PCI Complaince: Work Needed

Continuing the effort to bring the safeguarding of customer data to the forefront of retailers’ discussions, Retail Systems Alert Group (RSAG), Upper Newton Falls, Mass., hosted a half-day PCI Compliance Workshop during the ERI eXchange in June. While the event brought a highly engaged group of retailers face-to-face with the experts that can provide practical, actionable data-security practices, it also proved that there is much work still to be done.

During breakfast, Jeff Wakefield, VP of marketing, integrated systems for VeriFone, the workshop’s sponsor, gave the audience some great information regarding the need (and methods) to improve credit-card PIN (personal identification number) pad-device security. Highlighting several recent breaches—where PIN-pad devices were the point of origination—Wakefield shared details about how frighteningly easy PIN-pad fraud is to commit. He also revealed how simple and effective a stringent hardware-monitoring process can be.

“The price of noncompliance will be passed directly to the retailer,” he noted. “Yet as an industry, we are still not doing what we can.”

After breakfast, Roland Tufts, VP credit risk and financial operations, TD Banknorth, provided a valuable overview of the scope and necessity for card-data regulation. He spoke directly to the need for retailers to enact stricter access controls within the organization to safeguard the central database. This sentiment echoed one of the points we at RSAG have been driving at for some time. Our research has consistently revealed that ad-hoc queries to retailers’ central databases are steadily rising. The No. 1 offender? The marketing department. The need for stricter access controls is dire.

Next up, Mike Dahn of Halcyon Business Consultants delivered a riveting presentation in which he gave retailers actionable steps to avoid a data breach. “The point of sale may be the collection point of risky data, and it may well be what gets the most media attention. But the real culprit is infrastructure.”

Dahn, who has performed hundreds of PCI assessments for retailers, outlined how today’s cyber criminal has honed in on card-present merchants. This is a growing trend, as the street resale value of a personal-account number ($3 each) pales in comparison to that of track data ($35-$50 a piece). As a result, e-commerce retailers are not as attractive to thieves as those who operate physical stores.

“It is important to notice how similar the hacks and breaches have become,” he stated. While these are not CIA spy-quality crimes, by knowing where data is, breaches can virtually be eliminated.

Stephanie Cline, former CIO of Jack in the Box Inc., then gave a practical “real world” view of PCI compliance and security measures. The CIO (who retired in March), spoke openly of the “balancing act” of attaining compliance and driving profits.

Processing 45 million credit-card transactions each year, Jack in the Box operates thousands of restaurants that are currently experiencing both increased credit-card use and dramatic employee turnover. Thus, there is a lot of information to protect.

“No one wants to be the person who is seen as too cautious within an organization,” she said, “But if you think about how quickly all your years of progress can be lost, you will do things differently.”

Jack in the Box operates more than 2,000 local area networks, and most stores have at least 10 PCs. “So strategic decisioning for when and where a security refresh occurs is critical,” she added. Cline also shared her personal opinion regarding the Payment Card Industry’s data-security standard, citing that, “The PCI mandate gives an individual credibility when asking to secure data.”

Lastly, Benita Kahn gave a presentation focused squarely on how laws and regulations should play a vital role in a retailer’s security program. A partner at Vorys, Sater, Seymour, and Pease, a law firm that has aided retailers in compromise occurrences, Khan is a former retailer.

Based in large part on a recent law passed in Minnesota that applies financial liability for breached data—including card replacement—directly on the merchant, Khan noted that the days when a retailer felt little financial sting from a breach are over. “With changing laws, the price of a data breach is about to skyrocket.”

“It is hugely important to develop a data-storage diagram, a plan to contain and limit exposure if breached, and to know exactly which parties must be alerted first (merchant bank, U.S. Secret Service),” she stated. “Remember, a vendor will not be responsible for notifying your customers—it will be on you.”