Desired state: Retailers get compliant with PCI
Regis Retail Outlet
Whether online or brick-and-mortar, retailers are challenged with securing the integrity of their payment systems to meet regulatory mandates, reports Greg Masters.
Technology is not the first term that comes to mind when thinking about a hair cut. But for hair salon operator Regis Corporation the behind-the-scenes technology of its business became a significant concern.
With revenues exceeding $2.5 billion, the Edna, Minn.-based enterprise, which operates more than 13,500 hair salons throughout the world under such trade names as Regis Salons, MasterCuts, Supercuts and Sassoon, wanted to ensure that when its customers came to the registers to pay up for their treatments, that the experience of running the credit cards was as smooth as could be.
“Protecting customer loyalty and credit card data is essential to ensure a positive customer experience,” says Bernie Rominski (left), IT security officer at Regis Corporation. The company was also concerned with avoiding extra fees from the card brands for failing to meet their requirements, says Rominski.
“When we originally built our IT structure, we didn't architect it for security,” he admits. But with compliance requirements, the need to communicate across the business, and cost-cutting incentives, the system was redesigned.
“If we're not compliant, we'll see less discounts. This was not a tough case to make to the higher-ups,” he says. “Anything to keep the business out of the papers.”
But, solutions need to be simple, he says. “Embracing PCI-DSS as a complement to our IT security best practices enables us to drive organization-wide awareness of the value of our overall IT security program and the impact that it has on the health of our business.”
But compliance to the PCI mandates is not enough. “There are different risks,” he says. “The risk of non-compliance, for one. There's also the risk from data compromise and the less quantifiable damage to the image of the brand.
“Being PCI compliant won't necessarily help us prevent a credit card compromise,” says Rominski, “but complying with PCI standards puts you in a better position.
There's a caveat, though. “It doesn't thoroughly address all your risk,” he adds. “PCI compliance is just a snapshot. Assuming that you are safe because you take preventative measures makes you weaker – you must take action to be a step ahead of those who are constantly looking to exploit holes in your network.”
Regis considered a number of log and event management solutions to help with its PCI needs. Rominski's staff already had experience with a traditional security event management application, but found it lacking as far as providing the functionality they needed for log and event management. They also considered outsourcing this function, but Rominski was concerned about the risk.
The team found a solution with LogRhythm. Rominski says what drove his team to the selection was the tool's ability to provide comprehensive out-of-the-box log collection, analysis, correlation, real-time monitoring and reporting for Regis' diverse heterogeneous environment.
“LogRhythm underpins an ongoing operational approach that allows our staff to be experts on our own systems. We understand the user and network behavior and can quickly identify anomalies and take appropriate actions," he says.
LogRhythm not only collects all of this data, it provides real-time data analysis to quickly identify meaningful events and incidents, he adds.
“The security team at Regis found an immediate benefit with the out-of the- box “canned” alarms provided by the LogRhythm solution."
Challenges for retailers
Online and physical retailers will continue to face external and internal security challenges, say industry observers. “We expect to see increased insider threats and increased data security specific threats,” says Chenxi Wang (left), principal analyst, Forrester.
PCI is a must, she says, but it doesn't mean meeting PCI guarantees a secure system. “Hannaford Bros was said to have passed their PCI auditing before the big data breach happened,” she points out.
IT security personnel must demonstrate business values to investment in data security technologies, however. This can be done through risk assessment and analysis. “One of the most valuable weapons is bringing in a vulnerability scanning technology or penetration testing technology to demonstrate how vulnerable they really are. This can get the attention of the executives,” she says.
The first challenge that retailers face is recognizing that the risk is real, and everyone handling credit card transactions is a target – no matter what size the organization is, says Michael Maloof, CTO at TriGeo. “Once you accept the responsibility of risk, you must assess the risk and evaluate who, where, when and how sensitive data is accessed on your network. Then you need to lock the network down, and then watch it like a hawk because, in spite of your best efforts, there's no substitute for vigilance.”
Maloof explains that the pattern emerging from many of these breaches is that the attacker establishes a beachhead inside the network. The initial network penetration is often the result of negligence, like weak wireless security, remote access points being used by vendors and contractors that employ weak or default passwords, or employees that are tricked into clicking on links or email attachments. Once inside the network, there are often few defenses and virtually no monitoring, so the attacker has plenty of time to sniff the network, create privileged accounts, and skim every credit card transaction being processed.
