23 February 2007

The Board Room: IT Strategy Focus...

A new survey or 400 directors published in the March/April issue of Corporate Board Member Magazine by Deloitte Consulting has some interesting insights. In regard to the use of Information Technology as important or very important to insure success in various areas of the business:

  • 69% say implementing the right IT strategy is "very important" in compliance.
  • 66% in learning about and retaining customers.
  • 57% in managing risk.
  • 50% in competitive positioning.

So how come only 14% say they are "completely and actively involved" in IT strategy?
Boards of Director's are in the dark and this won't be changing very dramatically unless you are the result of a significant incident such as T.J. Maxx:

According to The Boston Globe today, TJX Companies has stated that a data breach it revealed last month may have occurred a year earlier than investigators initially thought. The company operates the retail outlets T.J. Maxx, Marshalls and HomeGoods (2,500 stores in the United States), so the earlier date of the hacking may mean millions more customers were exposed. The company declined to give numbers, however.

TJX discovered the breach in December 2006, and it made news on Jan. 18, 2007. At that time the company reported that hackers may have made off with credit and debit information from transactions in the United States, Canada and Puerto Rico from some months in 2003 as well as transactions between May and December 2006.

Yesterday, according to the Globe, TJX said a systems review revealed that intrusions had occurred as early as July 2005, not May 2006.

This trickle of data breaches spread over time led some experts to judge the corporation’s computer systems outdated, weak and not up to card-company security standards.

Information Technology strategy and the amount of effort or time a Board of Directors spends on it is most likely determined by the CEO. If they trust the Chief Information Officer and what they are doing, then they leave it alone. This is becoming an area under greater scrutiny by Directors as these kinds of incidents occur on a more regular basis in the news. However, just because it's not in the news, doesn't mean that it's not happening today at your institution.

There is another war brewing between the banks, retailers and the credit card issuers about who is the guilty one. At the end of the day, consumers will lose. Even pressure by VISA and others to make sure merchants are in compliance with the laws around encrypting data and the storage of the data may not be enough. The retailers have already started their lobbying efforts:

As information security has become a major focus of consumers, governments and businesses alike, the care with which companies protect credit card data has become increasingly important. In many instances, the Achilles heel of data security is a lack of application controls.

Encryption alone is not the answer. With most of the encryption techniques, the same key is used to lock and unlock the data. The problem is: How do you secure these keys in the POS application? Once these keys are compromised, the "secured" data is no longer secure.

The best way to secure data is to not store data. A technology knows as “tokenization” offers a greater level of security by substituting a unique identifier (a token) for a card number, so the card data is never in the system. This token is a random unique value and has no way to be deciphered to gain knowledge of the associated card information. With tokenization, the merchant swipes the card data and sends the information through a gateway to a processor and receives back an approval. But instead of sending the card data itself back to the merchant and the POS system, it is converted to a token: a globally unique, randomized representation of credit card data that is 16 characters long. Only the token is stored in the system.

The token spans the lifetime of the transaction so it provides full support for tips, tabs and incremental authorizations. The merchant does not need the card number or data past the initial request, so storing this information is unnecessary. The entire liability to protect the card data is now on the gateway, where it should be. The primary objective of tokenization is to enable businesses to operate normally while not storing the sensitive data that is the target of data thieves. This technology also eases the burden of compliance for merchants. If no data is stored on site, the merchant has a significantly reduced PCI compliance burden.

The Board of Directors who discuss IT strategy on a regular basis perform better financially and those who don't may be paying the price.

No comments:

Post a Comment