PCI And The Circle Of Blame: Page 9 of 11

There are significant flaws in the PCI system as it stands. But for CIOs who want to tighten security, it can provide leverage to fund new investments or serve as the impetus to adjust business practices or revise security processes. "We've always valued customer information and protecting customer info," says the CIO of an outdoor clothing retailer. "It's just that operationally, some things got easier if we were looser." He says PCI provides the incentive to tighten up certain business operations.

And many Level 2 and lower merchants do take self-assessment seriously. Church's Stukalsky says a team of six IT staffers spent three to four weeks reviewing the questionnaire. They also hired a QSA, which isn't required by PCI rules, to help identify where changes needed to be made to IT systems and processes. Church's has about 1,200 U.S. restaurants.

Stukalsky says the company revised its password policies and became more aggressive about applying software patches. He also says that recent investments in point-of-sale equipment and new network connections for the restaurants, which the company had undertaken before the PCI requirements took effect, went a long way toward smoothing compliance.

Merchants complaining the loudest may be the ones that need to put the most investment into modernizing their infrastructures and managing customer data. "I'm not sympathetic with organizations that whine because they obviously haven't put a good security structure in place," says PayPal's Barrett. "If you're using old, outmoded technology that can't protect data, I'm not sure it's appropriate for you to take custody of that data."

WHAT'S NEXT?

There's no question that concrete steps must be taken to protect credit card account data, and at the moment PCI is the best effort, despite its flaws. Here are some ways those concerned with security can work to improve the system.