What are PCI Best Practices: Saving Money or Improving Security?
|
|
I was speaking with the CISO at a large retailer yesterday about the PCI Best Practices study we’re doing for the National Retail Federation. One of his first questions was: “What do you mean by ‘best’ practices? Do you mean more security for less money, or more bullet-proof security?” After our lively discussion, I went back and looked at the more than 200 hours of interviews in the PCI Knowledge Base. It seems clear that most retailers are adopting one of two distinctly different strategies when it comes to data security and compliance. I’ve labeled them Cost-Effective Compliance (CEC) and Compliance-Driven Security (CDS). Both approaches are based on best practices and solid risk management principles, but they lead to quite different spending patterns, technology decisions and business cultures. Key questions include: Is one “better” than the other? Where does your company fit? What should you do next?

Cost-Effective Compliance (CEC): Despite its name, in practice CEC is not about being “cheap” or not trying to do security “right.” It is a very pragmatic strategy, in which IT and the CISO do not assume they have a blank check, and do not use PCI or the threat of breaches to justify buying more technology. Where I have seen the strategy be most prominent is where the CIO has a background in business management and works closely with the CFO, and both have a similar view of the role of IT. I know many retailers where merely having to comply with a law or standard is not enough to get a project funded, or to keep it funded. In these firms, project managers have to quantify the business value, threats and risk levels associated with each of the major PCI controls. The rationale is that for some “low risk” control areas you should spend just enough to pass, while for other areas a higher risk level or greater business value can justify “above and beyond” spending.
For SME retailers who can barely afford to spend anything on security, a “package” of security products or services that addresses the required controls is the very essence of a CEC strategy.

Impact of CEC on Security Decisions: A CEC strategy can be turned into a series of “rules” to help retailers decide whether to implement a particular control. Essentially, making CEC work requires little more than a classic rank-ordering of security projects based on the level of protection and compliance offered for the money. For example, data purging gets a very high score on a CEC ranking, simply because it costs almost nothing and results in large reductions in risk, liability and PCI scope while increasing compliance. Outsourcing, on the other hand, is really a shifting of risk from the IT department to Legal, Sourcing or Vendor Management. Considering that PCI DSS 1.2 is likely to mandate physical visits to service providers, the cost-effectiveness of security or payment outsourcing is actually going to be reduced.

Impact of CEC on Vendor Decisions: While CEC is not about being cheap, we definitely see merchants who practice CEC buying more open source security tools: not just any tools, and not just because they are “free,” but because their analysis of the risk and compliance ROI can only justify, for a particular control, a specific level of spending. We’ve talked to a number of merchants and service providers who have difficulty determining the cost-effectiveness of specific brand-name software or services. The result is that if they cannot justify the incremental cost based on value delivered or proven functionality, they will buy a less expensive product. We expect that in 2009 and beyond it will become harder to sell “compliance checklist” products or services, and that most decisions will be made on manageability and cost-effectiveness metrics.
Compliance-Driven Security (CDS): Dozens of retailers have told me that PCI helped them get the security tools they had been telling upper management they wanted for years. But this strategy goes well beyond buying new technology “toys.” In fact, the best uses we’ve seen of a CDS strategy are by organizations where a security architecture already exists. In these cases CDS becomes a unifying force for filling in any “gaps” in the architecture, upgrading existing products, and improving documentation and policy enforcement. Another value of a CDS strategy is that it can be used to help explain and manage “cross-compliance” issues, such as applying PCI controls to protect social security numbers or employee healthcare data.

Impact of CDS on Security Decisions: Merchants employing a CDS strategy typically use a giant spreadsheet in which PCI, SOX, HIPAA, PIPEDA and a number of other laws and regulations are on one axis, the specific controls they mandate are on the other axis, and the software and services that implement those controls fill in the matrix. The goal of this matrix is to identify which technologies, policies and procedures satisfy which controls, and it is very handy for identifying redundancies. Creating these spreadsheets is difficult for most retailers, but they can be purchased from consultants if necessary. Just filling one in properly can be a useful exercise, and should be almost a necessity for any Level 2 or 3 merchant as part of completing a PCI self-assessment questionnaire.

Impact of CDS on Vendor Decisions: Once the merchant has filled out the “compliance matrix” or a comparable web-based questionnaire, the search for “multi-compliant” software and services begins. The goal is to work with vendors who help the merchant avoid compliance silos by being able to demonstrate, and provide reporting tools for, compliance with multiple standards, laws and regulations.
Again, compliance reporting and flexible configurations that can be changed as new versions of standards (e.g., PCI 1.2) or new laws emerge are proving very important in selecting software and services for merchants employing a CDS strategy. This tends to drive such merchants away from open source and more “basic” solutions, which typically offer less flexibility in exchange for lower cost and a simpler management interface.

The bottom line on these two compliance / security strategies is that both will lead to compliance, and both have many “best” practices associated with them. The difference is that CEC will likely cost the merchant less in the near term, while CDS offers greater flexibility at a somewhat higher cost to a merchant facing a broader range of compliance requirements. While one could argue for a “hybrid” strategy, in most cases the fundamental goals of the two strategies are in conflict, making such a middle-ground approach impractical.

By the way, if you’re a retailer, we want to get you involved in the best practices study we’re doing for the National Retail Federation. If you’d like to participate, send me an e-mail.