payments - Retail Systems
RS 38 | June - July 2012 | roundtable
AJ: In the education process is that listed as one of the areas retailers should look at?

CP: Yes, but perhaps there hasn't been enough emphasis on it. When you look at the guidelines for PCI on the council website it goes through the details, but I think it's probably one of the details that hasn't been brought up sufficiently. If you're talking to a supplier who's perhaps doing something internationally, their data centre in Phoenix, Arizona, is compliant, but they may have a data centre here in the UK that hasn't gone through compliance. So as a merchant you need to know which data centre your data will be going to and whether or not it has been assessed. That's the beauty of the attestation. If you look at Phoenix Networks and Semafone and the detail in which they've been assessed, that's how you know they're the right partner for you as a merchant.

CN: It's probably worth saying that the level one, level two service provider – level two is only processing up to 300,000 transactions a year. So do you really want to be putting your business in the hands of a company that's only dealing with 300,000 transactions a year? And they are the ones who are allowed to self-assess. You want to be dealing with level one service providers; level two is just too much of a risk because you're just back to ticking boxes again.

AY: Fraudsters are very clever, aren't they? They know that level one and level two have probably got it sorted and so they'll go for the weakest link. Recently Alan and I spoke to various trade bodies, the retail motoring industry, the association of convenience stores and several others. We found that now is the time to get that message out there to the wider audience about outsourcing and the importance of PCI, because that's where the breaches are going to take place.

MG: But only if we do it using language that they will understand.

GT: And they probably need to understand what outsourcing is, because outsourcing isn't like taking a call centre and giving it to somebody else. It's like using a service that ensures you can continue to use your own contact centre except you're not bringing any card data into your organisation. So we even need to be clear about what we mean by outsourcing because it could be totally misunderstood. Merchants might think they have to outsource all their IT to a separate business because that's how they use the term within their own environments.

CP: I think that's a very key point because when you look at solutions that are available, a number of them bring the card data into the environment; therefore you're left with the expense and worry of having to protect all that data. Whereas there are other solutions where the data never comes into the environment. And that's key because if you're looking at the cost of compliance, especially as you go down the food chain, you have to be conscious of the ongoing costs because it isn't a one-off solution. Especially in the level one group that I chair, we talk about the importance of establishing what level everyone is at. Of the 35 merchants in my group there are five who have been compliant since 2010/11, but at the meeting on 6 March almost all of the rest of the group said they would be compliant by the end of this year.

SB: There is a perception out there that PCI compliance is a very hard thing to achieve.

CP: And there's a perception that it's simply a one-off job. But it's not, it's continuous. That's why outsourcing is so important; it means retailers only have a limited amount to do. You never get rid of the SAQ; there's always an SAQ of some sort which obliges you to be secure in the important areas.

GT: It's very interesting looking at North America now because the merchants started this journey so much earlier than us. Most of them have already reached compliance and now they have seen the business-as-usual costs they are much more keen on the de-scoping issue. So it's very easy for them to justify taking that card data and removing it from their environment. The challenge in this market is that PCI kicks off a whole load of other projects: it kicks off a network project, a desktop project, a CRM project, a telephony project. And everybody gets their budget and goes on their journey without looking at the holistic card journey. The problem with that is all those departments have been wanting to buy a whole series of tools forever and then PCI comes around and they think: 'Hey, I've got a budget to buy exactly what I wanted to. We should have invested in that years ago, that's good information security.' And so everybody goes and spends their budget on that instead of questioning whether they really want card data in their environment.

CP: One of the key things to take away from this is that you can manage without data. My experience with the Post Office proves that. Retailers should be limiting the scope by keeping card data and personal data in one particular area so it can be easily protected. This is not about abdicating responsibility. You can't build a business case on protecting card data, but we should all be responsible for protecting personal data for our customers. Anyone who has data has a responsibility.