Mike Romano (right), EVP and co-founder of SmartReply, an Irvine, Calif.-based text messaging company, says larger retailers are challenged by multiple POS systems that don't have a uniform platform – so data is not fed into one database.
“New POS systems have great functionality, but retailers need better data and processing functionality,” he says. If retailers don't have customers' addresses and cell phone numbers, they are losing out on the opportunity to communicate with that customer, he adds.
The key lies with the POS system. Grocery stores, he says, have been ahead of the game with loyalty cards, but specialty and apparel retailers have not yet made the investment in POS systems. “You need a good POS system to capture data, and with the economy slugglish, this can be a problem,” Romano says.
But, in these laggard times, retailers are reluctant to spend money, Romano says. It takes an incident like TJX, and even then, there's no guarantee that compliance to PCI will ensure protection. “It at least diminishes the risk of their systems being violated,” he says.
Retailers have a giant bulls-eye on their backs, and they know it, says Tom Murphy (left), chief strategist at Bit9, Waltham, Mass., which specializes in enterprise application whitelisting. The loss of customer data from a retail breach is becoming an all-too-common headline these days, he says.
“Kiosks and other retail machines are a goldmine for malicious hackers,” he says. “Slip one piece of malware past the security (or the cashier behind the counter) and you could get a snapshot of every credit card number that runs through it.”
If these machines use signature-based protection, which is reactive, then they protect against known malware. But there are problems with that approach, he points out.
What about unknown malware? Is it OK for these machines to be vulnerable while new rootkits and virus are discovered, analyzed and patched, he asks.
And what about targeted attacks -- malware that has not been released into the wild and does not have a signature created by existing security defenses. “What if it is designed by a criminal organization to target one specific network? The common signature-based protection does not protect against these attacks, since nobody will pattern-match that malware until long after it's discovered and the damage is done.”
The industry needs to become proactive about malware protection and assert control over what applications are permitted to run in environments dealing with customer data, says Murphy. “We believe that application whitelisting addresses these concerns. You deploy it, you configure it to run the programs that you want, and then you leave it alone. No more scrambling for patches or time-consuming scanning of systems (since the need to do time sensitive transactions) for unknown applications that could be good, bad, or are just simply unauthorized.
Many retailers have already addressed the first level of securing their credit systems and networks – by implementing firewalls, host AV, IDS/IPS, and even log management and SIEM, says Phil Neray (right), VP of security strategy at Guardium.
“Now they need to go to the next step, moving beyond perimeter security to address data-level security, so they can deal with both insider threats and the next wave of more sophisticated external threats.”
For example, retailers need to continuously monitor, in real-time, all access to sensitive data in their data centers, so they can quickly identify unauthorized access from privileged insiders, Neray says.
“Real-time activity monitoring will also allow them to immediately identify anomalous access by criminals who may have compromised their web and application servers. Most retailers are not currently doing this.”
From a non-technical aspect, being able to protect information has come to the forefront, says Frank Hayes (left), VP of marketing, NitroSecurity, which counts nutritional supplement retailer GNC among its customers. But, he points out that many companies are worried about following compliance and they are expressing anxiety about the costs in corporate image and brand.
“The biggest concern from a technical level is how to implement various processes and programs without increasing budget,” he says. Big breaches, like TJX and Heartland, go a long way to opening people's eyes, he adds, but budgets don't look like they're increasing. “The challenge is finding the right types of protection.”
Forensic analysis have revealed that inadequately secured wireless networks are one of the main entry points for hackers to get to cardholder data, says Manav Khurana (right), head of industry marketing, Aruba, which works with many retail customers.
Retailers need to know where there is a wireless network, he says. It is very hard for IT to identify when and where a new wireless device (known as Rogue AP in computer networking terms) has been accidentally introduced – often for convenience – or maliciously introduced – by a hacker who gained physical access to the store and plugged in a wireless device into an available network port.
“Everyone understands that securing the cardholder environment from the wireless LAN is necessary,” says Khurana. “The challenge is the costs to do so.”
This is owing partly to the fact that most retail organizations are running on legacy systems that need a hardware replacement to get to the latest security technologies and partly due to the sheer multiplier factor to stores, implementing security can have a big price tag.
The basic challenge is that retailers are not in the business of processing card payments, says Avivah Litan (left), vice president and distinguished analyst in Gartner Research.
