As the deadline for the new Payment Card Industry Data Security Standard looms on the horizon, it’s important for chains to get their data-security houses in order. That requires reviews of solutions and data flow, and implementing technology that can aid in the stringent testing process.
When chains hear about new releases of standards, dollar signs often flash before their eyes. But when the PCI DSS 1.2 standard was announced, the industry breathed a collective sigh of relief.
The new standard requires few remediations and investments for those already up to date with compliance. It also clarifies language on previous issues and requirements that had stymied retailers.
Overall, the new standard clarifies requirements within wireless security, anti-virus protection and network firewall settings. For example, all public Web applications must include a firewall, and chains are required to add stronger encryption for wireless networks: they must transition from WEP to WPA, as WEP is no longer permitted after June 30, 2010.
The 1.2 standard requires the use of antivirus software for all operating system types, including point-of-sale systems. In addition, retailers storing cardholder data offsite must assess these locations on an annual basis, and documents containing this data must be secured.
For the most part, version 1.2 is about tightening up some language and ensuring that retailers are aware of the steps that will keep them compliant. “This set of standards is clarified much better than past versions, but there is a bigger message,” Robert Masse, consultant for Montreal-based specialty retailer Reitmans, said at the recent NRF Convention & EXPO. “Regardless of the revisions, when it comes to PCI, chains should be most aware of where the data goes.”
Unfortunately, monitoring data flow tends to be the biggest stumbling block for retailers. Analysts and auditors report that the easiest way for retailers to stay on top of PCI compliance is to have a complete grasp of what data they collect and where it finally ends up.
“The best guideline to follow is where is the data coming in from, where it goes and where is its final resting place,” said Dave Shackleford, director, Center for Policy and Compliance, Configuresoft, a Colorado Springs, Colo.-based enterprise configuration management company. “It sounds like a simple concept, but this is very difficult for some chains.”
The more distributed a retailer is across a region or the nation, the harder it is to centralize compliance and security measures. Add in the many different POS solutions the enterprise supports, and the challenges intensify. Reitmans, for example, supports 2,500 POS units, 1,200 workstations and 145 corporate servers.
“We went through terabytes of data to understand every system this information hits,” noted Masse. “We analyzed every business process data flowed through, then secured every solution it touched.”
Tracking and securing data and related systems is only the first step on the road to PCI compliance. Staying compliant requires conducting internal audits. While third-party auditors are important, adhering to regular internal tests is paramount.
Masse has taught Reitmans to have regular drills on systems across the board, including Web applications, both wired and wireless telephone networks, databases and hardware. “We are big on metrics, and testing helps us make swift corrections on vulnerabilities and ensure we are as secure as possible,” he said.
Internal testing could get another boost as automated assessment tools gain more industry attention. Automated assessment solutions identify all data traffic between other networks and the cardholder data network, as PCI DSS requires, a practice that had often been manual, cumbersome and error-prone. Such solutions also provide compliance reports to keep retailers abreast of results.
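As an added illustration of the two practices above, the "where does the data come from, where does it go" mapping Shackleford describes and the boundary-traffic check that automated assessment tools perform, here is a small example script. It is not code from the article or from any vendor mentioned in it; the cardholder data environment (CDE) subnet, the list of documented data paths and the flow log lines are all constructed for the example.

```python
import ipaddress
from collections import Counter

# Assumed segmentation for the example (constructed, not from the article):
# the cardholder data environment (CDE) lives in 10.20.0.0/16.
CDE_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# Documented data paths that are allowed to cross the CDE boundary:
# (source network, destination network, destination port, protocol).
APPROVED_PATHS = [
    # store POS terminals -> payment switch inside the CDE
    (ipaddress.ip_network("10.30.0.0/16"), ipaddress.ip_network("10.20.1.10/32"), 443, "tcp"),
    # payment switch -> acquirer (constructed documentation-range address)
    (ipaddress.ip_network("10.20.1.10/32"), ipaddress.ip_network("203.0.113.0/24"), 443, "tcp"),
]

# Constructed flow export in a simple CSV shape: src,dst,dport,proto,bytes
SAMPLE_FLOWS = """\
10.30.4.21,10.20.1.10,443,tcp,18240
10.20.1.10,203.0.113.5,443,tcp,9920
10.40.7.3,10.20.1.10,3389,tcp,512000
10.20.1.10,10.50.2.2,445,tcp,88000
10.30.4.22,10.30.4.1,53,udp,300
"""


def parse_flows(text):
    """Turn CSV flow lines into dicts with parsed IP addresses; skip blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        src, dst, dport, proto, nbytes = parts
        flows.append({
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "proto": proto.lower(),
            "bytes": int(nbytes),
        })
    return flows


def in_cde(ip):
    """True if the address belongs to one of the CDE networks."""
    return any(ip in net for net in CDE_NETWORKS)


def crosses_cde_boundary(flow):
    """True when exactly one endpoint is inside the CDE, i.e. the flow crosses the boundary."""
    return in_cde(flow["src"]) != in_cde(flow["dst"])


def is_approved(flow):
    """Match the flow against the documented data paths."""
    for src_net, dst_net, port, proto in APPROVED_PATHS:
        if (flow["src"] in src_net and flow["dst"] in dst_net
                and flow["dport"] == port and flow["proto"] == proto):
            return True
    return False


def assess(flows):
    """Label every boundary-crossing flow as approved or unapproved; in-segment flows are out of scope."""
    findings = []
    for flow in flows:
        if not crosses_cde_boundary(flow):
            continue
        direction = "inbound" if in_cde(flow["dst"]) else "outbound"
        findings.append({**flow, "direction": direction,
                         "status": "approved" if is_approved(flow) else "unapproved"})
    return findings


def data_flow_inventory(findings):
    """Unique (src, dst, port, proto) paths touching the CDE: the data-flow map auditors ask for."""
    return sorted({(str(f["src"]), str(f["dst"]), f["dport"], f["proto"]) for f in findings})


def summarize(findings):
    """Compliance-report style summary: counts plus the undocumented paths that need remediation."""
    counts = Counter(f["status"] for f in findings)
    return {
        "crossing": len(findings),
        "approved": counts["approved"],
        "unapproved": counts["unapproved"],
        "unapproved_paths": data_flow_inventory([f for f in findings if f["status"] == "unapproved"]),
    }


if __name__ == "__main__":
    results = assess(parse_flows(SAMPLE_FLOWS))
    for f in results:
        print(f"{f['status']:10} {f['direction']:8} {f['src']} -> {f['dst']}:{f['dport']}/{f['proto']} ({f['bytes']} bytes)")
    print(summarize(results))
```

On the constructed sample the script keeps the two documented paths (POS to payment switch, switch to acquirer), flags an undocumented remote-desktop connection into the CDE and an undocumented file-sharing connection out of it, and ignores the DNS lookup that never touches the CDE. The inventory of unapproved paths is the list a retailer would either document as a legitimate data flow or remove, which is the point of Masse's "know where the data goes".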
While there are more options available to retailers, there is no silver bullet. Chains also need to remember, “PCI is not a goal, but a state of being,” Masse said. “And retailers can only achieve it if they learn and live by the correct steps required to protect cardholder data.”