Cover story: Protecting credit card numbers has a positive impact on business
When the Steak n Shake Company began accepting credit cards a few years ago as a way to increase revenue and appease its plastic-friendly clientele, the full-service fast-food chain famous for its steakburgers was forced to add another item to its menu: Payment Card Industry Data Security Standard (PCI DSS) compliance.
The Indianapolis-based public company, with about 480 locations in the South and Midwest, started as a Level Four-recognized merchant, meaning it was one of some six million businesses processing up to one million yearly Visa or MasterCard transactions. But that designation did not last for long.
"As it [the new point-of-sale system] started to get rolled out, our transaction volumes began to grow," recalls Sean Smith, 35, director of strategic services and the pro responsible for IT security at Steak n Shake. "Last year we were notified we became a Level One merchant. We conduct six million transactions a year."
On the surface, such a distinction — Visa only counts 327 merchants as Level One and they are responsible for half of all card transactions — may sound like reason to celebrate booming business. But, thanks to PCI DSS, a 12-step data security standard that applies to any organization which stores, processes or transmits card payments, the balloons and champagne had to wait.
No longer was Steak n Shake, with its 22,000 employees, just another face in the crowd. There were significant and expensive upgrades to log and patch management, event monitoring and anti-virus deployments. Most of all, Steak n Shake's newfound status as a Level One merchant meant far greater scrutiny, including an annual onsite review, and quarterly network scans provided by Redwood Shores, Calif.-based Qualys.
By contrast, Level Fours do not require any validation.
"Going to Level One is what forced our hand in making sure we were doing all of this," Smith says. "Security as a whole had to increase exponentially across the entire organization."
With Steak n Shake expecting to be fully compliant by the newly imposed Sept. 30 deadline for Level One merchants — or face monthly fines — the company serves as a poster child for how far PCI DSS has come in a year.
"It's gone from 0 to 60 in three seconds," says Seana Pitt, vice president of merchant policy and data quality at American Express.
Pitt also serves as chair of the PCI Security Standards Council, charged with increasing awareness and driving adoption of PCI DSS 1.1, introduced in September. "The question is no longer if I'll get compliant, it's how fast can I get there?"
Many organizations such as Steak n Shake are realizing that investing in PCI can help improve their overall security posture, even if it does not guarantee freedom from risk.
"I think companies do see PCI as an opportunity to protect their credit card numbers," says Dave Howell, a solutions marketing manager for RSA Security, part of EMC, who helped lead a survey of businesses impacted by the standard. "This is a core set of best practices for IT security, and once you achieve them, you will certainly be in a better place."
Still, while the standard's biggest selling point is its prescriptive nature, real challenges exist, including implementation, audit costs, dealing with legacy systems and overcoming confusion over what is required, experts say.
"To actually address data isn't necessarily that easy once you start peeling it apart," Howell says.
Meanwhile, the largest pool of businesses required to comply — the Level Four merchants consisting of mostly small companies and mom-and-pop shops — are the least successful at compliance, so much so that Visa considers educating this group a top priority for 2007.
"It's really an educational issue," says Bob Russo, the PCI Security Standards Council's general manager. "Bob's Pizzeria doesn't know the first thing about taking credit cards. They know how to make pizzas."
Bringing the brands together
The road was paved last September when the PCI Security Standards Council was formed, thereby bringing together the five major payment card brands — Visa, MasterCard, Discover, American Express and JCB — to support a uniform standard on safeguarding cardholder data. Up until then, merchants were forced to comply with each of these brands' individual guidelines.
"It was important we got clarity and consistency among all the brands," Russo says. "The fact that five competitors got together and agreed on one standard they would all accept — the terminology, clarity, consistency — it was just a milestone."
The council has worked feverishly this year to get the word out — "I literally live on an airplane," Russo says — but arguably nothing has helped more than the plethora of data breaches that have made headlines since the new standard was announced, most notably TJX.
The TJX Companies, the Framingham, Massachusetts-based parent of Marshalls, T.J. Maxx and other retail chains, was believed to have been storing unauthorized information, such as track data, before the company admitted in January that hackers compromised some 46 million customer credit card numbers. The incident set off a flurry of lawsuits by customers and banks who contend TJX should be responsible for its shoddy security, as well as separate investigations by the Federal Trade Commission and 37 state attorneys general.
MasterCard has publicly said TJX was not compliant when its database was breached, and Eduardo Perez, vice president of payment system risk at Visa USA, says he has "never seen an entity compromised that is PCI compliant."
TJX has admitted in FTC filings that it has spent some $20 million already to address costs related to the breach.
"God forbid you're the next one in the paper," says the PCI Security Standards Council's Russo. "It's certainly cheaper to comply than to go back and deal with all the stuff if you're not compliant."
But compliance clearly does not come easily. According to the latest Visa statistics, about 38 percent of Level One merchants have reached compliance, although the credit card company says the "vast majority" have conducted their initial assessment. Meanwhile, just more than 27 percent of Level Two businesses are compliant. Visa has established deadlines — Sept. 30 for Level One merchants and Dec. 31 for Level Two merchants — to reach compliance. PCI mandates a number of requirements, including maintaining a firewall, encrypting transmission of cardholder data, running a vulnerability management program and controlling access.
Eliminate unnecessary information
But payment brand and PCI Security Standards Council officials say organizations, especially those still in the initial phases of addressing compliance, should make their priority eliminating the storage of unnecessary information, known as track data. This includes the data contained on the magnetic strip of the card, including the PIN and credit card verification codes. The message: Don't store it if you don't need it.
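As an added illustration (not part of the article or any program it describes), a small Python scanner for the track data the council wants eliminated: it finds complete Track 1 and Track 2 magnetic-stripe records in retained text such as point-of-sale logs, confirms each PAN with a Luhn check so random digit runs are not reported, and redacts the records before the text is kept. The log lines and the 4111 1111 1111 1111 test number are constructed sample input.

```python
import re

# Track 1 layout: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\?")
# Track 2 layout: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check so a random digit run between ';' and '=' is not reported."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_track_data(text: str) -> list[dict]:
    """One finding per complete track record whose PAN passes Luhn.
    Only the last four PAN digits are kept, so the report itself does not
    become another copy of prohibited data."""
    findings = []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(text):
            pan = m.group(1)
            if luhn_ok(pan):
                expiry = m.group(3) if track == 1 else m.group(2)
                findings.append({"track": track, "pan_last4": pan[-4:], "expiry": expiry})
    return findings


def redact_track_data(text: str) -> str:
    """Replace every track record with a marker before the text is retained."""
    return TRACK2_RE.sub("[TRACK2-REDACTED]", TRACK1_RE.sub("[TRACK1-REDACTED]", text))


# Constructed sample: a POS debug log that captured full swipes (using the
# 4111 1111 1111 1111 test number), plus an allowed line with a masked PAN
# and a swipe whose PAN fails Luhn (not reported, but still redacted).
SAMPLE_LOG = (
    "21:03:11 POS-07 swipe raw=%B4111111111111111^DOE/JOHN^25121011234567890?\n"
    "21:03:12 POS-07 swipe raw=;4111111111111111=2512101123456789?\n"
    "21:03:13 POS-07 auth approved pan=411111******1111 amount=12.48\n"
    "21:04:02 POS-07 swipe raw=;4111111111111112=2512101123456789?\n"
)

if __name__ == "__main__":
    for finding in find_track_data(SAMPLE_LOG):
        print(finding)
    print(redact_track_data(SAMPLE_LOG))
```

Run over a store's log directory on a schedule, a non-empty result is the signal that an application is still writing stripe data somewhere it should not.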
"If criminals can get that information, it generally proves more effective in trying to perpetrate fraud," says Jennifer Fischer, director of enterprise risk and compliance at Visa USA.
This is such an important mission at Visa that the payment brand recently launched a program, pledging $20 million in incentives to acquiring banks who help to educate merchants and ensure their compliance with PCI. The Visa program is aimed at eliminating the storage of prohibited credit card data by Level One and Two merchants.
As with fines, acquirers are encouraged to pass the incentives on to merchants. But some merchants say the gains barely pay for the cost of an audit.
A lot has happened since last September, when the PCI Security Standards Council was formed and the mandate became uniform. And as some companies spend millions of dollars on the road to compliance, providers of PCI-oriented hardware and software are seeing big gains. Many vendors are tailoring their offerings to specifically speak to the standard. In January, the PCI Security Vendor Alliance formed. The goal of the group, made up of data security firms, is to work with the PCI Security Standards Council to evaluate PCI compliance-focused products.
The PCI mandate also has gotten application developers thinking security. Brian Cohen, president and CEO of SPI Dynamics, recently acquired by HP, says his Atlanta-based application security company is receiving unexpected information requests from software developers, who traditionally have considered security an afterthought. One reason for the change in mindset, says Cohen, is PCI. Other industry players concur.
Douglas Medina, senior director, enterprise marketing at Germantown, Md.-based Hughes Network Systems, a managed VPN broadband provider and an IBM partner, says his company has been forced to create a PCI compliant product.
"To be honest, it was our customers that were demanding it," he says. "They would not sign a contract if we did not provide that service."
The standard also has meant big business for companies such as Chicago-based AmbironTrustWave, which doubles as a qualified security assessor (QSA) and approved scanning vendor (ASV) — the two types of contractors required to validate Level One merchants. (Level Two, Three and Four merchants are not required to work with QSAs for validation, but they must pass quarterly scans).
"We're there to help them measure their current status against the standard," says Michael Petitti, Ambiron's chief marketing officer, adding that merchants of all sizes are at risk. "It's not how large you are as an organization. It's really the data that you hold that these folks are looking for. You are considered a target by the hacking community that has standardized itself and organized itself to go after all those types of entities."
Petitti says the breaches the public does not hear about usually involve the Level Four merchants, the Bob's Pizzerias of the world.
Many smaller businesses use third-party applications, and some of those store track data. But Visa this year began a concerted push for acceptance of a payment application best practices program in which it lists those vendors who produce QSA-approved software to process cards and meet compliance guidelines.
Meanwhile, the PCI Security Standards Council, which manages the standard, has elected an advisory board — consisting of financial institutions, merchants, credit card processors and point-of-sales vendors — to offer feedback to enhance the standard. Some members include Bank of America and Wal-Mart. But Gartner analyst Avivah Litan says that for the new board to have any real impact, it needs "voting power and expanded authority to resolve problems."
State governments are also paying attention to the standard. While the payment industry seems content with keeping the standard out of lawmakers' purview, this is not stopping some from creating legislation referencing PCI. For example, the Minnesota Senate in May approved the Plastic Card Security Act. The law prohibits companies from holding onto the data maintained on the card's magnetic strip. Lawmakers mentioned the TJX breach because authorities believe the plan to attack one of the company's databases began when hackers penetrated the wireless connection from the parking lot of a St. Paul, Minn. Marshalls.
Similar laws are being crafted in California and Texas. It is a trend analysts believe may shift the burden of credit card breaches from the banks to the merchants, and this is happening as compliance deadlines approach. Acquirers may be fined $5,000-$25,000 per month for violating the standard.
In most cases, through pre-signed agreements, any fines are passed down to the merchants. So far, though, most of the fined companies have been those that experienced breaches. Visa, for example, levied $4.6 million in fines in 2006, up from $3.4 million in 2005.
Back at Steak n Shake, Smith says the financial impact of a potential breach is what convinced executives to buy into the often high cost of PCI compliance. He would not divulge how much the company has spent to meet requirements.
But the deployments made to reach compliance read like a laundry list of the latest automated technology. Since the company attained Level One status, the IT department has extended centralized remote control, patch management, host intrusion prevention and anti-virus and anti-spyware solutions to the stores. In addition, IT pushed out a managed Active Directory service to stores for use by employees logging into point-of-sale systems.
Ready for the deadlines
Meanwhile, Steak n Shake established partner policies and, soon, the corporate network will be further protected through a network access control solution. "We're continually checking to see if things are OK," Smith says. In addition, all stores conduct nightly "batches" in which any credit information is purged from the network and delivered to the company's acquirer, Cincinnati-based Fifth Third Bank.
Smith says the transition to PCI compliance was a bit overwhelming at the start, but has since been relatively seamless. The tallest hurdle was the initial audit. "It was tough to go to every store and get a sampling," he says.
But Smith is ready for September's deadlines. "The security and controls we've put in place enable us to mitigate potential risks as they evolve," he says.
Other firms are not as lucky. Critics of PCI contend that while the standard is said to be prescriptive, it's flawed. Diana Kelley, an analyst for the Burton Group, says in a white paper that a number of customer challenges exist, including cost, legacy constraints and worries over subjectivity of the standard.
Regarding the latter, the PCI Security Standards Council has prepared a questionnaire to determine where the standard needs reform, asking merchants to describe emerging threats, where the standards are unclear and what implementation challenges they face, Pitt says.
According to an April RSA study, encryption presents the largest technology challenge. Legacy systems, though, are the real headache, experts say, especially for more established companies.
"In 1975, businesses did not anticipate online retail," says Steve Preston, director of solutions marketing for RSA. "Applications weren't architected with new business or threat models in mind."
And, PCI compliance does not guarantee security, experts say. For example, Jeremiah Grossman, founder and CTO of Santa Clara, Calif.-based web application firm WhiteHat Security, says that under PCI, scanning vendors check for only two types of vulnerabilities: cross-site scripting and SQL injection. But he says there are some 25 flaws a website may contain. "Merchants might be under the impression that they're safe because the ASV [approved scanning vendor] told them so," Grossman says.
The PCI council's technical working group counters that scanning vendors are best at detecting XSS and SQL injection attacks, and notes that merchants are additionally protected through other requirements, such as secure coding of applications, penetration testing and application firewalls.
As a recent Ponemon Institute and Vontu study points out, concern and anxiety are inevitable by-products of any data-loss incident. That is why an increasing number of merchants are viewing PCI compliance as a competitive advantage that can help grow consumer confidence in an increasingly worry-filled world.
"At the end of the day, the PCI standards are really a set of best practices for protecting information," Howell of RSA says. "You could replace the word 'credit card' with any other data you hold valuable."
PAYMENT CARD INDUSTRY: A roundtable
SC Magazine recently conducted a telephone roundtable discussion with a number of end-users, including retailers and service providers, who deal with the Payment Card Industry Data Security Standard (PCI DSS) on a daily basis. Executives from Visa, broadband service provider MegaPath and network security firm Sourcefire also were on the call.
Here is what they had to say on a wide range of topics related to PCI:
Michael Morgan, The Bankers Bank, Madison, Wis., on implementing the standards: "PCI compliance is a little bit more technical than some of the [other] audits. You involve more end server administrators and corporate security staff."
Mark Urbis, senior director of technical delivery services at Carlson Restaurants Worldwide, Carrollton, Texas, on how PCI does not guarantee security: "You're still at risk. There's still that chance you've had an employee who has gone bad and who's going to look at that [credit] card and jot something down."
Steve Johnson, vice president of information systems at restaurant operator Champps Entertainment, Littleton, Colo., on applying PCI to other mandates: "Us being a public company, we really wrapped a lot of PCI testing into the SOX (Sarbanes-Oxley) evaluation."
Johnson, on merchant relationships with acquiring banks: "It would be nice to have a commitment from them, saying 'Here's where you are, you're on the right track.'"
Jeremiah Cruit-Salzberg, security architect of Minneapolis-based consulting firm Fair Isaac, on the benefits of compliance: "[PCI is] a good roadmap to get to security. It's a good one to follow if you're forced to follow one."
Eduardo Perez, vice president of payment system risk at Visa USA, on the payment industry's main concern: "For us, the biggest vulnerability is merchants who continue to store track data."
Don Vietti, CIO of Carlson Restaurants Worldwide, on whether PCI-compliant businesses should be free from any penalties in the event of a breach: "There may be faster adoption. Today I think all of the penalties are more of the stick than the carrot."
— Dan Kaplan