The Green Sheet Online Edition
July 09, 2007 • Issue 07:07:01
PCI compliance: A brand builder, not a burden
Talk to any merchant who's trying to comply with the Payment Card Industry (PCI) Data Security Standard, and chances are you'll get an earful: It costs too much, there's no clear return on investment, it's hard to implement and more.
Foot-dragging on compliance by merchants of all sizes has been the order of the day since the first version of the PCI Data Security Standard was released in December 2004.
Statistics released by Visa U.S.A. earlier this year show today's compliance levels range from just 35% for the largest (level 1) Visa merchants to 51% for small to mid-sized (level 3) companies.
Even though Visa has put a positive spin on the numbers, citing, for example, an increase in level 1 merchant compliance from 18% last year, this can hardly be called a stampede.
Of course, getting a company up to speed with PCI is a monumental task. But last December's incident involving The TJX Companies Inc. (the largest known data breach with 45.7 million consumer accounts compromised) is a strong indication that the data breach/identity theft epidemic isn't going away soon.
That means we can count on increased information security-related legislative efforts. The Texas House of Representatives' move last month to turn PCI compliance into a legal requirement (HB 3222) is only the tip of the iceberg.
If the bill passes the Texas Senate, which looks very possible given the 139-0 vote it garnered in the House, look for a rush of copycat legislation in its wake.
Now that you've convinced your merchants that PCI-compliant data security is inevitable, how can they "make lemonade" out of all these onerous requirements? There is an often overlooked way to do that: It's the old-fashioned axiom to accentuate the positive.
Just for a moment, put aside the FUD (fear, uncertainty and doubt) about security risks typically waved in front of merchants to nudge them into ponying up for PCI compliance: fines levied by the card brands through the acquiring bank, Federal Trade Commission enforcement actions over lax data security, negative press, ejection from the Visa/MasterCard Worldwide universe and so forth.
Not that these aren't substantial risks - they absolutely are. And they need to be weighed seriously in any retailer's information security plan. But among all the sticks, there's also a rather large carrot: security as a brand builder.
In security we trust
When it comes to processing payments, security sells. That's because security builds trust, and when a retailer handles my money (or information that allows access to my money), I'm not going to have a warm and fuzzy feeling about it unless I trust that the merchant has taken the appropriate steps to keep it from being stolen.
The banking industry has known this since the Medici family set up its first bank in the 14th century.
If you want to be impressed by how secure a money handling facility can be, visit Fort Knox or one of the data centers operated by MasterCard or Visa (actually, you probably can't visit them because they're too secure).
It's not a coincidence that many financial institutions include the word "trust" in their company names and that their industry spends more on security than just about any other. The nontrivial amount of money these organizations generally make is directly and deeply linked to the security they deploy.
Slippery money morphing
What is new is that e-payments and the Internet turned "money" from pieces of paper and metal into bits and bytes that can be stored, copied and beamed to the other side of the globe in seconds, and on a massive scale.
The number of individual parties with access to large quantities of sensitive consumer data rose dramatically, and the opportunities to commit fraud rose right along with it.
Merchants have newfound access to all this tempting data, especially those who do business online. In the old days, handling customers' money was a lot easier: Take their cash, check or credit card; put the paper in the register; and take it to the bank the next morning.
Sure, there were security issues. Merchants could get robbed on the way to the bank, or an employee could divert some of the checks, wash them, and deposit them into a personal bank account.
But the risks were all relatively small: In most cases retailers were only out the face value of the individual bills or checks stolen. In addition, money was bulky, and unscrupulous help had to find a safe place to hide it.
Now an insider can hide thousands or even millions of account numbers in a single encrypted file on a server in Romania. (The records were easy to steal: nothing on the merchant's server was encrypted. And the merchant didn't learn of the theft until news of it hit the papers, because the original records were left unaltered; the thieves simply copied them. Unlike cash, stolen data leaves the original in place, so the absence of missing records is no evidence that nothing was taken.)
Guardians taking wing
Today, as a result of computerization and networks, merchants have become money custodians in a way that's much more akin to banks than to the paper-based merchants of the past. And, as they do with banks, consumers entrust merchants to keep their confidential account information safe and secure.
In the electronic world, a million account numbers are a million account numbers, no matter who happens to be storing them. However, while safeguarding customers' money is a core business of all banks, for most merchants this is only a means to an end - a way to facilitate the sale.
The advice for merchants here is to start thinking and acting more like banks. In other words, give top priority to securing sensitive personal data. Then, once strong security is in place as evidenced by PCI compliance, fold it carefully into marketing messages.
Merchants must be careful here, because trumpeting how secure a shop is tempts fate and invites attackers to test the claim. They should speak to their commitment to security and cite the kinds of measures in place, without revealing details that would help cyber criminals, and without overstating what compliance means: a PCI assessment attests to the state of controls at the time it was performed, not to perpetual immunity from breaches.
Every time a new data breach or case of identity theft hits the evening news, consumers lose some of their confidence in shopping and paying electronically. That, for certain, does not help make sales for the majority of merchants who haven't stepped up to industrial strength data security.
At the same time, it creates a distinct competitive advantage, as well as a branding opportunity, for the minority who have. Some savvy merchants have already discovered how well security sells. The avenue to get there is PCI compliance.
J. David Siembieda has been the President and Chief Executive Officer of CrossCheck Inc., a national check approval and guarantee provider, for over six years. He has more than 16 years of experience in the check services field. He serves on the board of directors for the Electronic Transactions Association and the Wells Fargo Center for the Arts. He is also Chairman of the Board for the Heritage School in Petaluma, Calif. He is Chairman of the ETA's Membership Committee and is also a member of NACHA's Electronic Check Council. Dave was recently chosen by the North Bay Business Journal as one of the 40 under 40, a list recognizing exceptional young professionals. CrossCheck, Inc. has been at the forefront of check authorization services and technology since its inception in 1983. For more information on marketing check services and CrossCheck, please call 800-654-2365 or e-mail firstname.lastname@example.org.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.