Randy Davidson, PODCAST, Compliance Issues Affecting Retailers Today, Complete Text

Interview with Randy Davidson, Sr. Retail Industry Analyst at Tectura. June 18, 2012.

WNR: Good afternoon, and welcome to What’s Next Retail. My name is Fred Diamond with What’s Next Retail. This is one of our podcasts where we get a little more in-depth with our thought leaders. Today I’m speaking with Randy Davidson with Tectura. Randy, how are you doing today?

Randy Davidson: Hi Fred. I’m doing very well today, thank you.

WNR: Very good. We’re going to be talking about the topic of compliance, and some of the compliance that retailers need to focus on to ensure they’re operating their business properly. Randy, why don’t you tell us a little about what you do with Tectura, and then we’ll get into the meat of the conversation.

Randy Davidson: Sure. Thanks, Fred. At Tectura I’m the retail solutions architect, and essentially what that means is that I work with both our sales and delivery teams, and with our clients, basically on helping understand what the requirements are, and translate those into how our solution meets those needs as well as helping customers with industry best practices, improving business processes, and being more efficient.

WNR: Very good. And you work with retailers all over the world, is that correct?

Randy Davidson: Absolutely, yes. Tectura’s a global solutions integrator, and we have offices in countries worldwide, as well as local presence across North America.

WNR: So you’re one of the experts on compliance. Let’s get down to the meat of this. Randy, what are some of the major issues that have caused concern for retailers as it relates to compliance?

Randy Davidson: One of the key issues that’s top of mind for retailers, and I have regular discussions with them, is PCI compliance. Obviously PCI compliance deals with credit card security and fraud, and PCI’s been around for a long time; the PCI standards organization was formed in 2004, aligning the security policies of the five major credit card brands (Visa, MasterCard, American Express, JCB, and Discover). Even though the requirements have been around for a while, companies are still struggling with understanding PCI and ensuring that they are PCI compliant.

WNR: Now, you and I have spoken about this before, but how are MasterCard and Visa’s announcements recently that chip and PIN is going to be a reality by 2015 going to impact retailers?

Randy Davidson: The impact is really twofold. The first is based on the fact that it’s a new standard that retailers, or not just retailers but anyone who accepts credit cards, will need to implement. It impacts card-present transactions, and for retailers particularly, it ultimately means that they’re going to have to touch every point of sale terminal in some capacity, as well as upgrade software and infrastructure. With chip and PIN, you insert your credit card into a PIN pad device and the customer can then enter their PIN number. Now, as I said, the one impact is just with implementing this, based on the time and cost it’s going to take to implement and meet this requirement. And then the second issue is really, what does chip and PIN mean? Implementing chip and PIN, or the chip and PIN standard, represents a liability shift. Ultimately what that means is that if there is a fraudulent transaction, and a credit card has not been processed using the chip and PIN requirement, then the retailer becomes liable for any of that fraud, where today the liability is with the bank based on the current standards. And with the US implementing chip and PIN, it’s really going to bring them into a standard that’s been implemented in most countries around the world, whether it’s Europe, Australia, Brazil, and most recently Canada, which implemented chip and PIN as of 2009.

WNR: That being said, what are some of the benefits of chip and PIN?

Randy Davidson: The key benefit is it’s designed to help reduce fraud at the moment of processing transactions. As I said, when you process a transaction, the customer has to insert their card into a PIN pad device, which reads encrypted data off of the chip that’s used as part of the authorization process, as well as having to enter a PIN number. So this makes it a lot more difficult for the credit card data to be captured and illegally cloned onto copies of credit cards.

WNR: Now, I want to make sure I’m clear. Will chip and PIN replace PCI compliance?

Randy Davidson: No, it doesn’t. That’s somewhat of a misconception that many people have. Chip and PIN is adding an additional level of security at the moment in time a card-present transaction is processed. But it doesn’t change the PCI requirement, and although they’re coupled together in some capacity, PCI compliance deals with the storage of credit card data or how it’s handled from an infrastructure security perspective, whereas the chip and PIN technology adds just that additional level of security at the time of processing.

WNR: Is your company, Tectura, involved with that at all? Are you working with retailers to prepare for the movement toward chip and PIN?

Randy Davidson: Not as of yet, it’s still fairly new, because the announcement was just made in the fall of last year. But we have worked with customers in Canada as they’ve implemented chip and PIN as far as their stores that they have in Canada.

WNR: So, just curious, how has the acceptance been for the stores you’re referring to up in Canada with the implementation of chip and PIN?

Randy Davidson: It’s been difficult, obviously because it is a new standard. One of the things that has happened, and I think the U.S. can look at this as a lesson learned, is that in Canada the requirement was there in 2009, and we’re in 2012 now, three years later, and there are still a number of retailers who haven’t implemented chip and PIN. And a lot of that is due to the fact that it’s a project, we’ve got to get it in place, it may have been pushed off, or scheduling time, because there’s certification that’s required with the banks, and as a result, the process of implementing has taken a lot longer than what was initially thought.

WNR: With that being said, should retailers in the US, for example, have a strategy in place, or is this something they can wait until 2013, 2014 to think about?

Randy Davidson: No, they can’t actually, and it’s something that we’re having discussions about. You know, as I talk to customers and we look at where they’re going, with payment processing or upgrading their systems, it’s something that we’re having that discussion on now, because ultimately, as the dates get closer and closer, you want to be as prepared as possible in advance and at least have a strategy so that, as I say, when the time comes, then you’re ready for it as opposed to scrambling at the last minute.

WNR: Who do you typically deal with, just curiously, as the retailer as it relates to this?

