Innovative Retail Technologies

SEP-OCT 2016

Innovative Retail Technologies (formerly Integrated Solutions For Retailers) is the premier source for innovative yet pragmatic technology solutions in the retail industry.


• CIOs, who arguably bear the ultimate responsibility for payment data security, paint a much rosier picture. A full 94 percent of them say their roles deal with payment security, and 83 percent say their software is PCI compliant.

That there's a nearly 20-point swing separating the typical LP/AP director's understanding of PCI preparedness from that of the CIO is disconcerting at best. At the highest level, there's clearly confusion and a lack of communication around what it means to be PCI compliant. And the surprisingly high numbers of retail executives who assume their organizations are PCI compliant fly in the face of the reality uncovered in last year's Verizon PCI Compliance Report. Findings from that study underscore that payment security is not a "set it and forget it" exercise. Nearly 80 percent of all businesses fail their interim PCI compliance assessments, leaving them vulnerable to cyber attacks, according to the study. In fact, it found that just 29 percent of companies are still fully PCI DSS compliant less than a year after being validated.

This lack of corporate understanding of payment security initiatives becomes even clearer when we drill down into some specific questions about the steps retailers are taking to achieve payment security. For example, nearly 80 percent of CIOs say their payment software employs point-to-point encryption. Just 50 percent of LP/AP directors and 53 percent of CEOs said the same. A full 35 percent of CEOs admitted that they have no idea.

There's equal disparity in understanding tokenization among these executives. Among LP/AP directors, 42 percent say their payment software employs tokenization. Only 28 percent of CIOs agree, and 56 percent of them offer up a decided "no" when asked if their payment software employs tokenization. Well more than half of CEOs admit to having no idea whether payment data is tokenized in their organizations.

After posing these tech strategy-specific payment security questions to our audience, we asked them again to gauge their confidence in the security of their physical and digital payments infrastructures. Those questions elicited interesting responses, as we saw confidence erode from the first series of questions inquiring about PCI compliance:

Clearly, the perceived security of the payments landscape is taken dangerously for granted at the head office. We often cite the need for ongoing payment security education at the store associate level. The findings from our survey indicate that education — and more collaboration — is necessary at the corporate level as well.

Confusion On EMV Compliance, CNP Fraud Mitigation

That the payments landscape of late has seen rapid change is a gross understatement. Even as merchants continue to struggle to maintain PCI compliance, the EMV initiative that's steamrolled its way through the U.S. has consumed massive time and resources from time- and resource-strapped retailers. Unsurprisingly, 39 percent of our survey respondents agreed with the statement "I hate dealing with payment security," a response most likely fueled by the 36 percent who agreed, "There are still a lot of questions and confusion around EMV."

In its early days, there's no surprise that retail execs are as disillusioned — and misinformed — by their progress on EMV as they are on their compliance with PCI standards. Asked how many of their devices/terminals are EMV-compliant, 41 percent of CEOs said none of them, while 35 percent said all of them. A third of CIOs said none, compared to 22 percent who said all. Twenty-nine percent of LP/AP directors said none; 36 percent said they're all compliant. When 35 or 36 percent of retail CEOs and LP/AP directors say all of their payment terminals are EMV compliant — but just 22 percent of retail CIOs say the same — there's clear misinformation happening.

The necessity for these titles to get on the same page will only be exacerbated as EMV takes hold and card payment fraud moves online to CNP (card-not-present) transactions. Nearly 30 percent of retail CIOs and LP/AP directors say they've suffered CNP loss in

[Chart] On a scale of 1 to 10, how confident are you that your DIGITAL payments infrastructure is secure? CEO 5.6; CIO 5.7; LP/AP 5.7

[Chart] On a scale of 1 to 10, how confident are you that your PHYSICAL payments infrastructure is secure? CEO 5.9; CIO 6; LP/AP 5.7