“They are in the business of making sales. Over the past few years however, they have had to take most of the responsibility for card security since the systems put in place over the past 30 years are inherently insecure, and the banks are relying on the retailers and processors to tighten up the holes that were designed into the system.”
Is PCI compliance enough?
PCI compliance is just the entry stakes to get into the data security game, says Neray. “As recent breaches have clearly shown, it doesn't mean you're going to win against the bad guys, because you really have to take a more strategic view and address people and processes, as well as new monitoring technologies. PCI compliance is just a snapshot in time. To win the game, you need to have continuous data-level protection, with application-aware monitoring and analytics, rather than just handing your PCI assessor a thick stack of historical access logs.”
PCI DSS is the best set of standards out there, in that they are effective at preventing most data breaches when properly adhered to, and the standards are attainable for the vast majority of retailers, says Bit9's Murphy. “But, we are still seeing far too many organizations that have not properly complied with these requirements. Some organizations think they're PCI compliant, but actually have software running on their systems that they do not even know about. These unknown applications do not need to be malicious in nature, but an instant messaging program or an old version of a music-sharing program can be the “hook” hackers need to compromise the network.”
Gartner's Litan agrees that compliance to PCI and other mandates is not enough for retailers to ensure data security. “There have been breaches against companies who were certified PCI compliant. The PCI standard and its assessment process both need strengthening.”
The Heartland, TJX and a host of other record-setting breaches, clearly demonstrates that compliant does not mean secure, says TriGeo's Maloof. “It is true that PCI and most other mandates are based on sound security principals, and that's why we encourage companies to focus on ‘security first,' knowing that compliance will follow.
Unfortunately, he adds, there has been a trend among executive teams to pursue ‘checkbox compliance,' only doing what is necessary to pass the audit. “Naturally, the short-sightedness of the “checkbox compliance” approach means that IT teams are ill-equipped, underfunded and frankly doomed to failure.”
Judging by the number of active projects and available budgets, security for PCI compliance is definitely a top of mind issue, at least in North America and to a growing degree in Europe and Asia, says Khurana. “The incentives to comply and penalties for non-compliance have triggered an interesting new approach that CIOs are taking to ensure data security. In fact, leading retailers have shown that the goal is to prevent breaches, not PCI compliance – which, depending on details of how networks are architected, can be two different goals.”
It's no secret that dissemination of malware is exploding and the cost of a data breaches is continuing to rise. Some estimates place the cost of every customer record compromised at $202 to deal with (including legal costs, investigation expenses, etc.), and in 2008, the total cost of data breaches was $1 trillion.
“But it's so hard to quantify the damage done to a customer's perception of your brand, says Murphy. “Fear of compromised financial information is a powerful force, and if the average shoppers do not think their credit cards are safe, they may go somewhere else.”
With the recent breaches in the news, it shouldn't be too hard of a sell to higher-ups, he adds.
It's a balancing act between security and expense, especially lately with profitability way down and retailers looking to reduce costs, says Ed Killeen (left), VP of professionl services, Rapid7.
“Customers need to get by with less, but they put themselves at risk,” Killeen says. “It's a constant battle. We've seen that they have a requirement to meet PCI compliance, but many don't understand what that entails. Plus, they often don't have the security personnel.”
So, he says, many potential customers approach his company looking for one-stop compliance needs. “They know what they should do and what they can afford to do.”
The advantage is that PCI requirements are comprehensive, he says. There's interpretation, but much more from a technical nature. The requirements are getting more demanding. Retailers, for example, must now include external pen testing and an annual internal pen test.
Nothing is going to protect everything, Killeen admits. “You can't get a shell around your environment that's 100 percent secure. Threats are changing all the time, what was secure yesterday, is not necessarily secure today. But, companies can reach a desired state.”
Killeen has high praise for the efforts of the PCI Council. “The PCI Council has done a lot to clean up the guidelines around the self-assessment questionnaire.”
It's difficult at this stage, says Litan. “Funds are extraordinarily tight at retail firms. Spending lots of money on PCI compliance hasn't stopped the criminals from penetrating firms who are certified PCI compliant, and hasn't stopped the banks and card companies from fining them when there is a breach. So retail executives may be highly cynical about spending money on data security at this stage. Of course they have an obligation to protect customer data, and hopefully they will take reasonable steps to do so.”
We have seen our customers use two justifications successfully to get the business to fund data security projects, says Khurana. “Quantify the costs of security. This includes the costs of non-compliance – higher interchange fees, fines, and costs of recovering from a breach – fines, quarterly audits, brand damage. Also, quantify the side-benefits of upgrading to a multipurpose infrastructure.”
