Who's in charge?

Another PCI deployment hurdle is the "Who's in charge?" debate. Hotka said that issue came up repeatedly as her organization tried to identify the proper people to meet with. It was very difficult "to locate the correct people within each company. I think we found a total of four people (within retail) who had the title of chief information security officer," Hotka said. "Many people had the CIOs in charge, there were VPs of architecture, directors of application development, there were compliance folk. In some cases, the right person to talk to was the loss prevention person."

For many retailers, executives do a knee-jerk point to the CIO's station. "Some companies will point, just by default, at the CIO and say, 'Oh, the buck stops there,'" Hotka said. "But the CIO in fact may not know anything about this and is the person who just signs something periodically."

Rasch commented that the responsibility confusion is especially ironic, given that it's one of the few areas where PCI guidelines are unusually explicit. "One of the things that PCI requires is that you have an individual responsible for information security," he said. Rasch argues that the way the PCI guidelines are written is not the problem and that significant wording changes could easily make the situation worse. "If you were to write them even more explicitly, that would create even more problems. The PCI standards are intended to be just that: standards and guidelines of good behavior. If you get to too much of a level of granularity, then you're going to get into some really difficult problems where they just don't work in the real world," Rasch said. "So they're intended to be fairly high-level reasonable standards of things to do. The problem is that if they're too broad and too general, you can't audit against them and you can't certify compliance. If they're too detailed, they don't work, so there has to be a balance between them."

How, then, do the problems crop up?

"What happens is the auditing firms and the people who do assessments against PCI standards come in and there's a certain amount of interpretation that they have to do to say, 'This is a good program and this is a bad program,'" Rasch said, adding that the only response is for a retailer to prove that adequate compensating controls are in place so credit card transactions are, in reality, not in danger. What is a retailer to do if an audit firm says a reasonable, legitimate business practice is against the guidelines? "What you do is you go find another audit firm and you demonstrate to that audit firm that you have adequate compensating controls," Rasch said. "And if it really becomes a violation of PCI, then you've got to go back to Visa and MasterCard and say, 'Listen, we either need an exception or we need the rule changed because this is not a genuine threat. It's not a real threat to payment information and we should be allowed to do this.'"

Another panelist at the audiocast was Jupiter Research analyst Patti Freeman Evans, who has worked extensively with retailers on PCI issues. "It was very hard to understand what the compliance really meant and what it meant to our systems and procedures," Evans said. "And then, once we got a grasp on that, then we had to understand how long it would take us to comply, what the costs were going to be and then how we could make a case for it. Well, here's the reporting. At least we're reporting that we're not doing it right. At least we know that we're not doing it right and we're making some reasonable effort to actually get there." Evans then asked fellow panelist Rasch whether that was how most retailers were handling PCI issues. "Oh, if only they were up to that standard," Rasch said. "Right now, people are circling and dancing around PCI. The large retailers are starting to do assessments to see where they are and put plans in place to become more compliant. The smaller merchants are saying, 'PCI? What does that stand for?'"

Retail Center Editor Evan Schuman can be reached at Evan_Schuman@ziffdavis.com. Check out eWEEK.com's Retail Center for the latest news, views and analysis on technology's impact on retail.