PCI expert suggests retailers address both security and business availability
The holiday shopping season is again putting the spotlight on PCI compliance, including the measures retailers must take to ensure the confidentiality of consumer data. However, IT management expert James DeLuccia IV reminds retailers that comprehensive risk management also extends beyond security to operational resiliency and business continuity aspects.
It’s an increasingly complicated landscape, with retailers not only having to worry about PCI compliance to ensure consumer data protection, but also IT issues that relate directly to business uptime. These issues include system availability, transaction response times, data recovery and failover mechanisms. With the holiday season accounting for approximately 20 percent of annual sales for retailers – both in stores and online – it is imperative that operations not only run, but run efficiently or else risk losing sales.
PCI compliance is a cumbersome yet vital undertaking for retailers, due to continually evolving business objectives and technology environments. For example, the proliferation of wireless networks (cell-phone and hotspot networks) creates a growing risk of security breaches that was not widely present just a few years ago. As a result, retail enterprises have to allot a larger share of IT man-hours to managing PCI compliance and security tasks.
DeLuccia contends that risk mitigation strategies require input and buy-in from senior management and decision-makers across the enterprise. It also demands the careful alignment of IT infrastructure changes with a company’s core business objectives.
The best risk management initiatives don’t simply protect data; they help the company run more effectively. This is the case when equal consideration is given to areas like system continuity and service delivery that support operational measures. It’s the blending of business necessity with core methods for data security that ensures overall risk management.
DeLuccia is a recognized expert on PCI compliance and IT risk management. He is a published author and host of a number of industry blogs on PCI and other topics. His new book, “IT Compliance and Controls: Best Practices for Implementation,” will be released in March 2008.