Avoid the PCI hype, but use standard as a rallying pointWith the Payment Card Industry (PCI) data security standard garnering significant mainstream attention, retail CEOs and CFOs are now more aware than ever before about the risks associated with credit card security. Retail businesses that fall within the scope of PCI are scrambling to bolster their security and avoid the damaging situations a few unlucky retailers now face.
Not only do security breaches cost retailers in terms of fines and lower revenue from cautious, brand-conscious consumers, they also cause lawsuits from financial institutions that want to avoid covering losses. Minnesota's recently passed Plastic Card Security Act further exposes retailers to the potential of lawsuits from consumers and there has been speculation that states including Massachusetts, Nevada and Texas may be heading down a similar path. The message to retail leadership is clear, they must do a better job of protecting sensitive customer data or suffer the consequences.
A shortsighted view
Retailers that focus solely on PCI compliance are taking a shortsighted view and making a critical mistake. In an industry where performance is measured on a weekly basis and where there are 12 distinct data points for reporting to Wall Street, as opposed to four in other industries, there is always a danger of getting caught in the moment and failing to adequately plan for the long haul. This is certainly the case for many retailers in addressing enterprise security and is further complicated by the myriad of security and privacy standards, laws and guidelines that are in play today.
Compliance standards and security regulations should be examined holistically in order to create a comprehensive security strategy that encompasses today's needs and lays a foundation for the future. While a retail brand may not extend overseas today, the pressures around globalization could soon take over and force growth in new markets. Even if this does not happen, it is likely that foreign legislation impacting retail will eventually make its way to the United States. The smartest, most successful retail executives will have accounted for this in advance and will not be caught off guard.
A retailer's focus must be on enterprise security as a whole. If it has a secure environment and follows best practices, compliance should follow easily. The reverse is certainly not true. There are a number of retailers that are PCI compliant, but they should not be considered secure by any stretch. Just in terms of PCI, what was acceptable in 2005 was no longer acceptable in 2006 and is laughable in 2007. Compliance standards mature over time, so retailers need to aim high and be prepared.
Damaging security breaches
There are two main types of security breaches – those that involve information theft and those that involve information tampering. For example, a thief could steal a bank account number in order to make ATM withdrawals, or they could change an account record to force deposits into their account. Both attacks need to be thwarted.
The most secure way to protect information is to not keep any around. It may sound overly simplistic, but many retailers store large amounts of customer information “just in case.” For every piece of data collected and stored, there needs to be a business reason for it. And when that data becomes useless, it should be purged in a secure manner. For a long time retailers collected Track2 data on credit cards even though once the card was authorized, there's really no value in storing it. When the costs of maintaining data securely are properly calculated, it may no longer make sense and significant savings may result in addition to reducing the security threat.
Assuming there's some amount of sensitive data that the business needs, how can it be best secured? The seven “As” will help methodically examine how information is secured. Authentication, authorization, assure privacy, audit, alarms, archive and administration are all critical for helping retailers secure their sensitive data and avoid costly breaches.
Authentication and authorization
Authentication is used to verify someone's identity. The most typical way to do that is to ask for an account name and password. The earliest attacks were aimed at stealing passwords so that thieves could steal computer time, so passwords are a type of data that needs to be secured. Companies should define a consistent account management policy that defines how accounts are provisioned and deprovisioned, how passwords are formed, and how often passwords must be changed. Identity management solutions are available that help manage user accounts and passwords securely. Retailers should consider the use of directory servers, access managers, and single sign-on software to ease this burden.
The type of authentication should be commensurate with the sensitivity of the data or functions to be accessed. A simple password is probably fine to clock in, but accessing the company's financials may require additional things like security tokens or biometrics.
Once a person's identity has been confirmed, his or her access should be limited to the minimum set of data and functionality necessary. Authorization determines these limits, usually based on an employee's role. For example, a store manager should have access to his or her employees' records, but not the records of other employees. Individual applications usually manage authorization, but there are some software products that help centralize this task.
In order to assure the privacy of sensitive data, retailers must protect data in transit and at rest. Statements like this are indicative of the confusion surrounding compliance as it can be interpreted in many ways. To get to the bottom of this requirement, it is necessary to dissect the sentence in parts, starting with the term “sensitive data.”
