The race is on between companies that secure retail networks and hackers who compromise payment-card data.
According to the 2007 benchmark study conducted by Retail Systems Research (RSR), nearly 50% of retailers surveyed were in compliance with the Payment Card Industry’s (PCI) standards and regulations. That represents a pronounced increase from the 2006 study when only 28% met PCI compliance.
The RSR 2007 study revealed that the size of a retail organization influenced the degree of compliance, with mid-size retailers running ahead of the larger, Tier 1 retail companies that were, for the most part, still working toward compliance.
Challenges associated with compliance also varied with the size of the organization. A majority of the Tier 1 retailers, 58%, indicated that developing and maintaining secure systems and applications was the most difficult aspect of PCI compliance. For 64% of mid-size retailers, the greatest challenge was tracking access to their networks.
These statistics, shared during a recent Webinar co-hosted by Chain Store Age, RSR, Trustwave and AirTight Networks, led to a discussion of how retailers can best achieve PCI compliance and secure networks in a wireless world.
Convert C-level executives: It would be hard to find a retail executive unfamiliar with the infamous TJX Cos. data breach, at least some of which resulted from an unsecured wireless network, and the staggering casualties that ensued, including some 94 million payment-card accounts compromised and liabilities that will likely exceed $4.5 billion.
Despite this toll, the RSR report revealed retailers perceive PCI compliance as having more benefit for technology than business performance.
“Only 29% credited PCI compliance as having ‘great value’ for their company,” stated Steve Rowen, partner, RSR, Boston.
Rowen’s suggestion was to elevate the discussion from the IT department to the boardroom, so decision-making executives might develop an appreciation for the value of compliance. However, he cautioned, “Focus on the business drivers, not the technology.”
Additionally, retailers need to understand that compliance with PCI requirements, although a necessary and logical starting point, does not in and of itself create a secure network.
Identify vulnerability in existing processes: Ironically, even executives who reco