Long-term approach to PCI compliance
Payment Card Industry (PCI) compliance is one of the most significant issues confronting retailers, no matter their size, type of business or geographic location. Identity theft, fraud and misuse of credit card data are ubiquitous, given the advances of technology and the smaller world we live in. This forces the PCI regulators to enforce new sets of rules, and retailers to spend enormous amounts of money every year to be PCI compliant.
I feel that this problem is here to stay, and therefore retailers and PCI authorities should look at a long-term strategy which would be beneficial to both parties and, above all, to the end consumer whose identity and finances are at risk. I suggest coming up with a solution which does not require retailers to store credit card data in their database at all. Credit card data can be stored in large data centers managed by organizations which will adhere to strict PCI guidelines. This will ensure greater control over data security for PCI authorities and relieve the retailers of the burden of maintaining customer credit card data.
Credit card data is handled by retailers in two areas of their business process. First, when the retailers authorize the credit card during payment in stores or online. Second, when the credit card data needs to be retrieved. For example:
- during settlement transactions to actually charge the card
- during return transactions when the money needs to be given back to the customer
- when the credit card data is required by retailers for customer analytics.
Most retailers use some kind of encryption and decryption logic to achieve these objectives. This, however, requires the retailer to store the credit card information, encrypted or otherwise, in their own database.
During the payment process, retailers authorize the credit card. This requires the transaction amount and the credit card information to be sent to the banks for validation. Even though the credit card data is sent to the banks, retailers still end up storing the credit card data. I suggest that instead of storing the credit card data, retailers can store a unique identifier for the transaction. The actual credit card information, along with the unique identifier, can be stored in the data centers maintained by PCI certified organizations and can be controlled by strict PCI compliance guidelines. The unique identifier can be used whenever the actual credit card data for the specific transaction needs to be retrieved.
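As an added illustration (not part of the original post), a minimal Python sketch of the split described above: a hypothetical TokenVault holds the card numbers and hands the retailer a random token, the retailer's own records carry only that token, and a small Luhn-based scan shows how to check that no card numbers leaked into the retailer's database. The vault, the retailer and the test card number are all constructed for the example.

```python
import re
import secrets

def luhn_ok(digits):
    """Luhn check, used to separate card-number-like runs from other digit strings."""
    doubled = [int(c) * (2 if i % 2 else 1) for i, c in enumerate(reversed(digits))]
    return sum(d - 9 if d > 9 else d for d in doubled) % 10 == 0

def find_pan_like(records):
    """Audit helper: return any 13-19 digit, Luhn-valid runs found in stored values."""
    return [run for rec in records for value in rec.values()
            for run in re.findall(r"\d{13,19}", str(value)) if luhn_ok(run)]

class TokenVault:
    """Hypothetical PCI-scoped service: the only system that holds full card numbers."""
    def __init__(self):
        self._cards = {}  # token -> card data (an encrypted store in a real deployment)

    def authorize(self, pan, expiry, amount):
        # Bank authorization happens here; only the token and last four digits leave the vault.
        token = "tok_" + secrets.token_urlsafe(16)  # random, so it reveals nothing about the PAN
        self._cards[token] = {"pan": pan, "expiry": expiry, "authorized": amount}
        return token, pan[-4:]

    def capture(self, token, amount):
        card = self._cards[token]  # the PAN is resolved here, never returned to the retailer
        return {"status": "captured", "amount": amount, "last4": card["pan"][-4:]}

    def refund(self, token, amount):
        card = self._cards[token]
        return {"status": "refunded", "amount": amount, "last4": card["pan"][-4:]}

class Retailer:
    """Retailer database that keeps only the token, last four digits and amount."""
    def __init__(self, vault):
        self.vault = vault
        self.transactions = {}

    def sell(self, txn_id, pan, expiry, amount):
        token, last4 = self.vault.authorize(pan, expiry, amount)
        self.transactions[txn_id] = {"token": token, "last4": last4, "amount": amount}

    def settle(self, txn_id):
        t = self.transactions[txn_id]
        return self.vault.capture(t["token"], t["amount"])

    def refund(self, txn_id, amount):
        t = self.transactions[txn_id]
        return self.vault.refund(t["token"], amount)
```

Running find_pan_like over the retailer's records after a sale returns nothing, while the same scan over a record containing a card number finds it; that is the check an auditor would run against a retailer database that is supposed to hold only tokens.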
I understand that the above solution is easier said than done and requires significant investment by retailers, PCI authorities and the large corporations who own the data centers. It requires investment in technologies to have rock-solid secure channels of communication. It also requires resolving technological challenges to make the data centers foolproof against security threats. Issues such as customer analytics using credit card data would still remain and need to be resolved.
That said, I believe that if all parties involved partner to invest in and resolve the technological and process-related challenges, 5 years from now this investment would benefit everyone. Thousands of retailers will save on investing in monitoring their credit card data and complying with new PCI compliance guidelines every year. PCI authorities and credit card providers like Visa, Amex and Mastercard will have to manage only a handful of companies and their data centers instead of auditing thousands of retailers. It also opens a new area of business opportunities for the organizations maintaining these data centers.