Randy Davidson: In most cases we’re dealing with the IT dept. or store operations. At the CFO level, obviously, they’re involved as well, more so from the directive, but from the actual implementation or business requirements, typically we’re speaking to store operations and IT.

WNR: Very good. Well, let’s get back to PCI compliance for a few seconds here, and what do you think are two or three things you think retailers really need to know about PCI compliance right now?

Randy Davidson: There’s still actually a lot of misconception about PCI compliance. I actually talked about that in one of my recent What’s Next Retail blog entries. A lot of retailers still believe that PCI compliance just relates to the POS software itself. But the requirements actually go farther than that, because beyond the software, or the database structure, there are policies or processes that need to be put in place. There need to be regular audits. They need to make sure anti-virus software is up to date, as well as managing password security policies that need to change on a regular basis. And the other thing they need to know is what’s next. Because technology is changing, there are new business requirements that are coming out, particularly now with mobile being a very significant requirement for retail, retailers need to understand what’s next and what the implications are for PCI compliance as they implement new technologies or new business requirements. And it’s just a matter of keeping informed of what’s changed so that they can build that into their day-to-day operations.

WNR: Well, once again, my name is Fred Diamond with whatsnextretail.com. I’m here with Randy Davidson of Tectura. Whatsnextretail.com is a website featuring thought leaders in the Microsoft Dynamics retail community. Randy Davidson’s one of the experts on compliance, PCI compliance and security as it relates to retailers. He’s also an expert on many other topics as it relates to mobility, self service and social media. Today we’re talking about compliance. Randy, you touched on what’s next, and how retailers need to know what’s next, and we talked about chip and PIN, obviously, but what might be one or two other things coming down the pike that retailers do need to be aware of?

Randy Davidson: You know, just as it relates to the PCI compliance, and we’ve talked a little bit about mobility being a requirement, and as retailers look at how they’re going to implement mobility, whether it’s in the stores, maybe how those wireless networks are used, and security around them, or if we look at mobile devices that are used in the store floors or kiosks where customers can make purchases in the store for maybe products that aren’t in stock, retailers need to consider what the impact of these things are as it relates to the PCI security, and also where it relates to moving forward in the future with chip and PIN.

WNR: Randy, you submitted a nice blog entry last month on how some retailers think that by putting some of their IT in the cloud they are kind of getting around some of the PCI compliance requirements. And you talked about the fact that that’s really a myth, that’s not getting them out of the responsibilities, if you will. Can you talk for a few minutes here about how the cloud plays in PCI compliance?

Randy Davidson: The cloud, or as I get asked when talking to retailers, you know, they’ll say, well, we want our credit application hosted someplace else, we don’t want it stored on our servers, thinking that maybe it helps reduce the risk or the requirement for PCI because that application is hosted somewhere else. Ultimately that’s a myth, because from a PCI security perspective, even though you may have that application hosted offsite someplace, it’s still accessible from your network. And ultimately the PCI compliance comes into play from the moment you accept or swipe that credit card at the POS terminal. Even though you may have those applications hosted in the cloud or stored off-site, whatever the case is, those facilities or those locations will become part of your PCI compliance requirement, because they are accessible from your network. Where there are other opportunities available is that the payment processors are offering different methods of authorization and settlement that really take part of the PCI scope, or the storage of information, elsewhere for your settlement file. And as a result of that, it helps reduce the risk, because then the bank is maintaining some of that information, as opposed to maybe having it stored locally within your own network.

WNR: Well, I’m Fred Diamond with What’s Next Retail, we’re here with Randy Davidson of Tectura. Randy, we’ve talked during this podcast about what retailers should be doing to ensure that they are complying with PCI requirements. Why don’t you just kind of bring it home and talk about some of the risks of not being compliant. What’s going to happen to the retailers where there’s some cracks in the armor, if you will, and they’re not being compliant?

Randy Davidson: The ultimate risk is really being exposed to the loss of data. And when that happens, then things just become more excessive. A couple of significant examples: when you look back to 2007, TJX had a breach of over 46 million cardholder records. Heartland Payments, in 2009, had a breach in their system that resulted in a loss of upwards of 100 million cardholder records, and those are significant examples of where there’s been a breach of data. But as you get down to small and mid-size retailers as well, there is the risk of not being in compliance, and obviously the loss of data, but if you’re found not to be in compliance either by the payment processor or the bank, it can result in fines that can be levied on a monthly basis, that can be significant, or ultimately result in Visa or MasterCard or whichever card you’re processing having that agreement revoked and you not being able to accept those cards.

WNR: Well, Randy, you’ve given us a lot of things to think about here. Great update on chip and PIN, great update on PCI compliance, and what retailers need to think about. Why don’t you tell us a little about Tectura, and what are some of the services you provide to retailers in this space?

Randy Davidson: Absolutely. Tectura is a global integrator of Microsoft Dynamics products. We’ve got offices across the globe and we basically work with retailers on implementing the Dynamics solutions in retail, whether it’s ERP, point of sale, or store operations, and basically work with them through requirements, implementation, post go-live, as well as ongoing support and business process improvements.

WNR: Randy, thank you very much again. My name is Fred Diamond, whatsnextretail.com, a web site featuring thought leadership, best practices, operational excellence for retailers, featuring some of the leading thinkers and leading practitioners in the Microsoft Dynamics space as it relates to providing services for retailers. Of course the big product they’re bringing into the market is Microsoft Dynamics AX 2012 for retailers. Randy, thanks for being with us today, you gave us a lot of great ideas. Again, you can find Randy Davidson’s blog entries on whatsnextretail.com. He’s an expert not just on compliance and security but a whole slew of topics that relate to retailers including social media, mobility, self-services as well. Again, thank you for your time. I look forward to seeing you on whatsnextretail.com.
