From The Editor | April 13, 2009

Lessons Learned From Q1: PCI Compliance, The Recession, And What Lies Ahead

Without A Queue

By John Roach, Editor, Retail Solutions Online

Retailers reeled from a devastating 1-2 punch during the first quarter of 2009: an unprecedented data breach and the worsening of a historic economic recession. Here's a recap of the two, an analysis of their tremendous impact on retailers, and a look ahead so you can learn from both and plan effectively for the remainder of 2009 and beyond.

PCI Compliance And Card Data Security Take Center Stage

The Recap

PCI compliance, card data security, and the damages arising from data breaches temporarily topped retailers' list of worries in January when Heartland Payment Systems announced that hackers had infiltrated its system. The incident compromised up to 100 million payment card transactions and 250,000 businesses, becoming perhaps the largest data breach ever reported.

The Impact

For retailers, the potentially devastating financial losses and questions of liability still linger. "Everyone is looking and hoping they're not the next victim, and trying to figure out what they can do to make sure a security breach doesn't happen to them," Protiviti's Scott Laliberte, a managing director with the company's Global Information Security Practice, told me.

Retailers aren't alone in looking for solutions. At a U.S. House of Representatives hearing on March 31, lawmakers and retail experts challenged the effectiveness of current PCI Data Security Standards (PCI DSS) regulations. "If we care about keeping money out of the hands of terrorists and organized criminals, we have to do more and we have to do it now," said Rep. Yvette Clarke (D-N.Y.), chairwoman of the subcommittee of the House Committee on Homeland Security, as reported in Computerworld's story, "PCI Security Standard Gets Ripped at House Hearing."

The Future

Most retailers would prefer not to store cardholder data (CHD) on their POS systems but must under PCI DSS rules. An alternative approach that's gaining momentum — as a result of recent breaches and what's seen as the overly complex nature of PCI compliance — is tokenization. This process collects and stores sensitive CHD in a centrally secure and PCI-compliant repository, assigns a token to reference each transaction, and replaces the CHD in all points of entry and point of sale payment applications with this token.

"If there is no cardholder data in the picture, PCI is very manageable and compliance will be within reach for many of the smaller and mid-sized merchants that make up the backbone of our U.S. economy," noted Randy Carr, VP of marketing for enterprise payment solution developer Shift4, in an e-mail to me. He also pointed out another potential benefit of tokenization: "Part of what the card brands charge is for the risk of loss and theft. If we fix that, they will have to charge less."

Carr says his company has taken steps to advance tokenization with its 4Go SecureSuite, which sits in front of the POS application and produces a token that is passed to the POS system. As a result, the POS system doesn't handle real card information, only tokens, which cannot be decrypted and are therefore useless to anyone outside of the system. "The next wave of security discussions will be about new solutions that intercept the data before it enters the POS system," Carr noted. "If the data is not there, it can't be stolen."

"Tokenization is not a magic bullet, but it is helpful as a way to centralize card (and other confidential) data," PCI Knowledge Base founder Dave Taylor e-mailed me. "The technology has the same type of impact as outsourcing card processing — simply reducing the volume of data with fraud potential and the number of places it's stored. That still leaves a ‘central point of failure' risk, but the overall impact is a reduction in risk and compliance costs." Taylor says there are roughly six companies involved in tokenization now, with that number to double possibly by the end of summer.

What we've learned so far in 2009 is that the card data security and PCI compliance rules are evolving. The credit card companies and Congress are searching for answers, so the more advanced technological alternatives you can explore that make the protection of your customers' data the first priority, the better your chances at being prepared for the future.

The Retail Economy Worsens

The Recap

The retail story of 2009 so far, of course, is the recessionary economy and its impact on the industry. In March, U.S. retailers cut 47,800 jobs, making it the 14th straight month of retail job losses, according to the Labor Department. Retail job losses have accounted for 13.2% of the 5.1 million U.S. jobs cut since January 2008, according to the Associated Press. Nationally, the unemployment rate rose to 8.5% in March, the highest since late 1983.

President Barack Obama's $787 billion economic recovery bill, passed in mid-February, aimed to soften the longest U.S. recession since World War II (now in its 17th month) through a series of spending initiatives. Retailers, however, were pessimistic about the bill's prospects, according to our online poll. More than 80% of respondents answered "no" to the question, "Do you think Obama's plan will work?" And only 15% thought the bill alone would help the economy. (Click here for the complete poll results, along with noteworthy comments from retailers on the bill.)

The Impact

In late March, the U.S. Department of Commerce issued a positive report that new orders for manufactured durable goods rose 3.4% to 165.6 billion in February, breaking a string of six straight monthly decreases. Similarly, seasonally adjusted retail sales rose 0.6% in February, the second straight month of growth after seven consecutive months of declines. That's all good news.

On the down side, the International Council of Shopping Centers estimates that 73,100 retail stores will close during the first six months of 2009, after roughly 148,000 shut down in 2008, the most since 2001. And early indications show lukewarm plans from major toy sellers and high-end merchants who have already begun to make their holiday shopping orders.

The Future

Federal Reserve Chairman Ben Bernanke told Congress in late February that, while the recession would continue to contract through the first six months of 2009, "there is a reasonable prospect" the recession will end this year. He hedged his prediction by saying a recovery would require the credit and financial markets to operate normally.

Others on Wall Street weren't as confident. "Our economists are not projecting a recovery until late 2010," J.C. Barone, executive director of JP Morgan's Credit Trading Desk, told me and others at a mid-quarter Vendor Compliance Federation summit. "This is different than past recessions because it's a lot broader and it affects more industries than ever before."

Forecasting is part of Devon Wolfe's job as Pitney Bowes Business Insight's managing director of Americas strategy and predictive analysis for retail. And what he sees for the remainder of 2009 isn't full of holiday cheer. "It looks," Wolfe told me, "like things should continue to get worse throughout the rest of the year."

So what can you expect when the government is saying one thing, analysts another, and reports are offering a contradictory mix of both? It seems that for the remainder of 2009, the only certainty is economic uncertainty.

Have a comment about this article? Let me know. Visit our blog or contact me at