PCI Compliance Workshop: Work Needed

August 31, 2007

VeriFone

Continuing the effort to bring the safeguarding of customer data to the forefront of retailers' discussion, RSAG hosted a half-day PCI Compliance Workshop during ERIeXhange. While the event brought a highly engaged group of retailers face to face with the experts that can provide practical, actionable data security practices, it also proved that there is much work still to be done.

During breakfast, Jeff Wakefield from VeriFone, the workshop's sponsor, gave the audience some great information regarding the need (and methods) to improve credit card PIN pad device security. Highlighting several recent breaches in which PIN pad devices were the point of origination, Jeff shared details about how frighteningly easy PIN pad fraud is to commit. Even more interestingly, he explained how simple and effective a stringent hardware monitoring process can be. "The price of non-compliance will be passed directly to the retailer," he noted. "Yet as an industry, we are still not doing what we can."

After breakfast, Roland Tufts of TD Banknorth provided a valuable overview of the scope and necessity of card data regulation. In his role as VP of Credit Risk and Financial Operations, Roland spoke directly to the need for retailers to enact stricter access controls within the organization to safeguard the central database. This sentiment echoed one of the points we at RSAG have been driving for some time, as our research has consistently revealed that ad-hoc queries to retailers' central databases are steadily rising. The number one offender? The marketing department. The need for stricter access controls is dire.

Next up, Mike Dahn of Halcyon Business Consultants delivered a riveting presentation in which he gave retailers actionable steps to avoid a data breach. Having performed hundreds of PCI assessments for retailers, Mike began by addressing the audience: "The POS may be the collection point of risky data, and it may well be what gets the most media attention. But the real culprit is infrastructure."

Dahn outlined how today's cyber criminal has honed in on card-present merchants, as the street resale value of a personal account number ($3 each) pales in comparison to that of track data ($35-$50 apiece). As a result, e-commerce retailers are not as attractive to thieves as those who operate physical stores. "It is important to notice how similar the hacks and breaches have become," he stated. He then noted that these are not CIA spy quality crimes, and that by simply knowing where data is, breaches can virtually be eliminated. He urged the audience to ask of itself: "Where don't you know that you are storing data?" It is this "unknown" data which ultimately causes the most harm.

Stephanie Cline then gave a practical "real world" view of PCI compliance and security measures. The CIO (who retired just a few weeks prior) spoke openly of the "balancing act" that is attaining compliance while driving profits. Processing 45 million credit card transactions each year, Jack in the Box operates thousands of restaurants that are currently experiencing both increased credit card use and dramatic employee turnover. There is a lot of information to protect.

"No one wants to be the person who is seen as too cautious within an organization," she said. "But if you think about how quickly all your years of progress can be lost, you will do things differently." She also noted, "Jack in the Box operates more than 2000 local area networks, and most of our stores have at least 10 PCs: strategic decisioning for when and where a security refresh occurs is critical."

Cline also shared her personal opinion regarding the Payment Card Industry's data security standard, citing that "The PCI mandate gives an individual credibility when asking to secure data."

Lastly, Benita Kahn gave a presentation focused squarely on how laws and regulations should play a vital role in a retailer's security program. A partner at Vorys, Sater, Seymour, and Pease, the law firm which has aided more retailers in compromise occurrences than any other, Kahn is herself a former retailer. Based in large part on a recent law passed in Minnesota which places financial liability for breached data, including card replacement, directly on the merchant, she explained that the days when a retailer felt little financial sting from a breach are over. "With changing laws, the price of a data breach is about to skyrocket."

"It is hugely important to develop a data storage diagram, a plan to contain and limit exposure if breached, and to know exactly which parties must be alerted first (merchant bank, US Secret Service)," she stated, while also urging retailers to enact contractual provisions for accountability with all vendors. "Remember, a vendor will not be responsible for notifying your customers – it will be on you."

SOURCE: VeriFone
