Successful Strategies for Security Initiatives

Posted on by Chief Marketer Staff

Billions are spent every year building loyalty. Advertising, brand management, marketing, customer relations and public relations all play a part in convincing customers to stay faithful.

What if all that hard-earned loyalty were to disappear one day, and simultaneously cost the retailer millions in lost revenue, fines and potential lawsuits? This is not a hypothetical situation. This is the reality of a world where the next multi-million-dollar data security breach is just a clever hacker or careless employee away. A data breach can negatively impact a retailer’s reputation, decreasing customer loyalty and ultimately, the bottom line.

Preventing a security breach requires securing sensitive data—especially credit card numbers—and keeping abreast of all changes to the Payment Card Industry Data Security Standard (PCI DSS). It is important to note that becoming compliant does not guarantee your company’s data is secure. While you may still have work to do in order to secure your data, becoming PCI compliant is a great first step.

The PCI Security Standards Council (PCI SSC) develops and implements the Data Security Standard. There have been two releases of the standard, the most recent in Sept. 2006. In the past, the Data Security Standard has always been open to interpretation. Companies and their auditors would review the requirements, interpret their meaning and do what they thought necessary.

Until the retailer filed a Report on Compliance (ROC) with the credit card brands for approval, it could not be certain it had correctly interpreted the requirements. Much of the burden of expertise prior to approval came down to the knowledge of the auditors and their experience submitting reports for other clients. It was hit or miss.

This February, the PCI Security Standards Council published supplementary materials to assist retailers and auditors with interpreting the requirements.

The supplementary materials include a document listing each requirement and its intent. The Self Assessment Questionnaire (SAQ) has also been revised and now includes five validation categories that lead merchants to four different questionnaires based on the tier and type of business.

The latest release of the Data Security Standard includes multiple updates, such as requiring that all cardholder name, service code and expiration data stored in conjunction with the credit card number must be encrypted. Also, all “keys”—the secret values needed to encrypt and decrypt the data—must be rotated at least annually.

The standards regarding compensating controls were also refined. Compensating controls are temporary fixes created to meet a specific requirement of the PCI DSS. These are used when it is too difficult to meet the requirement in the manner recommended. Compensating controls are not intended to be permanent solutions. The standard specifies that “only companies that have undertaken a risk analysis and have legitimate technological or documented business constraints can consider the use of compensating controls to achieve compliance.”

The most recent change to the PCI standard includes the addition of the Payment Application Data Security Standard (PA-DSS). This program was formerly managed by VISA Inc. and called Payment Application Best Practices (PABP). In April, the Council took over the management of the PABP and renamed it. The PA-DSS focuses on point-of-sale (POS) devices and ensures that these applications comply with the requirements defined by the standard. One of the resulting requirements is that the data from the magnetic stripe on the back of the credit card can no longer be stored anywhere, even if it is encrypted.

In addition to staying up to date on all changes to the standard, and adjusting their security measures accordingly, retailers also need to be aware of other data security best practices, since compliance and security are not the same thing. One area of data vulnerability is the movement of sensitive data. PCI DSS covers securing data when it is stored, but it is important to secure data at all times, including when it is being transmitted, such as from a point-of-sale device to a server for storage.

A recent data breach at the Hannaford Brothers grocery chain illustrates that security diligence goes beyond becoming PCI compliant. Hannaford Brothers was PCI compliant, yet a breach still occurred. It appears that the data was intercepted when it was being sent from a secure POS terminal during checkout.

Data security doesn’t end with compliance, and it is crucial to a retailer’s reputation and bottom line to secure sensitive data both at rest and in transit.

Gary Palgon ([email protected]) is vice president of product management for Atlanta-based nuBridges.
