From PCI compliance to loyalty programs, ensuring customers that their private information is secure and being used appropriately is essential in gaining their trust.
By Howard Riell, Associate Editor.
Consumers trust retailers with vital personal information every day. For their sake—and yours—protect it. It’s not as hard as some may fear.
There are some basic things convenience store retailers need to do when evaluating their security standards, explained Russ Lauria, president and CEO of ITC Security Consultants, which specializes in retail data security. “One of the most important steps retailers can take is to conduct periodic risk assessments and analyze how the data they are collecting is passed on to other financial institutions or stored for future use,” he said.
Also critical is the need to restrict who has access to the information. “If you give everybody access to the information, you have too many fingers in the pie,” Lauria said.
The overall strategy doesn’t need to be ingenious, but merely workable. “As long as companies devise some robust security plans for the collecting of their data, then everything should be fine,” Lauria said. “Unfortunately, not everybody buys into that concept.”
Furthermore, whether you have two stores or 200 stores, retailers with a basic IT background can protect their information through encrypted software programs and anti-virus programs. “It doesn’t have to be a real complicated thing,” Lauria said. “Most of the time when there are issues it’s because chains haven’t put in any security whatsoever—no firewalls, for example—and then they’re left vulnerable to hackers. That’s the 2012 way of stealing things. It used to be walking in and swiping a candy bar off the shelf. Now it’s through your information technology systems.”
PCI compliance applies to any and all information that retailers gather. Failure to get this right could lead to fines from Visa and MasterCard and, more importantly, could leave you susceptible to an attack.
“With anything you do on a computer, whether it’s with credit cards or other personal information, you have to do your due diligence and do your best to protect that information,” Lauria said. “Whether it’s your own information or clients’ information, you have to do it. The government has seen a rise in online attacks and cases of frauds. That’s the reason it got on board and started instituting different guidelines for companies.”
The retailer’s investment can be as minor as going down to a local store and picking up some good antivirus software, putting it on the computer and keeping it updated. “That’s one of the simplest things they can do,” Lauria said. “Whether it’s your convenience store network or your home computer that is tied into your store back office, have good, up-to-date software installed.”
Plus, restrict the number of people who have access to the network and make sure you have proper passwords in place. “It’s not a real big, complicated procedure, but it can have catastrophic results if you don’t do it properly,” Lauria said.
Self-Inflicted Data Damage
“While the news is full of stories of cyber crimes, data damage for c-stores is most likely to be self-inflicted, with a root cause of employee oversight or, in rare cases, maliciousness,” said Brett Stewart, chief security officer for Acumera Inc. in Austin, Texas. “It’s so easy to forget to change a default password, lose a laptop, forget to make a backup, or to take simple steps to protect from malware, all of which can result in critical data loss or egress.”
Stewart said the best advice he can offer c-store operators is this: “Have, follow and continuously improve a written company data-security policy. This is a requirement under the PCI-DSS for anyone having a cardholder data environment in their stores, but it’s a good idea in any case. If you don’t currently have one, you can likely find one easily.”
A PCI-qualified security assessor is also a good source for a policy that can help you comply with the PCI-DSS.
“A lot of people just simply don’t understand the threats that they face,” said Joe Kurlanski, vice president of Sage Data Security LLC, an information security firm based in Portland, Maine. “They need to get informed. I would say that the tools are more commonly available for people to hack into these systems and, as a result, attacks against point-of-sale systems are happening more often.”
But it’s not just credit card data that needs to be protected. When it comes to loyalty programs, Kurlanski noted, retailers should also be concerned about their back-office systems, making sure that those databases are properly secured.
“That may be tied back to a larger information security program that a convenience store chain would have managing their back-office systems,” he said.
The smaller operators still need to have someone look at their security system and network infrastructure to make sure that they have the proper safeguards in place. A lot of it is also employee training. Easily overlooked, but just as potentially dangerous is having store staffers using the same computer they use for point-of-sale to browse the Internet.
“You get a clerk who is bored during the overnight shift and he starts browsing the Internet,” said Kurlanski. “Suddenly you’ve got a piece of malware on that computer and then the game is over.”
What are the proper safeguards? According to Kurlanski, retailers need to make sure they have a good vulnerability management program. They also need to be testing their systems to ensure they are PCI compliant.
“PCI compliance is going to get them to a point, but they also have to recognize that being PCI compliant isn’t just a moment in time. It is a continual effort. They have to have regular testing. They have to have a regular plan for assuring the compliance of the equipment they’re using,” Kurlanski said. “Having antivirus software installed is important, but don’t overlook employee training. It’s crucial.”
The size of the investment will depend on the size of the existing infrastructure. “Most, if not all, of the hardware an operator needs to invest in will be part of what is already needed as part of PCI compliance,” Kurlanski said. “They need to have a firewall. They have to make sure the firewall is configured properly, and they need to have that tested. Those are all things they have to do as part of their PCI compliance.”
Kurlanski also said convenience store operators must work with their vendors to disable remote access to their POS systems until it is required, and that vendors must change the default usernames and passwords.
“The bad guys are constantly scanning the Internet for remote access to computer systems that are left open by the vendors of the POS systems. This access is usually available for support purposes, so when the store has problems with its POS the vendors can connect, take over the system and troubleshoot the problem,” Kurlanski said.
The problem is the bad guys can take advantage of that access too, and the lists of default credentials that allow access are published on the Internet for multiple systems.
“They have all the time in the world to try hack a system using a technician’s credentials,” Kurlanski said, “so turn it off until you need it.”