In terms of PCI, sensitive data is really referring to information found on a payment card. Clearly the goal is to prevent thieves from creating copies of cards using information such as the account number, cardholder name, and expiration date. But if you also consider Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) then the scope should extend to any "information about an identifiable individual." PIPEDA governs the collection, use, and disclosure of personal information so retailers that collect customer information for marketing, loyalty programs, deliveries, or just for product recalls must meet requirements for consent, retention, and accuracy as well as disclosure.
Moving on, retailers must “protect” information; that is, limit disclosure and modification to authorized purposes only. To ensure this, retailers must rely on technologies like encryption, firewalls and virtual private networks.
When data is in transit, it's traversing a network from one computer to another. Web-stores have traditionally used network-level encryption like SSL/TLS to protect communications, but in-store networks are usually in the clear. In a large store, it is not hard for an unscrupulous person to walk in and attach a notebook computer to an open Ethernet jack. Then they can use a network sniffer to record all the data that is exchanged for later analysis. Wireless networks are particularly susceptible to this practice since most of the work can be done from the privacy of a car in the parking lot. Although PCI specifies protection of data over public networks, retailers would be wise to consider measures on all networks.
Data at rest is almost always referring to the use of a database, since it is rare to store data elsewhere these days. So data either needs to be encrypted by an external application then stored, or rely on the database to handle the encryption. Most modern databases have built-in encryption capabilities, and the better ones will include things like encryption key management, transparent data encryption, and virtual private databases. It is expensive to modify software to add encryption, so relying on the capabilities of the database can save precious resources.
Retail businesses should first identify sensitive data in the organization such as customer information, financials, employee records, and payment data. Then the types of protection should be defined depending on the sensitivity of the data. Finally, the retailer should ensure protection at both the network and database levels.
Archives, audits and alarms
The first three As (authentication, authorization, assure privacy) are typically what retailers choose to address first. But there have been several breaches involving loss of archive tapes, so it's important to establish data retention policies for backups and archives. As always, the first step is determining if some data can be purged after a period. For the data that must be retained, data should be securely stored using dedicated backup software or the secure backup capacities of the database. And while it is clearly damaging for data to be compromised, it can be just as detrimental to a retailer if the encryption key is lost and data cannot be restored.
So at this point all the data should be fairly well secured, but one has to ask, how do we know? Intrusion detection software can help identify when a breach has occurred and set off alarms so that corrective action can be taken. Intruders tend to leave tracks behind that can be detected and researched.
While PCI specifies that access to cardholder information must be logged, retailers would be wise to broaden this to include any activities that might be suspicious. Typical things to write to an audit log include login attempts, no sales, discounts and printing of reports. Sarbanes-Oxley (SOX) and the UK's Companies Bill are known for requiring that financials be easily audited so that transgressions can be detected. Audit logs are key for detecting potential intrusions, and if one has occurred, determining the scope of damage.
California's SB 1386 requires retailers to notify an individual when his or her personal information has been compromised. Other states are considering similar laws, and there are indications that the federal government could take action and pass a similar law in the future. Enabling audit logs at the database level can be a cost-effective way to monitor all data access consistently.
Smart retailers will benefit
The final “A” is administration, which is usually the least funded. It's incumbent on any business to publish and train staff on company security policies. In the retail industry, much effort is spent on loss prevention, but the focus is less about preventing data theft. But organized crime is forcing the retail industry to look beyond simple loss prevention and look at security more comprehensively.
Retail CEOs and CFOs should use PCI and the attention it is receiving as a rallying point to take a fresh look at enterprise security and build comprehensive policies that take into account all the available standards and regulations. As security risks continue to increase, so will the quantity of laws and regulations. To protect the interests of their customers, brand and key stakeholders, smart retailers will take a proactive stand and exceed today's minimums. They will effectively leverage strategic partners and innovative technology to protect sensitive customer data, their brand and the interests of their shareholders. Otherwise, they may find their retail business in the headlines for all the wrong reasons and wonder why they had failed to learn from the misfortunes of their peers.
-David Dorf is a member of the Oracle Retail Product Strategy team