Risk management for enterprise CIOsExecution: Dodge risks in practice <<previous|next>> :Malware real threat to holiday shopping on company time
PCI compliance a good start, but not enough
By Linda Tucci, Senior News Writer
27 Mar 2008 | SearchCIO.com
The news earlier this month from Hannaford Bros. Co. was ugly: 4.2 million credit and debit card numbers stolen by a cyberintruder during the past three months. The breach affected 271 stores in the Hannaford supermarket chain, 23 independently owned markets and 70 banks nationwide. Some 1,800 fraud cases have already come to light. Before week's end, the first of possibly many class-action lawsuits was filed against the Scarborough, Maine-based grocer.
The theft pales in comparison with last year's massive data breach at The TJX Cos. involving 94 million cardholders, but the Hannaford intrusion marked another worrisome milestone. The heist occurred when customer data was in transit, as opposed to in situ in a database -- the first known time that has happened on such a large scale.
Even scarier, unlike an estimated 50% of retailers out there, the company was in compliance with the Payment Card Industry Data Security Standards (PCI DSS) established by the major credit card companies, including Visa Inc. and MasterCard Inc., to ensure the privacy of stored customer information.
"PCI compliance is not enough," said Steve Rowen, partner and PCI expert at Retail Systems Research LLC (RSR), a Miami research firm specializing in technology and business challenges in the retail industry.
"Visa is a bank, not an IT company. The notion that Visa should be telling retailers, particularly retail IT-ers, how to secure their information is really a bit silly," Rowan said.
Visa, to its credit, was quick to identify the problem associated with the collection, retention and use of customer financial data by retailers, said Brian Kilcourse, managing partner at RSR and co-author with Rowen of "Customer Data Security, PCI and Beyond," a 2008 benchmark study of how retailers are approaching the PCI mandate.
Retailers, however, are collecting all kinds of customer data to customize and fine-tune their product offerings and improve customer service.
"PCI focuses exclusively on credit card payment data, but there is other stuff collected that is just as dangerous," Kilcourse said. "A good portion of the breaches are Social Security numbers. PCI has nothing to say about Social Security numbers."
The point? Looking at PCI compliance as a "checkbox project is not enough," Kilcourse stressed. Security is a fluid process that requires proactive measures to minimize the risk associated with the capture and retention of customer data.
Retailers who wish to tackle customer data security from a proactive standpoint "must successfully incorporate their payment-specific security measures into larger business initiatives."
PCI pain points
The most common mistake retailers make in becoming PCI compliant, Kilcourse said, is to "map their applications to the mandate."
"Retailers will come up with to-do lists, so, for example, 'We have customer data in this application, therefore let's map it over the mandate,' as opposed to looking at all their applications through the lens of the mandate," Kilcourse said.
A good portion of the breaches are Social Security numbers. PCI has nothing to say about Social Security numbers.
Brian Kilcourse, managing partner, Retail Systems Research LLC
But there are myriad places where data can be grabbed by a shadow or external process, Rowan said, and retailers know this -- even if they can't quite face up to it.
When Kilcourse and Rowen asked retailers to name the most difficult aspect of complying with PCI, the No. 1 hurdle cited by most was the ability to monitor access to the network. "There are so many points of data transmission in the network, they could not monitor them."
In the case of the Hannaford breach, it is believed the credit and debit card numbers were stolen while in transit from the pin-pad device (where the card is swiped) back to the database -- a weak spot firms like RSR have been warning retailers about since before PCI was instituted.
Retailers need to encrypt the data in all of its forms, not in its in-state form, Rowan said.
"A lot of retailers cringe when you say this, because there are so many littler discreet handoffs of this data between Point A and Point B, that it can seem like a daunting task," Kilcourse said.
Let us know what you think about the story; email Linda Tucci, Senior News Writer.