StorefrontBacktalk Industry News Brief



PCI: It’s Not Just For Payment Anymore

Written by Evan Schuman
February 14th, 2008

As retail CFOs begrudgingly approve extensive dollars to help with PCI accreditation efforts—even though many IT departments are using those dollars for projects that primarily have little to do with security—many are discovering that a program designed to protect payment data will also do a fine job at protecting almost any other kind of data.

With CRM systems trying to interact with Web analytics, mobile databases, purchase and returns histories and tons of other non-payment databases, the amount of non-credit-card data that is at risk easily dwarfs Visa transactions.

The same common sense guidelines that are the soul of PCI—dealing with wireless, encryption, knowing what you’re retaining and retaining only what you need—can be widely extended. But the same checklist mentality that is PCI’s weakness also pigeonholes PCI into only being used for payment, which is silly.

As much as the amount of data collected by retailers has soared in the last 15 years—coinciding with the emergence of the Web, which made retailers discover the much older Internet—that’s a footnote compared with the data expansion likely to visit merchants in the next three years.

Why? Merged channel, mostly. As retailers mature beyond multi-channel into cross-channel and then into the final phase of merged channel, two things are going to have to happen.

First, every one of those channels will have to clean up its digital record-keeping act. For example, call center personnel will need to take extensive notes about every conversation and save them into the system, so that they can later be accessed by their in-store and online counterparts, let alone other call center people. In-store associates will have to get used to entering notes into a database after every in-person customer interaction, too.

Secondly, those files will have to be made homogeneous, and then the floodgates will open for data-sharing. From the IT perspective, that is going to increase customer-specific data by an order of magnitude.

This data will be highly desired by cyber thieves and merchant rivals (there’s a difference?). Conveniently, the same rules within PCI will protect everything else. But to make it work, it’s essential to put those systems and rules into place now, before the next tidal wave of data.

It will be hard enough keeping up with that new data without having to also learn new privacy data-protection rules. Checklist security is far from ideal, but as an organizational guideline for merchants about to enter a very disruptive data period, it’s actually not a bad start.

