Hardening the Target

Following the release of new standards for payment-card-industry (PCI) compliance in September, 2006, many retailers were confused about what was required. Issued by the PCI Security Standards Council, an independent organization based in Wakefield, Mass., that provides management of the Payment Card Industry Data Security Standard, the updated and expanded requirements were intended to harden the target against breaches of card data.

Recent breaches at retail organizations such as TJX and Stop & Shop, and the ensuing collateral damage that ranged from consumer withdrawal to lawsuits and financial penalties, have reinforced the critical need for PCI compliance and increased security. To help retailers gain a better understanding of the topic, an educational Webinar was presented by Chain Store Age, Denver-based Accuvant and Aruba Networks of Sunnyvale, Calif.

“Demystifying PCI Compliance” may be viewed in its entirety by visiting www.chainstoreage.com and clicking on the icon for this Webinar.

Following the presentation, retail attendees had an opportunity to pose questions to the panelists. Aruba Networks representatives Manav Khurana, product manager, retail solutions, and Joshua Wright, senior security researcher, along with Brian Serra, PCI program manager of Accuvant, offered the following answers to attendee questions:

Q: Is becoming PCI-compliant enough to defend against network exploitation?

A: PCI compliance is the minimum requirement for what is necessary to protect networks. It is a good first step for protection, but there are always more steps that can be taken to mitigate emerging threats. How much a retailer does usually correlates to the cost-risk analysis—the cost of securing the network vs. the cost of recovering from a breach.

Q:How long does it take, from start to finish, for a retail organization to become PCI-compliant?

A: The overall timeline differs with the size of an organization and the complexity of its cardholder environment. We have seen retailers that have little to no security in place take about a year to get up to speed. Retailers with some security in place may achieve PCI compliance in as little as two months.

Q:What are the most common problem areas retailers should focus on securing?

A: Areas where retailers are most often out of compliance involve the absence or inadequacy of data encryption. It is not just about protecting the card number; many retail organizations retain the track data from the magnetic strip on the back of credit cards. Retaining that data is forbidden.

Another big hurdle retailers face centers around the audit and tracking of security breaches. Retailers must be able to determine and retrace what happened and what was stolen, as well as establish what can be done to prevent future breaches.

Q:What are the ramifications to PCI compliance when additional applications are introduced in the network?

A: PCI compliance is not a one-time project. If you are the compliance manager within a retail organization, it is your responsibility to understand new applications that are added to the network and determine if they are PCI-compliant or what has to be done to make them compliant.

Q:How do you protect against problems such as the duping of credit-card data at the point of sale?

A: There are no controls within PCI compliance to address theft at the point of sale or securing POS hardware. We often hear about “skimming” techniques in restaurants that facilitate theft of credit-card data, and we’ve seen similar problems with devices at ATM machines. However, establishing physical security checks would help to some extent.

Q:Does the PCI requirement for securing wireless networks include every store in a retailer’s portfolio as well as its headquarters?

A: The requirement is to monitor the cardholder environment, which suggests retailers do need to secure their stores as well as their headquarters, distribution centers and other ancillary facilities—basically any environment where wireless applications are used, because rogue attacks could penetrate the corporate network through those connections.

Q:Who is responsible for auditing to confirm PCI compliance and what are the monetary fines?

A: Typically the fines are imposed by the card brands—Visa, MasterCard and Discover. They may fine the retailer’s third-party processor or the acquiring bank, but because of merchant contracts, retailers are likely responsible for payment.

When retailers are dealing directly with the card companies, the minimum fine for data loss is $500,000. For non-compliance without data loss, fines start at $50,000. Additionally, if cardholder data is stolen in mass quantities, the retailer will likely be required to pay a re-issue fee of as much as $200 per card.