Solutions to meet compliance demands
There is no shortage of technology solutions, says Litan. The trick is spending money effectively when there are so many choices.
There's no shortage of products promising PCI compliance, or ‘compliance made easy,' but the key is to focus on real-time monitoring, analysis and response, says TriGeo's Maloof . “Many compliance products are simply log aggregation and reporting tools, and while they may help you pass an audit, they don't actually secure your network. Let's remember the real aim of mandates like PCI is prevention, so a forensic tool can be useful but it's simply not designed to actively defend the network.”
The key to data theft prevention is to gain an enterprise-wide perspective of the activity on your network and combine that with the ability to correlate who is doing what, from where, and when, says Maloof.
“Armed with the ability to correlate events with network activity, you can be alerted if a new admin-level account is created at 3 a.m. You'll also know if the account that was created at 3 a.m. subsequently installs a variety of applications. The key is to find out that anomalous activity is taking place while it's happening -- while there's still time to respond, and long before the Secret Service calls to say that you've been identified as the point of origin for a credit card scam.”
If you do a thorough job securing your sensitive data, then you will be compliant, says Neray.
“The trick is proving compliance with granular reporting, tamper-proof audit trails and well-defined sign-off processes, while at the same time reducing operational costs by centralizing and automating your compliance controls,” he says.
Many organizations are still creating compliance reports with manual approaches – hiring people or writing homegrown scripts to comb through database logs looking for anomalous activity, Neray points out. “Not only is this extremely ineffective, but it also increases IT costs and complexity at a time when everyone is looking to reduce them. And to make matters even worse, every DBMS platform is different, so you have to implement different tools and processes for Oracle, SQL Server, DB2, etc. There are automated solutions out there that can make this entire process much more effective and efficient, while also reducing complexity by providing a single set of centralized policies and audit trails for all your DBMS platforms and applications.”
Patrick McGregor (left), CEO and founder of Pittsburgh-based BitArmor, says that from the perspective of CxOs, tracking down data on networks is a gargantuan task.
“We offer an integrated data protection software solution that allows retailers to add Smart Tags that encrypt data wherever it goes across the entire chain.” He claims this approach is fundamentally different from those of his competitors. “We provide a data-centric alternative with a single piece of software.”
“A network is only as strong as its weakest link, and we have found that hackers often target the wireless network, which is a back door to the entire network,” says Asa Holmstrom, president of Columbitech. “Data breaches damage retailers' reputations and can incur excessive costs at the expense of the company. They should be prioritized to be avoided in advance. Retailers must consider that they won't be fully protected unless both wired and wireless environments are secure, including all mobile devices and POS access points.”
Many vendors pitch their single solution offerings and tell people this solves compliance, says Eric Knapp (right), director of product marketing, NitroSecurity. “But, in fact, this only solves part of compliance,” he says. “Two components are necessary: to protect customers' card data, and to prove that you did it. Log management does the second part, collects logs and stores them, but the information is not there.”
Also, PCI calls out firewall, intrusion prevention devices and there's a requirement to track who accesses data. So a database monitoring solution is required, says Knapp.
Federal data breach law
Anytime you have multiple regulations that vary from state to state, you create a difficult environment, says SmartReply's Romano.
The intent is to protect consumers, but there are different rules and regulations, and with most retailers operating in multiple states, this makes it too difficult and too pricey, he says.
Try to find the common denominator where you can adhere to regulations, says Romano. “There should be some type of federal regulation that retailers can adhere to in regards to PCI compliance, rather than making them adhere to 50 different regulations.”
State laws are encouraging companies to begin to see what BitArmor's McGregor calls v2.0 of data protection law, like those passed recently in Nevada and Massachusetts, demanding that companies encrypt data, particularly data in transit.
“We would expect that other states will pass similar laws to protect data in transit, as well as mobile devices, like laptops and USB sticks.”
Given a new administration, it's possible to see at the federal level a law will be passed to make companies encrypt any type of data if it is exposed to a breach, McGregor adds.
“Companies need to start thinking of locking down data holistically, and encrypt data the moment it is created, and guarantee that it remains protected for its lifetime,” he says. In other words, lock down the data itself, rather than the devices where the data resides.
There may eventually have to be a federal law for certain types of interstate commerce, agrees NitroSecurity's Hayes. “Compliance is too difficult to meet on a state-by-state basis. PCI is intended to get you there.”
