasn't happened to you, and you're not responsible for everyone else.

Concepts like the "greater good" and "retail community" just don't seem to have a place in this kind of thinking. However, that is classic "short-term" and selfish thinking, when this problem cries out for a long-term, cooperative solution. It is important that consumers feel safe in today's retail environment, which is a mission-critical issue for every business. By definition, an "environment" is quite a bit larger than any one merchant-and even if you are never hacked, you'll be out of business if the system crumbles around you. A safe, global retail environment is only possible when every company is PCI DSS compliant.
About Author:
At Card Processing Pros.com we provide merchant credit card processing services and debit card processing, literally setting up hundreds of clients per month to process card payments for storefront, Internet and phone/mail order-based businesses. We also offer services in electronic check and gift card processing. Visit online today.