When it comes to data security, all retailers need to be prepared for the worst scenario, but that can’t happen if they aren’t aware of PCI requirements and the severe consequences that can result from a data breach.
By John Lofstock, Editor
When security breaches make the news, the typical victims are retailing giants, such as Marshalls, or major organizations, like Nasdaq. Seeing hackers go after big targets can be consoling to small retailers with limited IT resources, but that’s a false sense of security, according to Gray Taylor, executive director of the NACS-affiliated Petroleum and Convenience Alliance for Technical Standards (PCATS).
Today’s hacker is no longer the stereotypical teenager with a high I.Q. and time on his hands. More likely, the hacker is a member of a Central European crime gang living in the U.S. “These guys are coming in with H1 or H2 student visas,” Taylor said. “Rather than working at the student union, they’re being used as mules. They’re opening bank accounts, installing skimmers feeding card data back to these gangs and using stolen cards to buy high-end merchandise.”
When hackers run up against businesses with sophisticated information technology (IT) and up-to-date security, they’ll turn to easier systems, including those of small non-profit agencies and family businesses.
Those organizations can be an easy target for data thieves, said Taylor. “We’ve got 92,000 individual site operators (in the convenience store industry),” he said. “We’ve got a lot of single store operators who know how to turn on a PC, and that’s it.”
Battling the problem continues, and the solutions—current and potential—are controversial.
Compliant, Yet Breached
Efforts to mandate computer security for all businesses go back to the formation of the Payment Card Industry (PCI) Security Standards Council in 2006. PCI was created by five global payment brands to establish standards for businesses that accept cards as a form of payment.
Meeting and maintaining PCI standards has required retailers to invest in costly technology and confirm compliance by underwriting expensive audits. Businesses that fail to comply and suffer a security breach may be heavily fined by PCI.
Despite the mandates, PCI compliance can’t guarantee that security breaches won’t occur, noted Trinette Huber, manager of information privacy and security for PCI compliance for the 2,700-store Sinclair Oil Corp. based in Salt Lake City. “PCI has been an expensive Band-Aid,” she said. “Everyone was focusing on checking off the boxes, and that takes a lot of money and you don’t get any payout on it. If you have a breach, you own the problem. We are more interested in getting rid of the problem.”
Huber is concerned that a retailer can be fully PCI compliant, be breached and held responsible like a non-compliant business. “As a merchant, I can go through all the steps to do this and do it in good faith, and yet if I have a breach—which is entirely possible—the PCI council will say I wasn’t literally compliant,” she said.
“(PCI) is asking thousands of merchants to do something (the credit card companies) should be doing themselves. They should be fixing the magnetic stripe (in credit/debit cards) so it’s not something that can be easily stolen, instead of asking merchants to fix (the security issues) for them,” Huber added.
The Next Big Thing
How-to instructions for collecting magnetic-stripe data can be found on the Internet, making it simple chore for even amateur hackers. Currently, efforts to move away from magnetic-stripe technology are in the works. Late last year, Visa announced that Europay MasterCard Visa (EMV) will become the standard payment technology in the U.S. market. Also known as Chip and PIN technology, EMV cards reply on an internal chip as opposed to a magnetic stripe. Consumers are required to use a personal identification number (PIN) at the time of transaction.
EMV will improve security, but a typical convenience store will spend about $20,000 updating inside and outside credit card terminals to EMV standards, Huber said. In addition, the 20-year-old technology already has known deficiencies, such as no security for online use.
“When EMV was first available in Europe, which is where it first came out, fraud went way, way down in a face-to-face environment,” said Bob Russo, general manager, PCI Security Standards Council. “Immediately people said ‘this is what we need, and we don’t need anything else.’ But over the years, they found EMV by itself was not enough. In a face-to-face environment, it works. In a card-not-present environment or over the Internet, it really doesn’t work.”
According to Visa, EMV will be widely available in the U.S by 2017, but some think that forecast is overly ambitious. “I worked on the UK and Canadian implementations (of EMV), and both of those took close to 15 years,” said Taylor. “But you have to also consider that the U.S. has more points of sale than Canada has Canadians.”
A newer technology, point-to-point encryption (P2PE) ensures that credit and debit card data is protected from the initial card swipe and all the way to the payment processor.
“End-to-end encryption completely eliminates the need for the retailer to secure customers’ magnetic-stripe data because the retailer never has possession of it,” said Jeremie Myhren, senior director of information technology at Rockford, Ill.-based Road Ranger LLC, with more than 80 Midwest stores. “Of course the retailer will want to follow many of the requirements laid out by the PCI Standards Counsel. Many of them are things we should be doing anyway. However, we will no longer need to worry about some of the very specific requirements that are in place to protect our customers’ magnetic-stripe information, such as network segmentation, and the like.”
P2PE gives merchants more flexibility in designing and implementing a technology infrastructure and can help reduce costs currently incurred in order to be compliant. “At the end of the day, it mitigates the need for a retailer to undergo a costly and time-consuming audit for PCI purposes,” Myhren added.
Versions of the technology are available today, with Walmart and Kroger as early adopters. “To me P2PE is the piece de résistance,” said Taylor. “You can get a proprietary product today for in-store POS. I think within a year we’ll have a good standard for dispensers and within two years we’ll actually have products you can use.”
PCATS and PCI are preparing standards for P2PE. While P2PE will be a major advancement in security, Russo believes compliance with PCI standards will still be necessary.
Cisero’s And PCI: See You In Court
The owners of a Utah restaurant called Cisero’s are suing the U.S. Bank and Elavon, the bank’s parent company, over PCI compliance fines. In 2008, Visa notified U.S. Bank that Cisero’s security network might have been compromised after some cards used at the restaurant were also used for fraudulent transactions. Visa and MasterCard fined U.S. Bank, alleging that Cisero’s had failed to secure its network. U.S. Bank seized about $10,000 from the restaurant’s account to pay a portion of the fines and then sued the owners to obtain the balance—about $80,000.
In a counter suit, the owners claim the bank and the payment card industry—through PCI—force merchants to sign one-sided contracts based on information that changes without notice and that merchants are fined with no chance to dispute the claims before funds are seized. They charge that the PCI system is less about securing card data than it is about collecting fines and boosting profits for credit card companies.
“This is going to be a benchmark decision,” said Gray Taylor, executive director of the Petroleum and Convenience Alliance for Technical Standards. “All of the things necessary for a good lawsuit (to challenge PCI) are in place for the first time.”