With credit card data hackers becoming increasingly innovative and sophisticated in their methods, it’s more important than ever for retailers to comply with current security standards set by the PCI Security Standards Council.
By Marilyn Odesser-Torpey, Associate Editor
Target, Supervalu, UPS, PF Chang’s and, most recently, Home Depot and even Dairy Queen—American retailers are being victimized by credit card data hackers at an increasingly alarming rate. This past August, the Secret Service and Department of Homeland Security issued a special alert warning that point-of-sale (POS) malware known as “Backoff” may have infected systems in over 1,000 organizations, threatening the security of credit card holder data.
To avoid a financial and consumer confidence catastrophe resulting from a credit card data breach, all retailers, including convenience stores, must do everything possible to make sure their information is resistant to attack.
That is why they are mandated to have the latest version, 3.0, of the Payment Card Industry Data Security Standard (PCI DSS) in place by Jan.1, 2015.
“Our customers must have confidence and trust that we have a secure environment and are committed to protecting their payment card data utilizing current technology and best practices,” said Greg Laroux, vice president of information technology at the 61-unit, Valparaiso, Ind.-based Family Express c-stores. “One avenue is being in compliance with PCI DSS Version 3.0.”
The new requirements were developed by the PCISSC, an organization that was founded in 2006 by the major payment credit card brands and now has more than 650 participating organizations representing merchants, banks, processors and vendors nationwide.
Bob Russo, general manager of the PCI Security Standards Council, pointed out that PCI DSS Version 3.0 provides layers of defense to ensure that businesses can detect, prevent and defend against attacks on their systems.
“Recent breaches underscore the critical importance of a multi-layered approach to credit card security that addresses people, process and technology,” said Russo said.
While today most organizations have a good understanding of PCI and its importance in securing card data, implementation and ongoing maintenance of security controls can be a challenge, especially in light of increasingly complex business and technology environments, Russo explained.
“Just like a lock is no good if you forget to lock it, these controls are only effective if they are implemented properly and as part of an everyday, ongoing business process,” Russo said. “Version 3.0 covers a wide broad base of technologies and processes, such as encryption, access control and vulnerability scanning, to offer a sound baseline of security.”
The Data Security Committee of Conexxus (formerly the Petroleum Convenience Alliance for Technology Standards or PCATS) said in a recent report that among Version 3.0’s security controls are more assessments to identify and note vulnerabilities and penetration tests to determine whether unauthorized access or other malicious activity is possible.
“Preventing malware attacks requires proper processes for authentication,” Laroux said. “PCI DSS 3.0 provides clarification and guidance on how to strengthen these processes.”
As retailers are increasingly using third parties to manage various parts of their business, it is important to note that in a recent study it was found that 63% of investigations revealed a third party introduced deficiencies easily exploited by hackers, PCI reported. The Conexxus report recommended that third-party service providers that require access to the retailer’s systems should be given special authentication credentials and remote access should be enabled only for the time period needed, then disabled.
“Monitoring vendor access provides assurance that vendors are accessing only the systems necessary and only during approved times,” the report explained.
To prepare for the enforcement of Version 3.0, York, Pa.-based Rutter’s Farm Stores plans to conduct a “gap analysis” with a third-party auditor to see if and where vulnerabilities may exist in the company’s credit card system, said Bernie Frazer, director of technology for the 59-store chain.
Based on his reading and understanding of Version 3.0, Frazer does not think that Rutter’s will have to make many changes in the hardware or software of its current credit card protection system.
“We already have systems in place that alert us if someone logs in and gets denied for the password,” Frazer said. “For us, compliance will probably require that we have the third-party auditor on site for more time to witness the gathering of our data.”
Two years ago, Rutter’s created a PCI manager position. His responsibilities include making sure that field technicians and headquarters personnel know the company procedures to stay within compliance of the most current standards.
“Security comes down to the everyday users,” Frazer said. “We need to be vigilant all the time about who has access to the system and why and how they are using it.”
PCI SSC recommends that retailers keep a close eye on their hardware and software components including point of sale system, card reader in the fuel pump system dispenser and other points of interaction devices. All should be inspected periodically and personnel should be trained to detect evidence of tampering or substitution.
While compliance may come with a cost, whether hiring a third-party Quality Security Assessor (QAS), investing in necessary hardware and/or software, the price for not being in compliance can be much higher should a system be hacked. PCI SSC cautions that if the retailer is at fault, the company can incur penalties and even lose the right to accept payment cards.
Even worse is the damage stolen data can spur due to the loss of consumer confidence.
“What dollar value can you put on illegally obtained customer information and a company’s reputation once breached? For example, Target continues to struggle with its customers’ perception of using their payment cards,” Laroux said.
Laroux pointed out that constant diligence is and always will be the key to security.
“We will continue to train and reinforce what PCI compliance is, how it benefits our customers and how it keeps us profitable,” Laroux said. “We will enhance our processes and procedures, increase the number of man-hours to monitor, use technology and increase our budget to ensure we have a secure environment.”
Retailers can access the standards and detailed summary of the changes from Version 2.0 to 3.0 at www.pcisecuritystandards.org.
In a special alert sent to retailers in August on the “Backoff” malware breach that infected electronic cash registers and similar POS systems, the PCI Council strongly encouraged retailers to take immediate action on the following four steps:
1. Contact your provider of antivirus solutions and ensure you have the most recent and up to date version of antivirus software that will detect “Backoff” and other malware.
2. Run this solution immediately.
3. Review all system logs for any strange or unexplained activity, especially large data files being sent to unknown locations.
4. Require all default and staff passwords on systems and applications to be updated. Provide good guidance on choosing a secure password.
Should systems be found to be infected or unusual activity suspected, retailers should contact their acquiring bank immediately.
• PCI DSS Version 3.0 provides layers of defense against malware attacks.
• Maintain security controls every day.
• Monitor vendor access.
• Inspect systems periodically.