Locking the data vault

While PCI DSS compliance is a good starting point, retailers need to be vigilant about securing the avalanche of data they collect every day. By Deena M. Amato-McCoy If there is one lesson to be learned from the security breaches at Hannaford and Heartland Payment Sys­tems, it is that the retail industry can’t let its guard down for a moment when it comes to protecting customer data. Patient, resourceful and creative data thieves are willing to go to great lengths to swipe credit card information that can yield millions when sold on the Internet. While industry executives say compliance with the Payment Card Industry Data Security Standard (PCI DSS) for safeguarding credit card data is a good start, even following PCI DSS to the letter is no guarantee against being hacked. Although many retailers thought they had taken the necessary precautions to keep this information safe and sound in the past, the latest breaches demonstrate that there is more work to be done. “Security is integral part of doing business today and if recent unfortunate breaches did anything, they are reinforcing that issue,” says Bob Russo, general manager for the PCI Security Council, based in Wakefield, Mass. While retailers of all sizes want to avoid the cost and bad publicity surrounding a data breach, one incident can put an independent grocer out of business, Russo says. “When Hannaford got hit last year for example, it affected them adversely. They paid their fines, made their remediations and reassured consumers, who are again the chain’s advocates,” he says. “For a small, independent grocer, however, a security breach could conceivably put them out of business.” Small grocers are not the only segment struggling to get compliant. Based on The State of PCI DSS Compliance at Organizations Today survey, sponsored by Atlanta-based data security solutions provider nuBridges and conducted by Computerworld, more than half of the surveyed companies reported that they have initiatives aimed at achieving PCI DSS compliance; however, two-thirds have yet to pass a PCI DSS audit. Almost 75% of companies revealed they are not entirely satisfied with how they store customer data, the study said. More sobering is that 41% of IT and business leaders reported their organizations saw some type of data breach in the past 12 months. “Results prove that even when companies pass PCI DSS audits, they are not always comfortable with how well they can protect consumer information—a concern that is confirmed by high-profile breaches at compliant organizations such as Heartland Payment Systems,” says Gary Palgon, nuBridges’ vice president of product management. “Many companies have spent considerable time and resources to achieve compliance, yet still face numerous ongoing PCI DSS and security issues.” The fragile economy doesn’t make investments any easier. “While IT budgets must make provisions for PCI remediations, the most common question today is how to rationalize where these funds are pulled from within the budget,” says Prat Moghe, general manager of the data compliance division for Marlboro, Mass.-based Netezza, a provider of data warehouse and analytic systems. It is an especially hard pill to swallow as IT spending dropped by an average of 8% across the retail industry while security spending increased by 11%. “What makes this even harder is retailers are spending money on a process that is not bringing innovation or helping to grow revenue,” says Craig Tieken, vice president of products for First Data, an Atlanta-based merchant processing services provider. Making the leap In addition to the challenge of funding data security upgrades, it can be difficult to determine where the biggest risks lie, according to industry experts. Bombarded with information about the newest mandates regarding PCI, as well as threats of security breaches, “chains struggle to get the correct plan in place to pinpoint all potential points of attack,” says Netezza’s Moghe. “This makes it easy to get confused on how to protect the most sensitive information.” A good rule of thumb is to remain cognizant of where every piece of data flows and resides within a retail operation. This includes a complete audit of every system that would handle customer-sensitive information. Once the analysis is complete, the real work of protecting the data begins, according to industry executives. PCI is a standard assembled by the Payment Card Industry Security Standards Council to help organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise. Early on, most companies addressed the issue by adding new security measures to networks, firewalls and other systems that surrounded data repositories. While this was an important step, too many companies failed to safeguard one major component: the database itself. In the wake of unfortunate breaches, the industry also learned that PCI was never intended to be the silver bullet regarding security. Rather, companies should consider the standard more of a baseline, according to industry experts. “PCI is not a ceiling. It is really the bare minimum that companies should be doing and it is a good baseline to start from,” said PCI Security Council’s Russo. Adding layers The next step is to add layers, such as encryption measures, that will protect databases and access points into the data. This will become a pre-requisite as one of the newest PCI rules mandates that retailers add new security measures within wireless security, new antivirus protection and network firewall settings. This includes adding firewalls for all public web applications and stronger encryption for wireless networks. Chains must also transition from WEP to WPA after June 30 of this year. Tokenization is an evolving solution that can streamline these mandated encryption efforts. The process electronically replaces sensitive data with unique identification symbols that retain all the essential information without compromising its security. “Tokenization decreases the number of data points that maintain credit card data and the technology is gaining traction as a means for lowering ongoing compliance costs,” says nuBridges’ Palgon. “Substituting a token—or surrogate value—in place of the original data means there are fewer occurrences of credit card data in the enterprise, which reduces the scope of systems subject to the PCI DSS mandate.” NuBridges’ tokenization solution, which is being used at retailers including Wal-Mart and consumer packaged goods manufacturers such as Del Monte Foods, Land ‘O Lakes and Heinz, takes affect as soon as a credit card is used at point-of-sale. At this time, a token is created and stored in the retailer’s database and the actual card account number is encrypted and stored in a secure data network, often called a lockbox. This lockbox, which resides in a remote section of the company’s network behind a firewall, uses dedicated servers and network equipment to protect sensitive credit-card data. Since these tokens cannot be referenced back to real credit-card numbers, they are useless to hackers. First Data also offers a tokenization program. The solution is integrated within a payment card terminal that resides at POS. As a customer’s credit card is swiped through the device, the first six digits are replaced with a public key. The captured card number—in its entirety—and associated customer information is encrypted and transmitted offsite to First Data’s data center, where it’s decrypted so it can be processed through the payments switch and then re-encrypted. The re-encrypted data is then stored in an offsite database maintained by First Data, where it keeps its tokenized characteristic for the duration of its lifecycle. The program is currently being piloted at an East coast retailer and the first supermarket is expected to begin testing the solution this spring, Tieken says. The next year will be a busy time for data security professionals, according to industry executives.  say retailers are also knee-deep in complying with Section 10 of the PCI standard, which requires all companies to track and monitor all access to cardholder data. This is forcing retailers to audit all users with data access  and protect all data logs from intentional modification or tampering.