
Zappos Gets Zapped

By Archive User posted 03-23-2012 07:33 AM


Zappos.com, the popular online shoe retailer known for its customer-service slogan, “delivering happiness,” was attacked by hackers last month, and over 24 million customer records were exposed. It was not a happy time for the company or its many customers. However, it appears that no critical cardholder data was compromised: the exposed records held account and contact details, and Zappos reported that the database holding full payment card numbers was not accessed.

Are PCI compliance efforts starting to pay off? For Zappos, the answer appears to be yes. Unless new details emerge, their financial exposure should be significantly less than the oft-cited industry average of $204 per compromised record. At that rate, a breach touching 24 million records would cost on the order of $4.9 billion, so keeping cardholder data out of the exposed systems mattered enormously. Zappos did many things right. But let’s face it: they have a single-channel, single-merchant system to secure. Even though they sell a massive number of shoes, their Cardholder Data Environment (CDE) “footprint” is small.

How about your campus? It probably has multiple payment channels in multiple merchant systems from multiple campus vendors, all of which you must monitor and safeguard. The fact is, most campuses have a larger CDE footprint than companies like Zappos, and that makes it harder to answer the question, “Is your campus PCI compliant?” Here is a good litmus test. Go to your campus PCI “czar” and ask for a list of every pay point on campus, that is, every place where cardholder data is accepted, processed, stored or transmitted. If you don’t know whom to ask, or cannot get an accurate list within 24 hours, chances are your campus still has compliance issues to resolve: you cannot scope or secure a CDE you cannot inventory.

None of us are immune from the possibility of a data security breach. At the same time, none of us want to become the poster child for “what not to do.” As we start 2012, Zappos is showing us that “delivering happiness” can also mean being PCI compliant.
