Earlier this week, MasterCard officially (well, sort of officially) confirmed that retail chain TJX was not in compliance with Payment Card Industry rules at the time of the $16 billion retailers infamous January disclosure of a massive data breach.
The significance of this news is not the fact that TJX was not complying with the rules themselves. As former federal prosecutor Mark Rasch said: “Its hardly surprising that they werent PCI-compliant. Thats from the Department of Obviousness.”
Nor is it newsworthy that MasterCard opted to confirm the chains PCI-less state, although it is interesting. It might be a hint of the level of anger that many in the industry feel about the way TJX has been handling its crisis, coupled with a generous dose of CYA. In any other situation, its truly hard to envision the normally media-shy MasterCard going out of its way to publicly confirm that a retailer was not compliant. Officially, it merely confirmed that TJXs U.S. credit card transaction processor (technically: acquirer)—Fifth Third Processing Solutions—had reported to MasterCard that TJX wasnt PCI compliant.
No, the true newsworthy aspect of this news is how it illustrates the irrelevance of PCI today, when it comes to retail security. To say that PCI has achieved a toothless reputation today is being generous. Its akin to those home page declarations that a site has been certified as safe. It only provides comfort to those who dont think about it very much. PCI has become a Santa Claus entity: It only works for those who really want to believe and who are willing to conveniently ignore any facts that disprove it.
PCI certainly doesnt have to be toothless. It has provisions for serious financial penalties and for even banning a merchant from accepting credit or debit cards. But for it to be taken seriously, the credit card industry and retail industry must undergo a radical attitude conversion. Are MasterCards comments the first indication of someone trying? A tentative, toe-in-the-water, half-hearted try perhaps, but a try nonetheless.
The industry must not only use those fines and penalties, but it must do so publicly—very publicly. Were talking about a news conference every time a fine is issued, and fines need to be issued every week. The announcements must be explicit and specific, detailing for the world what the retailer did—or failed to do—and why. For some retailers, the humiliation and embarrassment associated with such a disclosure might be worse than the penalties and thats a good thing.
Retailers need a cost-benefit analysis that makes it worthwhile to heavily invest in security. They must constantly see what happens to companies that fail to comply and its critical that they must fear those consequences. Today, few retailers have that fear. Is the threat of rescinding a retailers ability to accept credit and debit cards a true deterrent if no retailer believes it will ever happen?
The next step is taking a much more strict position with PCI-compliance audits. The fact that the auditors in questions are paid by—and are given instructions by—the retailers being audited is the most textbook conflict-of-interest Ive seen in quite some time. Why not have the auditors working for the credit card companies or the banks? Why not give the auditors the ability to explore any and all systems, as opposed to just the ones the retailer wants examined? The rules were written assuming that retailers would want to know what was really going on. But what if some key managers with that retailer were deliberately retaining forbidden data, perhaps for a CRM (customer relationship management) project? Is that Auditor Fox guarding the Retail Chickens?
When the retail and banking industries want to take security seriously, they already have the tools to do so. Until then, please forgive us if were yawning at a multiyear-in-the-making data breach (which wasnt discovered for years). Its hard to get worked up about a retailer not taking seriously something that the banking and credit companies dont care about, either.
Retail Center Editor Evan Schuman has tracked high-tech issues since 1987, has been opinionated long before that and doesnt plan to stop any time soon. He can be reached at [email protected].
To read earlier retail technology opinion columns from Evan Schuman, please click here.