Safeguarding data: looking beyond PCI compliance
Given the number of recent high
AS SOME OF THE RECENT HIGH-PROFILE DATA BREACHES HAVE PROVEN, the overwhelming majority of incidents occur at brick and mortar retailers, not on the Internet. According to a March 2008 white paper published by Trustwave, a Chicago-based provider of data security systems, 70% of breaches occur at physical stores. The research also found that larger companies are often targets. They may represent greater transaction volume, but Trustwave found smaller merchants are actually targeted more often.
One of the most recent breaches in the grocery industry was in March, when it was discovered that credit card data was compromised at Hannaford Bros. According to reports, the Hannaford compromise is among the first large-scale intrusions involving the interception of card data while it's in transit between systems, and the first to happen to a PCI DSS-compliant retailer. PCI DSS stands for Payment Card Industry Data Security Standard. It was developed by the major credit card companies as a guideline to help retailers prevent credit card fraud and improve data security measures.
Hannaford has responded by announcing millions of dollars in security upgrades, including encryption and monitoring software on store servers. The company is working with IBM, General Dynamics, Cisco Systems and Microsoft. At a press conference following the breach, Hannaford's CEO Ron Hodge said the retailer will use "military- and industrial-strength security going forward."
The incident left some in the industry wondering how it happened and created doubt as to whether the initiative put forward by the PCI Security Standards Council, created to thwart such occurrences, was the total solution most assumed it was created to be. Others were concerned that the Hannaford news would further slow the rate of PCI DSS certification, a requirement for any company accepting card transactions for payment. Their reports show that currently the majority of level one, two and three companies (large and medium-size merchants that represent the bulk of credit card transactions) have completed the certification process or are about to.
"All of the steps that are in the compliance standard are things retailers should have already been doing but perhaps were not," says Bob Russo, general manager of the PCI Security Standards Council, based in Wakefield, Mass. He says the council is reaching out to smaller retailers to raise awareness. "You can imagine the challenge in getting so many different types of retailers compliant. A merchant who only takes orders by telephone doesn't store any data and because everything is outsourced has different security issues compared to [other retailers]."
For retailers concerned about the cost of PCI compliance, Russo notes that, should a breach happen, retailers could incur a significant amount of damage to their reputation and to their bottom line. "A data breach is one of the easiest ways for a retailer to lose customers," he notes.
Some experts believe that while not perfect, PCI is improving retail security and is a good starting point, but it should not be considered a total solution for data security. If anything, they hope this encourages retailers to revisit basic security measures such as maintaining proper encryption and following standard procedures. That said, there is a concern that PCI offers retailers a false sense of security and fosters a belief that becoming PCI compliant is a guarantee a company will stay compliant.
Russo, along with officials at Visa, wants retailers to understand that remaining compliant is an ongoing process and that data security requires retailers to be on top of things all the time. "Achieving annual PCI compliance validation is important to ensuring security and is truly valuable when all parties involved diligently and appropriately scope the assessment work, most importantly the retailer, who has the best knowledge of the network and systems to be assessed," says Michael Smith.
Smith also believes it is important to note that a PCI assessment represents validation of minimum requirements at a point in time. "It's critical for grocery stores and other retailers to maintain a disciplined security program to ensure compliance year round. A company can be compliant one day, but can fall out of compliance the next if it doesn't diligently patch newly identified security deficiencies in applications, for example." He points out that criminals have become adept at exploiting holes in payment systems and it is the responsibility of each participant in the payment chain to do their part in defeating such attacks. "By making continuous PCI compliance a business priority, grocery store owners can help minimize the possibility of compromising their customers' payment card information," he says.
ASSESSING THE ASSESSORS
Like any initiative implemented on such a wide scale, there are bound to be issues and challenges in achieving compliance. One such concern, sources point out, can be with assessors, people who in many cases work for the security companies. Some feel this represents a conflict of interest. Additionally, retailers have reported that some assessors are simply using the 12-step PCI initiative as a checklist and are not taking the company's overall security situation into consideration. This has led some to question just how qualified some assessors are and the validity of the process.
In response to criticisms about assessors, Ben Rothke, a PCI qualified security assessor, says at a high level that while some of the issues concerning assessors are legitimate, it is not a wide-scale problem. "In some cases the people who are doing the assessment are in a position to make product recommendations needed to achieve PCI compliance and sometimes those recommendations are for their own companies' products," says Rothke, who is a senior security consultant with BT Global Services, a global consulting firm with offices in New York.
He believes that while ethically the assessor should point out any potential conflict of interest up front, in the end it is the retailer who should be performing due diligence on any company they choose to work with, PCI or otherwise, to ensure their credentials and experience. "My suggestion is to treat this process like they would any other technology project of this magnitude and document everything so that there are no surprises in the end on either side. Given the amount of money and time involved, this is the only sensible thing to do," says Rothke.
Terri Quinn-Andry, a PCI product/systems manager at Cisco, the San Jose, Calif.-based networking systems provider, says there is a potential for a conflict of interest. "This is partially why our main role is performing readiness assessments to help retailers understand how close they are to achieving PCI compliance and helping them to identify where the gaps are, if any. In most cases we bring in a partner company during the remediation process."
According to Russo, there are safeguards in place to address any conflicts of interest. "There are clauses in place that hopefully prevent the 140 assessment companies that have been vetted and trained by us from solely offering and recommending their own products," he says.
The bottom line, he says, is that the buyer, or in this case the retailer, is in charge of the whole process and is responsible for making good business decisions. "You wouldn't go buy a car from the first guy who says his car is the best, why would you do that in your business? It just makes sense that you want to look for someone that specializes in your particular field." That said, Russo says the council is instituting a QA program to ensure everyone is on the same level playing field.
SQUEEZING TIGHT BUDGETS
Budget constraints are affecting all retailers in regards to PCI compliance, and are especially challenging to those with small staffs and IT budgets. Experts agree that the size and scope of the company, the number of remote locations and data centers it has, and how current its present technology is are all factors that influence the expense. "The cost of becoming PCI compliant for any one company is a reflection of the company's commitment to security up until that point," says Rothke. "Granted, larger companies typically incur more expense given their size but as a general rule of thumb those who had not. Given that the nature of remaining PCI compliant means on-going work, the cost and manpower factor can potentially be high."
In spite of these challenges, Michael Petitti, chief marketing officer for Trustwave, believes that given the short time the standard has existed, remarkable progress has been made toward PCI DSS compliance validation. "Companies have realized that not only is PCI DSS compliance validation required of their organization, it's also a good business practice. Being PCI DSS compliant helps secure cardholder data and reduces the risk of a data security breach, which offers a measure of brand protection," he notes.
"Due to dedicated resources and deadlines, large organizations such as big-name retailers and grocery chains have made tremendous strides in achieving PCI DSS compliance validation and maintaining that posture on a continual basis," says Petitti. While larger companies may make headlines in the event of a breach, he notes that smaller companies are more at risk, in part because they are dependent on third parties for point-of-sale software that helps them accept payment card transactions. "As a result, many small businesses, such as a mom-and-pop grocer, for example, implement POS software that stores consumer cardholder data, making them a target of hackers. For a smaller business, security gets lost in the cracks because the owner is busy running the business and the third party integrator of their POS technology is not a security expert and has already moved on to their next client."
Petitti says there is a need to address the challenges of managing data security at multiple stores from a central location. "When it comes to grocers, while compliance validation effort is managed from a headquarters location and includes that central office or headquarters in the PCI DSS scope, it is incumbent on large organizations to make sure that they have implemented the same security controls at the store level. Examples of such technology include event log management and unified threat management technology (UTM), which includes firewall, anti-virus and other critical security services delivered from a single appliance in a store environment. In addition, ensuring the proper installation of a validated payment application in all locations is vital to securing credit card data," he says.
Petitti believes it is important that retailers of all sizes, particularly grocers, monitor their security status on a more regular basis to help maintain compliance. "PCI DSS requires quarterly scanning, but as a security provider, we recommend scanning on a more frequent basis such as monthly," notes Petitti. "More frequent scanning will help keep track of vulnerabilities as they become known and before they can be exploited."
Hannaford recently announced several security upgrades, including using Triple DES PIN encryption. Customer card information is now encrypted from the PIN pad at the store register and remains encrypted in the grocer's internal network. The company is also adding host and network systems to prevent malware from being installed and is working with IBM to monitor system intrusions.
Quinn-Andry agrees that during the past 12 months, retailers have taken the initiative much more seriously and have turned the corner in terms of their understanding and acceptance of what PCI is trying to accomplish. "Retailers have gone from viewing it as a pain in the neck and something they are being forced to do to understanding why it is important, how it will protect their customers and how it can make their new business objectives more attainable. It's really about security best practices."
One grocer Quinn-Andry worked with has 17 stores, but is very close to level one merchant status because the majority of its customers use credit cards. "This grocer took the compliance process seriously, but struggled with the fact that they only have three people in their entire IT department. Their challenge is how to achieve compliance given the amount of legacy systems they are still using. They needed to determine how they could achieve compliance as cost effectively as possible. Sometimes we can keep costs down by piggybacking on to existing technology and other times their technology is so old it needs to be replaced."
RELATED ARTICLE: SAFETY CHECKLIST
Any organization involved in the processing, storage or transmission of cardholder data is at risk for payment card compromise, and oftentimes those who least expect it face the most risk. While complying with PCI is one of the best defenses against breaches, Trustwave has a list of additional safeguards for grocers:
1. Ensure that the payment application does not store prohibited cardholder data such as track data or card security codes. Payment applications should be validated as compliant with PABP or PA-DSS. Web-based applications should undergo a strict third-party code review and application penetration test annually.
2. Segment the payment card acceptance environment from public networks such as the Internet. Implement firewalls where necessary and be sure any firewall is properly configured to allow only the inbound and outbound traffic that is necessary to conducting day-to-day business.
3. Check that third-party providers understand and operate in compliance with PCI. Require that third-party providers sign an agreement requiring them to perform their functions in accordance with PCI.
4. Properly secure remote applications and verify that two-factor authentication is enabled.
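Checklist item 1 (no stored track data or card security codes) and Petitti's call for more frequent scanning can be combined into a simple self-check. The following is an added example, not Trustwave's or the PCI Council's tooling: it scans a constructed set of stored POS records for clear-text PANs (Luhn-checked), track 1 and track 2 data, and card security codes. The record layout and field names (pan, track2, cvv2, last4) are assumptions.

```python
import re

# Constructed sample of records as a POS application might store them;
# the card numbers are published test numbers, not real accounts.
SAMPLE_RECORDS = [
    "txn=1001 pan=4111111111111111 exp=1012 amount=42.10",
    "txn=1002 pan=4111111111111112 exp=1012 amount=8.99",   # fails Luhn
    "txn=1003 track2=4111111111111111=10121010000000000000",
    "txn=1004 pan=5500000000000004 cvv2=123 amount=5.00",
    "txn=1005 last4=1111 auth=A7K2Q amount=10.00",          # truncated: allowed
    "%B4111111111111111^DOE/JOHN^1012101000000000?",        # raw track 1
]

# Track 1 starts with %B<PAN>^<name>^; track 2 is <PAN>=<YYMM>...;
# card security codes show up as cvv/cvc/cid fields with 3-4 digits.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]*\^")
TRACK2_RE = re.compile(r"(\d{13,19})=\d{4}")
CSC_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)
CANDIDATE_PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits):
    """True if the digit string passes the Luhn check used for card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_record(record):
    """Return the prohibited-data findings for one stored record."""
    findings = []
    if TRACK1_RE.search(record):
        findings.append("track1")
    if TRACK2_RE.search(record):
        findings.append("track2")
    if CSC_RE.search(record):
        findings.append("card-security-code")
    # A full PAN may be kept only if rendered unreadable (truncated, hashed
    # or encrypted); a Luhn-valid clear-text PAN is therefore a finding.
    for m in CANDIDATE_PAN_RE.finditer(record):
        if luhn_ok(m.group(1)):
            findings.append("cleartext-pan")
            break
    return findings


def scan_records(records):
    """Map record index -> findings, listing only records with a finding."""
    report = {}
    for i, record in enumerate(records):
        findings = scan_record(record)
        if findings:
            report[i] = findings
    return report
```

Run over a real export, any record that appears in the report is storage the application must not be doing, regardless of whether the last assessment passed.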