Safeguarding data; Given the number of recent high looking beyond PCI compliance.
One of the most recent breaches in the grocery industry was in March, when it was discovered that credit card data had been compromised at Hannaford Bros. According to reports, the Hannaford compromise is among the first large-scale intrusions involving the interception of card data while it is in transit between systems, and the first to happen to a PCI DSS-compliant retailer. PCI DSS stands for Payment Card Industry Data Security Standard. It was developed by the major credit card companies as a guideline to help retailers prevent credit card fraud and improve their data security measures.
Hannaford has responded by announcing millions of dollars in security upgrades, including encryption and monitoring software on store servers. The vendors involved include IBM, General Dynamics, Cisco Systems and Microsoft. At a press conference following the breach, Hannaford's CEO Ron Hodge said the retailer will use "military- and industrial-strength security going forward."
The incident left some in the industry wondering how it happened, and created doubt as to whether the initiative put forward by the PCI Security Standards Council, created to thwart such occurrences, was the total solution most assumed it to be. Others were concerned that the Hannaford news would further slow the rate of PCI DSS certification, a requirement for any company accepting card transactions for payment. Reports show that the majority of level one, two and three companies (large and medium-size merchants that represent the bulk of credit card transactions) have completed the certification process or are about to.
"All of the steps that are in the compliance standard are things retailers should have already been doing but perhaps were not," says Bob Russo, general manager of the PCI Security Standards Council, based in Wakefield, Mass. He says the council is reaching out to smaller retailers to raise awareness. "You can imagine the challenge in getting so many different types of retailers compliant. A merchant who only takes orders by telephone doesn't store any data and because everything is outsourced has different security issues compared to [other retailers]."
For retailers concerned about the cost of PCI compliance, Russo notes that, should a breach happen, retailers could incur significant damage to their reputation and to their bottom line. "A data breach is one of the easiest ways for a retailer to lose customers," he notes.
Some experts believe that while not perfect, PCI is improving retail security and is a good starting point, but it should not be considered a total solution for data security. If anything, they hope this encourages retailers to revisit basic security measures such as maintaining proper encryption and following standard procedures. That said, there is a concern that PCI offers retailers a false sense of security and fosters a belief that becoming PCI compliant is a guarantee a company will stay compliant.
Russo, along with officials at Visa, wants retailers to understand that remaining compliant is an ongoing process and that data security requires retailers to be on top of things all the time. "Achieving annual PCI compliance validation is important to ensuring security and is truly valuable when all parties involved diligently and appropriately scope the assessment work, most importantly the retailer, who has the best knowledge of the network and systems to be assessed," says Michael Smith, head of payment system risk for Visa Inc.
Smith also believes it is important to note that a PCI assessment represents validation of minimum requirements at a point in time. "It's critical for grocery stores and other retailers to maintain a disciplined security program to ensure compliance year round. A company can be compliant one day, but can fall out of compliance the next if it doesn't diligently patch newly identified security deficiencies in applications, for example." He points out that criminals have become adept at exploiting holes in payment systems and it is the responsibility of each participant in the payment chain to do their part in defeating such attacks. "By making continuous PCI compliance a business priority, grocery store owners can help minimize the possibility of compromising their customers' payment card information," he says.
ASSESSING THE ASSESSORS
Like any initiative implemented on such a wide scale, there are bound to be issues and challenges in achieving compliance. One such concern, sources point out, is with the assessors, who in many cases work for security companies. Some feel this represents a conflict of interest. Additionally, retailers have reported that some assessors are simply using the 12-step PCI initiative as a checklist and are not taking the company's overall security situation into consideration. This has led some to question just how qualified some assessors are, and the validity of the process.
In response to criticisms about assessors, Ben Rothke, a PCI qualified security assessor, says that, at a high level, while some of the issues concerning assessors are legitimate, it is not a wide-scale problem. "In some cases the people who are doing the assessment are in a position to make product recommendations needed to achieve PCI compliance, and sometimes those recommendations are for their own companies' products," says Rothke, who is a senior security consultant with BT Global Services, a global consulting firm with offices in New York.
He believes that while the assessor should, ethically, point out any potential conflict of interest up front, in the end it is the retailer who should perform due diligence on any company they choose to work with, PCI or otherwise, to verify their credentials and experience. "My suggestion is to treat this process like they would any other technology project of this magnitude and document everything so that there are no surprises in the end on either side. Given the amount of money and time involved, this is the only sensible thing to do," says Rothke.
Terri Quinn-Andry, a PCI product/systems manager at Cisco, the San Jose, Calif.-based networking systems provider, says there is a potential for a conflict of interest. "This is partially why our main role is performing readiness assessments to help retailers understand how close they are to achieving PCI compliance and helping them to identify where the gaps are, if any. In most cases we bring in a partner company during the remediation process."
According to Russo, there are safeguards in place to address any conflicts of interest. "There are clauses in place that hopefully prevent the 140 assessment companies that have been vetted and trained by us from solely offering and recommending their own products," he says.
The bottom line, he says, is that the buyer, or in this case the retailer, is in charge of the whole process and is responsible for making good business decisions. "You wouldn't go buy a car from the first guy who says his car is the best, so why would you do that in your business? It just makes sense that you want to look for someone that specializes in your particular field." That said, Russo says the council is instituting a QA program to ensure everyone is on the same level playing field.
SQUEEZING TIGHT BUDGETS
Budget constraints are affecting all retailers in regard to PCI compliance, and are especially challenging for those with small staffs and IT budgets. Experts agree that the size and scope of the company, the number of remote locations and data centers it has, and how current its present technology is are all factors that influence the expense. "The cost of becoming PCI compliant for any one company is a reflection of the company's commitment to security up until that point," says Rothke. "Granted, larger companies typically incur more expense given their size, but as a general rule of thumb those who had not. Given that the nature of remaining PCI compliant means ongoing work, the cost and manpower factor can potentially be high."
In spite of these challenges, Michael Petitti, chief marketing officer for Trustwave, believes that given the short time the standard has existed, remarkable progress has been made toward PCI DSS compliance validation. "Companies have realized that not only is PCI DSS compliance validation required of their organization, it's also a good business practice. Being PCI DSS compliant helps secure cardholder data and reduces the risk of a data security breach, which offers a measure of brand protection," he notes.
"Due to dedicated resources and deadlines, large organizations such as big-name retailers and grocery chains have made tremendous strides in achieving PCI DSS compliance validation and maintaining that posture on a continual basis," says Petitti. While larger companies may make headlines in the event of a breach, he notes that smaller companies are more at risk, in part because they are dependent on third parties for the point-of-sale software that helps them accept payment card transactions. "As a result, many small businesses, such as a mom-and-pop grocer, for example, implement POS software that stores consumer cardholder data, making them a target of hackers. For a smaller business, security gets lost in the cracks because the owner is busy running the business and the third-party integrator of their POS technology is not a security expert and has already moved on to their next client."
Petitti says there is a need to address the challenges of managing data security at multiple stores from a central location. "When it comes to grocers, while the compliance validation effort is managed from a headquarters location and includes that central office or headquarters in the PCI DSS scope, it is incumbent on large organizations to make sure that they have implemented the same security controls at the store level. Examples of such technology include event log management and unified threat management (UTM) technology, which includes firewall, anti-virus and other critical security services delivered from a single appliance in a store environment. In addition, ensuring the proper installation of a validated payment application in all locations is vital to securing credit card data," he says.
Petitti believes it is important that retailers of all sizes, particularly grocers, monitor their security status on a more regular basis to help maintain compliance. "PCI DSS requires quarterly scanning, but as a security provider, we recommend scanning on a more frequent basis, such as monthly," notes Petitti. "More frequent scanning will help keep track of vulnerabilities as they become known and before they can be exploited."
Hannaford recently announced several security upgrades, including the use of Triple DES PIN encryption. Customer card information is now encrypted from the PIN pad and the store register onward, and remains encrypted throughout the grocer's internal network. The company is also adding host and network systems to prevent malware from being installed, and is working with IBM to monitor for system intrusions.
Quinn-Andry agrees that during the past 12 months, retailers have taken the initiative much more seriously and have turned the corner in terms of their understanding and accepting of what PCI is trying to accomplish. "Retailers have gone from viewing it as a pain in the neck and something they are being forced to do to understanding why it is important, how it will protect their customers and how it can make their new business objectives more attainable. It's really about security best practices."
One grocer Quinn-Andry worked with has 17 stores, but is very close to level one merchant status because the majority of its customers use credit cards. "This grocer took the compliance process seriously, but struggled with the fact that they only have three people in their entire IT department. Their challenge is how to achieve compliance given the amount of legacy systems they are still using. They needed to determine how they could achieve compliance as cost-effectively as possible. Sometimes we can keep costs down by piggybacking onto existing technology, and other times their technology is so old it needs to be replaced."
RELATED ARTICLE: SAFETY CHECKLIST
Any organization involved in the processing, storage or transmission of cardholder data is at risk for payment card compromise and often times those who least expect it face the most risk. While complying with PCI is one of the best defenses against breaches, Trustwave has a list of additional safeguards for grocers:
1. Ensure that the payment application does not store prohibited cardholder data such as track data or card security codes. Payment applications should be validated as compliant with PABP or PA-DSS. Web-based applications should undergo a strict third-party code review and application penetration test annually.
2. Segment the payment card acceptance environment from public networks such as the Internet. Implement firewalls where necessary, and be sure any firewall is properly configured to allow only the inbound and outbound traffic that is necessary to conducting day-to-day business.
3. Check that third-party providers understand and operate in compliance with PCI. Require that third-party providers sign an agreement requiring them to perform their functions in accordance with PCI.
4. Properly secure remote applications and verify that two-factor authentication is enabled.
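Item 1 of the checklist (no stored track data or security codes) can be verified rather than assumed: POS debug logs, crash dumps and database exports are common places where such data leaks. The scanner below is an added example written for this article, not code from Trustwave or from any POS vendor. It runs over a constructed POS log, recognises ISO 7813 track 1 and track 2 layouts, Luhn-valid 13-19 digit account numbers and labelled security-code fields (CVV2/CVC2/CID), and reports only masked values so the scanner itself does not become a new place where card data is stored. The card numbers are the standard test numbers, and every log line is constructed for the example.

```python
import re

# Track 1 (ISO 7813): %B<PAN>^<NAME>^<YYMM><service code>...?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\?")
# Track 2 (ISO 7813): ;<PAN>=<YYMM><service code>...?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")
# Bare account number candidates: 13-19 digits, optionally split by spaces or dashes
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Labelled security-code fields followed by a 3- or 4-digit value
CSC_RE = re.compile(r"\b(cvv2?|cvc2?|cid|csc)\b\s*[:=]\s*(\d{3,4})", re.IGNORECASE)

# Constructed sample log (assumed format); 4111... and 5555... are published test card numbers.
# Line 4 carries an order number that looks like a card number but fails the Luhn check.
SAMPLE_LOG = """\
2008-03-17 10:01:22 pos01 sale ok txn=8891 amount=42.17 last4=1111
2008-03-17 10:01:23 pos01 debug raw=%B4111111111111111^DOE/JOHN^25121010000000000?;4111111111111111=25121010000000000000?
2008-03-17 10:02:05 pos02 debug card=5555 5555 5555 4444 cvv2=123
2008-03-17 10:03:44 pos02 sale ok order=4111111111111112 amount=9.99
"""


def luhn_ok(digits: str) -> bool:
    """Luhn check used by payment card numbers; cuts false positives from order ids and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, so findings can be logged without storing cardholder data."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_text(text: str):
    """Return (line_no, kind, masked_value) for every prohibited-data hit in the text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in pattern.finditer(line):
                if luhn_ok(m.group(1)):
                    findings.append((line_no, kind, mask_pan(m.group(1))))
        # Blank out track data already reported so the PAN inside it is not counted twice.
        stripped = TRACK1_RE.sub(lambda m: " " * len(m.group(0)), line)
        stripped = TRACK2_RE.sub(lambda m: " " * len(m.group(0)), stripped)
        for m in PAN_RE.finditer(stripped):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append((line_no, "pan", mask_pan(digits)))
        for m in CSC_RE.finditer(line):
            # The value itself is never recorded, only that a labelled field exists.
            findings.append((line_no, "security_code", m.group(1).upper()))
    return findings


if __name__ == "__main__":
    for line_no, kind, value in scan_text(SAMPLE_LOG):
        print(f"line {line_no}: {kind} {value}")
```

Run against real data, the same function would be fed file contents from the POS host (log directories, database dumps, temp folders); any "track1", "track2" or "security_code" finding means the application is storing data PA-DSS forbids after authorisation, and a Luhn-valid "pan" finding in a debug log means the application is at least logging full account numbers in clear text. Both are findings to raise with the POS vendor or integrator before an assessor does.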