Wake Up to Risks

The race is on between companies that secure retail networks and hackers who compromise payment-card data.

According to the 2007 benchmark study conducted by Retail Systems Research (RSR), nearly 50% of retailers surveyed were in compliance with the Payment Card Industry’s (PCI) standards and regulations. That represents a pronounced increase from the 2006 study when only 28% met PCI compliance.

The RSR 2007 study revealed that the size of a retail organization influenced the degree of compliance, with mid-size retailers running ahead of the larger, Tier 1 retail companies that were, for the most part, still working toward compliance.

Challenges associated with compliance also varied with the size of the organization. A majority of the Tier 1 retailers, 58%, indicated that developing and maintaining secure systems and applications was the most difficult aspect of PCI compliance. For 64% of mid-size retailers, the greatest challenge was tracking access to their networks.

These statistics, shared during a recent Webinar co-hosted by Chain Store Age, RSR, Trustwave and AirTight Networks, led to a discussion of how retailers can best achieve PCI compliance and secure networks in a wireless world.

Convert C-level executives: It would be hard to find a retail executive unfamiliar with the infamous TJX Cos. data breach, at least some of which resulted from an unsecured wireless network, and the staggering casualties that ensued including some 94 million payment-card accounts compromised and liabilities that will likely exceed $4.5 billion.

Despite this toll, the RSR report revealed retailers perceive PCI compliance as having more benefit for technology than business performance.

“Only 29% credited PCI compliance as having ‘great value’ for their company,” stated Steve Rowen, partner, RSR, Boston.

Rowen’s suggestion was to elevate the discussion from the IT department to the boardroom, so decision-making executives might develop an appreciation for the value of compliance. However, he cautioned, “Focus on the business drivers, not the technology.”

Additionally, retailers need to understand that compliance with PCI requirements, although a necessary and logical starting point, does not in and of itself create a secure network.

Identify vulnerability in existing processes: Ironically, even executives who recognize the potential for breaches, particularly in wireless networks, are operating with a false sense of security.

For instance, most retailers understand that storage of payment-card track data after authorization is forbidden and have installed software programs that presumably are compliant with this regulation.

Terence McCarthy, senior channel manager at Trustwave, a Chicago-based information security and forensics investigation company that has conducted more than 250 investigations into compromised payment-card accounts, reported, however, that an alarming number of merchants are relying on software that fails to comply with this requirement.

“In 87% of the cases we studied, track data was stored and in some cases there were years of track data,” he said.

Blaming a security breach on ignorance or non-compliant software is not an option; neither is pointing fingers at a third-party provider.

“In 58% of the cases we investigated, the compromises were caused by a third-party provider such as POS developers, integrators or IT firms that were not following PCI requirements,” McCarthy stated. “At the end of the day, it is the merchant’s responsibility to make sure that its systems as well as those of its third-party providers are fully compliant and secure.”

Additionally, data gathered from Trustwave’s forensic investigations indicated that more than 80% of those with breaches failed to protect stored data.

The investigations also showed that the foodservice industry had the highest incidence of payment-card compromises, with 58% of the cases investigated by Trustwave falling into that sector. The retail industry, representing 15% of the cases, trailed as the second most victimized sector. (See chart on page 114.)

Address WEP flaws: One of the most vulnerable areas in wireless networks is the misconception that a Wired Equivalent Privacy (WEP) solution is sufficient for securing communications between handheld devices and access points. McCarthy noted that multiple weaknesses have been discovered in WEP-encrypted information, and hackers “can crack WEP keys in a matter of minutes.”

Although WEP problems can be addressed by converting to Wi-Fi Protected Access (WPA), replacing existing technology portfolio-wide is a cost-prohibitive exercise for many retailers.

Mike Baglietto, director of product marketing for AirTight Networks, Mountain View, Calif., concluded the Webinar with an introduction to his company’s WEPGuard solution, which serves as a proactive system to prevent wireless intrusion. The system protects against WEP attacks, ensures PCI compliance and leverages existing technology infrastructure by integrating with Cisco’s wireless local area networks.

The Webinar, “Safe Without Wires: How Retailers Can Be Wireless, PCI Compliant and Secure,” can be viewed at www.chainstoreage.com/airtightwebinar .