PCI Compliance: Benefiting the Industry in Multiple Ways

Convenience store operators must stop treating the need for compliance as a nuisance. It is a complex part of the business that must be faced head on.

By Pat Pape, Contributing Editor.

Just one month ago, Chase, the second-largest U.S. bank, plus a host of other well-known businesses, notified customers that their e-mail addresses had been compromised after a hacker penetrated the database of Epsilon, a vendor of e-mail marketing services.

Despite the security breach, Chase assured customers that no financial data had been lost and warned them to watch for phishing—or scam emails—from hackers trying to steal private information, such as passwords or account data.

The Chase incident is sure to make smaller businesses with far fewer resources feel vulnerable, but according to Bob Russo, general manager, Payment Card Industry (PCI) Security Standards Council, most retailers have been making significant strides toward preventing such violations.

“Anecdotal evidence suggests that we are seeing a huge swing in momentum in the adoption of the PCI standards by all organizations,” Russo said. “We see in reports from third parties that retail adoption is increasing and that payment card fraud levels are dropping to near record lows. Really, many of the bad guys are simply looking for the biggest or most easily penetrated networks. By having your resources and defenses in place, you can provide enough protection to dissuade all but the most determined of the bad guys.”

Aware and Prepared
When it comes to data security, all retailers need to be prepared for the worst scenario, but that can’t happen if they aren’t aware of PCI requirements and the severe consequences that can result from a data breach. Recently, the National Retail Federation and First Data Corp., a provider of electronic commerce and payment processing, released results from a survey of small- to mid-sized retailers, most with annual sales below $100,000.

An overwhelming majority (86%) said they want to ensure that their customers’ data is secure because credit and debit card security is vital to their business. However, almost two-thirds (64%) of respondents believed that their systems were not vulnerable to hackers, and 60% were not aware that credit card companies can require them to pay a fine for each card that must be canceled if their business is the source of a breach.

According to research conducted by the Ponemon Institute, a privacy and information management research firm, the most expensive data breach situation in 2009 cost the company involved nearly $31 million to resolve, while the least expensive data breach reported in the same study cost the breached company $750,000.

With so much at stake, most leaders in the convenience industry are convinced that PCI standards have been good for business, despite the demands and the deadlines they have generated. One of those is Todd Harrison, director of application support for the Spinx convenience store chain, which operates more than 65 stores in the Carolinas, who feels that PCI standards benefit retailers as well as their customers.

“Over the past couple of years, it has made our industry more cognizant of the potential threats and hazards of network security overall,” Harrison said. “Our company has made several changes, and we continue to make changes to our network structure, hardware, overall system security, and tracking access to protect ourselves and our customers. We have installed software related to system logging and alerting, as well as tightened physical security.”

PCI has resulted in added work and expenses for retailers, but many believe the investment is paying off.
“Everyone in our industry grumbles about PCI because it requires resources and software,” said Jenny Bullard, chief information officer at Flash Foods Inc., the Waycross, Ga., retailer with more than 170 locations. “I think our industry is in better shape than it was three or four years ago. We just need to embrace PCI. The end result is that it has made us more secure overall.”

Better All-Around Systems
For many operators, the emphasis on upgrading technology to support PCI has resulted in systemwide enhancements that go beyond strengthening data security. For Garb-Ko, the Saginaw, Mich., retailer that operates 85 7-Eleven stores, a new monitoring solution improves data protection, while providing round-the-clock monitoring of all network components, from gas pumps to POS registers to credit card interfaces.

Focusing on PCI compliance is not a one-time project, such as replacing pre-2004 PIN entry devices (PEDs) with more secure models, according to Russo. IT security should be a year-round activity for any organization that handles customers’ financial information.

Created by Paessler, a German software provider, PRTG Network Monitor has helped Garb-Ko to reduce troubleshooting time by more than 50% and prevent lost revenues. According to Jason Lee, systems and security administrator for the company, a single store could lose several hundred dollars in sales if the network were down for even half an hour. Multiply that by 85 outlets and the value of the software investment is clear.

“PRTG has a feature called Unusual Detection that knows if a monitored node has unusual changes in patterns,” Lee said. “PRTG Network Monitor will notify me if a network device has unusually high or unusually low network traffic, which can indicate the possibility that a DOS (Denial of Service) attack is occurring, or that something else has happened, and I need to investigate.”
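The kind of alerting Lee describes, flagging a node whose traffic is unusually high or unusually low against its own recent history, can be illustrated with a small rolling-baseline detector. The Python below is an added example written for this article; it is not code from the article, from Garb-Ko, or from Paessler's PRTG, and the per-minute byte counts it runs over are constructed sample data. It assumes the monitored metric is a simple numeric series sampled at a fixed interval.

```python
from collections import deque
from statistics import mean, pstdev

# Constructed per-minute byte counts for one store's network link (hypothetical
# data, not taken from Garb-Ko or from PRTG). Minute 12 is a burst of traffic
# and minute 16 is a near-silent interval; a detector should flag both, since
# a sudden drop can mean an outage or a tampered device, not just a quiet period.
SAMPLE_TRAFFIC = [
    1020, 980, 1050, 1010, 990, 1030, 1000, 1040, 970, 1025,   # steady baseline
    1015, 995, 9800, 1005, 1035, 985, 40, 1010, 1000, 1020,    # 12 high, 16 low
]


def detect_unusual(samples, window=8, k=3.0, min_deviation=200):
    """Flag samples that deviate from a rolling baseline of recent normal samples.

    Returns a list of (index, value, direction) tuples, where direction is
    "high" or "low". The first `window` samples seed the baseline. A flagged
    sample is deliberately not added to the baseline, so one burst does not
    inflate the standard deviation and hide the next anomaly.
    """
    if len(samples) <= window:
        return []
    recent = deque(samples[:window], maxlen=window)
    flagged = []
    for i in range(window, len(samples)):
        x = samples[i]
        mu = mean(recent)
        sigma = pstdev(recent)
        # Floor the tolerance so a very steady baseline does not alert on noise.
        tolerance = max(k * sigma, min_deviation)
        if x > mu + tolerance:
            flagged.append((i, x, "high"))
        elif x < mu - tolerance:
            flagged.append((i, x, "low"))
        else:
            recent.append(x)
    return flagged


def describe(alerts):
    """Render alerts as the one-line notices an operator would be paged with."""
    return [f"minute {i}: traffic unusually {direction} ({value} bytes)"
            for i, value, direction in alerts]


if __name__ == "__main__":
    for line in describe(detect_unusual(SAMPLE_TRAFFIC)):
        print(line)
```

The `window`, `k` and `min_deviation` values are tuning knobs that an operator would set per link; a gas-pump controller and a POS register will have very different normal volumes, and the point of a per-node baseline is that each device is compared against itself rather than against a chain-wide threshold.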

Finding the most efficient and cost-effective technologies can be a daunting task, no matter the size of the operation, and Russo is quick to recommend comparison shopping. “Find the (vendors) that suit your needs and choose the most affordable solutions that have been PCI approved and are listed on our Website,” he said. “Work with your acquiring bank to help find the right choice for your business. Always ask your vendors if the solution they are suggesting is PCI compliant.”

C-store operators with questions can visit the PCI Website at pcisecuritystandards.org. There also is a microsite for small merchants, with resources tailored to meet their specific needs. In addition, the PCI Website describes awareness training opportunities that will provide store operators with a basic overview of the standards and what steps they are required to take.

Countdown to 2012
Store operators who have yet to begin implementing the latest version of the PCI standards can procrastinate no longer, Russo warned.

“After January 1, 2012, all assessments must be completed against the new standard,” Russo said. “There are several important changes in the newest version of the standard which you have to understand and make plans to implement. These include an increased focus on scoping, logging and prioritizing your risks.”

Failure to comply with the standards could result in significant fines for store owners and the possible cancellation of credit and debit card processing privileges.

“The standards don’t just materialize out of thin air. They are the product of the real-world experiences of all of our community. We rely on retailer feedback and implementations to ensure that they are as effective as they can possibly be,” Russo added.

“The message is this: If you haven’t started yet, you still have time,” Russo said. “But you have got to move before January 2012.”