Is PCI Compliance a Ticket to the Boardroom?

The Payment Card Industry Data Security Standard (PCI DSS) is old hat, at least when it comes to how senior management thinks about it. They’ve heard it all before. The standards have been around for five years and executives view PCI compliance as a necessary evil and something that is delegated to the security team. But here are some PCI-related issues that should be of interest to senior management, and they may require you to make a trip to the boardroom.

* Connect PCI compliance to fraud and risk management. Even though one of the original justifications for introducing payment security standards was to reduce fraud, it’s almost impossible to find any organizations that can demonstrate that all the security spending has actually resulted in fraud rate reductions. It’s not just that causality cannot be proven, it’s that the data simply isn’t being collected and the PCI project teams rarely even include the people who investigate, measure and manage fraud.

To remedy this situation, the PCI Knowledge Base has partnered with the Merchant Risk Council to investigate and measure the connection between PCI controls and fraud. We believe this is exactly the kind of information that executives need to see, since it will connect IT security spending to the bottom line. The results of this research are due the end of this summer, so stay tuned.

* New sales channels: Secure mobile payment. Nothing excites upper management like new sources of revenue. So being able to sell products and services to consumers as they play with their cell phones, iPhones, GPS devices and other PDAs is both trendy and new. However, all these payments have to be secured, which is where PCI comes in. It is important that executives understand how payment security impacts this new revenue stream, both from the perspective of what devices to use, as well as how the new payment systems and providers can be integrated with existing sales channels and applications. Most boards would welcome a tempered presentation on how to effectively secure and integrate the mobile payment process into the business.

* Reducing risk and cost by payment outsourcing. CEOs, treasurers and board members are concerned about risk management. In general, they recognize that collecting and retaining confidential data creates risk. PCI fines and compliance mandates flow through the CFO or treasurer and may be discussed in board meetings. These days, more and more merchant banks and card processors are pitching the concept of payment outsourcing to financial executives, so that little or no cardholder data is stored within the merchant and has to be protected. While senior management knows they cannot outsource liability itself, the idea that payments and payment data management can be outsourced, thus reducing PCI compliance scope, is becoming attractive. A presentation of the pros and cons of such a strategy is definitely boardroom worthy.

* Security breaches impact brand value. As boardroom pitches go, this one is pretty tired. It is important to “stay out of the paper” by spending the money needed to avoid security breaches, but it turns out that TJX and Hannaford Bros are still in business. The millions of dollars they had to pay may have hurt profitability, but the overall brand damage has not been appreciable. Fear appeals are important so upper management doesn’t become complacent, falsely believing that PCI compliance eliminates the risk of breaches, but don’t expect this type of appeal to result in lots more project funding.

In conclusion, if you are interested in any of these topics or want to discuss these issues, please visit the or just send us an e-mail at

This story, "Is PCI Compliance a Ticket to the Boardroom?" was originally published by Network World.

Copyright © 2009 IDG Communications, Inc.
