Another missed Chain Store Age Article…
OK -
This must have been the article that Ms. Amato-McCoy had written to spark the little editorial that I also just posted about.
The article is about Staples and their Information Security Officer - Christopher Dunning. It is nice to see that Mr. Dunning seems to have the ‘right’ attitude about security (so says me) and isn’t just looking at the endeavour as something that needs to be checked off.
PCI is a budget exercise. It’s the ‘fundable’ buzzword that finance requires to attach money to security and to give intelligent, business-focused executives in IT and Security the resources that they need to keep the brand safe and build customer loyalty. I wish this wasn’t the case - I wish more retail CFOs understood the business case for good security, not just for PCI compliance.
Sadly, not all good business decisions can be backed up by a straightforward ROI - some decisions are based on cost, liability, or risk avoidance, and these decisions are estimates of what might happen if… Financial executives often have a hard time with these types of analyses (unless they work in the insurance industry), and IT often has a hard time translating these needs into something meaningful and tangible for finance to feel comfortable funding.
And so we are left with PCI as the driver - the ‘I need the money because we’re being forced to make these changes against our will by the big, bad card brands’ argument. I guess that works to a degree, but it ends up giving the financial executives a false sense of security and a potentially false set of expectations.