Whether we see a federal data breach law will take a while to work its way through the courts, says Regis Corps.' Rominski. The card brands are actively trying to help prevent the feds from getting involved, he contends. For its part, Regis has to maintain a library of each state's laws. A federal law might be an improvement, he says.
“Having a more consistent set of standards would probably make things easier in the event of an incident. But, things could go overboard if the feds get involved
Q&A: Help for retailers
Troy Leach, technical director, PCI Security Standards Council, answered some questions posed by SC Magazine.
How does PCI help retailers?
The PCI Data Security Standard provides a framework of comprehensive security requirements that help an organization get and stay secure. For example as a first step, the PCI Data Security Standard (DSS) helps retailers to identify where sensitive information, such as payment cardholder data, exists in their network. Prior to the standard, some retailers were unaware of all the system components that had access to sensitive data, or were retaining that information with no business value to do so.
What are the challenges retailers face with their credit systems and computer networks?
One challenge is in the approach to data security. Many retailers view compliance with PCI as the finish line rather than an ongoing regime. Security or "compliance" of security requirements is not an annual event but a daily activity. Protecting cardholder data should be an ongoing goal of any organization, not a checkbox to meet validation of compliance.
Are there solutions out there to help retailers meet compliance demands, as well as protect their databases and electronic transmission of data?
There is no silver bullet or one-stop shop product for compliance with PCI standards. No solution, by itself, can meet PCI requirements without first evaluating the cardholder data environment and how the solution should be implemented to meet the intent of the requirement.
While the Council does not endorse any specific product, we continuously review opportunities to reduce the effort of retailers while improving security. As evidence, we currently have posted a request for proposals regarding emerging technologies. Also, the Council manages a standard focused on secure payment applications, called the Payment Application Data Security Standard (PA-DSS), and maintain a list of approved applications that may help retailers conform to certain parts of the overall DSS. This helps to reduce the effort by retailers, but purchasing a PA-DSS solution is not enough. They still need to validate that the application is configured appropriately for their environment as detailed in the implementation guide documentation required of each PA-DSS application.
Is compliance to PCI and other mandates enough for retailers to ensure data security?
Retailers must strive to comply daily with the PCI DSS requirements rather than assuming an annual validation or checkup will be adequate protection and ensure ongoing security.
Can IT personnel at retail companies persuade higher-ups to fund data security needs?
I think they can. Even in this environment. Defining the return on security investments can sometimes be a daunting task for IT security professionals not familiar with presenting a business case. I've seen opportunities where the security needs overlapped with re-engineering projects or data discovery initiatives, which helped to pave the way for the organization to improve both efficiency and security in the same project. The key is to demonstrate the organizational need and benefits, such as cost saving over time.
Retail solutions: Protect the databaseA number of different technologies can help retailers meet compliance needs and secure their data.
Web application firewall: especially important for those who do online retail. A WAF can help them defend against bad input and secure unintentional data leaks.
Vulnerability management technologies: these technologies can help retailers scan their network and applications to discover potential security vulnerabilities, which can be exploited potentially for data theft.
Encryption technologies: for both data at rest and data in transit.
DLP: While full-blown DLP deployments are still rare, companies ought to be considering DLP technologies to protect against insider threats, especially in this environment.
Lastly but not the least: employ application security technologies to secure your applications from vulnerabilities during development, instead of fixing it in production.
– Chenxi Wang, principal analyst, Forrester
On the fly: Mobile compliance
Retailers are always on the look out for new and innovative ways to reach customers. The advent of the cell phone and mobile devices have opened a new avenue for them and the marketers they hire to communicate with customers.
In fact, mobile advertising spending increased to nearly $2.7 billion worldwide in 2008, according to market research firm eMarketer.
But, despite the new opportunities presented by this technological advance in reaching retail customers, one such marketer, SmartReply, faces a particular challenge: meeting compliance requirements. Commercial text messaging is regulated under federal law with the TCPA (Telephone Consumer Protection Act) and CAN SPAM (Controlling the Assault on Non-Solicited Pornography and Marketing Act).
Requiring its customer to opt in is an expression of prior authorization, says Scott Springer, VP, strategic services group, SmartReply.
A customer has the option to either accept or decline the text messaging service, he says. “It is expected that this technology will be received well based on the fact that most email submissions require a similar verification after the initial entry.”