CSP Magazine

Technology: Target on Your Back

High-profile data breaches put retailers in public crosshairs

Years from now, when the topic of data security comes up, retailers may talk of the time before Target, and the time after, as the ripple effect of 110 million compromised consumer credit-card numbers flows outward.

Clearly, the breach at the Minneapolis-based mass merchant, and subsequently those of high-profile retailers Neiman Marcus, Nordstrom and Michael’s—and even the revelation from several state attorneys’ offices that convenience stores have fallen victim—ignited a media firestorm, renewed public debate over identity theft and eventually led to Congressional hearings that brought retailers, association leaders and financial executives to the Hill to testify.

“It’s definitely an eye-opener,” says Maximo Ricardo Alvarez, vice president of Sunshine Gasoline Distributors, Miami. “It shows that any retailer, no matter how big or small, can experience that nightmare and be [compromised] in the blink of an eye.”

For Alvarez’s chain of more than 200 c-stores in South Florida, finding solid third-party suppliers to help manage the payment process is critical. “[It’s about] good partnerships with security and technology companies and being confident in their products,” he says. “They’re IT professionals … who know a lot more than I do.”

While retailers have had to comply with mandated credit-card standards that went live for many as of 2010, recent headline-grabbing breaches have rained down near-term repercussions, including:

 ▶ Fueling debate and support for security measures, some of which require significant investments for retailers. This is on top of millions of dollars already invested in mandated upgrades just a few years ago.

 ▶ Increasing public awareness and scrutiny of the decisions retailers make regarding data security.

 ▶ Sparking Congressional hearings, which may lead to legislative regulation.

For c-store and petroleum retailers, the real concern is awareness—or lack thereof, according to Nizam Uddin, director of security and compliance for MegaPath Corp., Pleasanton, Calif. One of Alvarez’s vendor partners, MegaPath, secures and manages his data transmission network.

“Retailers handle their cash securely,” Uddin says. “They have cash drawers and know who’s [authorized] to handle the safe. It’s all monitored, all accounted for, so they’re not short $10 or $15 every day. But they don’t do that with credit-card machines or the environment around it.”

Having the tools in place and the training to create a secure data environment on a daily basis is the skill set more retailers need, Uddin says.

“You have to be vigilant,” Alvarez says. “[Incidents such as Target’s] make everyone more conscious, more aware of that kind of threat and take it seriously.”

Breach History

What exactly happened at Target has been the focus of much media scrutiny. On the chain’s website, it tells customers that in mid-December 2013, the company “learned criminals forced their way into our system, gaining access to guest credit and debit card information.”

Delving further into the subject, Brian Krebs, a former Washington Post reporter and security blogger based in Merrifield, Va., has cited sources that point to a third-party heating, ventilation and air conditioning (HVAC) company that had access to Target’s systems. Krebs, named by several news sources as the one who initially broke the Target story, said that access allowed criminals to insert malware that eventually spread to point-of-sale (POS) registers at multiple stores in Target’s chain.

Whether or not Krebs’ report is accurate, the inference that data thieves are resourceful and opportunistic is clear.

And Target may just be today’s poster child for data breaches, according to Gray Taylor, executive director of the Petroleum Convenience Alliance for Technological Standards (PCATS), Alexandria, Va. “There may be five or six Targets” before upcoming credit-card mandates designed to update payment processes force change, he says.

Breaches the size of Target’s are not without precedent. In 2007, TJX Inc., parent of T.J. Maxx, Marshalls and Bob’s Stores, said hackers stole 45.6 million credit-card numbers. The next year, hackers broke into computers Heartland Payment Systems used to process 100 million payment-card transactions per month for 175,000 merchants.

Last year, 7-Eleven Inc. was among more than a dozen companies hacked in what the U.S. Department of Justice called the largest such scheme ever prosecuted in the United States. A federal indictment made public last July in New Jersey charged five men with conspiring in a worldwide hacking and data-breach scheme that targeted corporate networks including that of the Dallas-based convenience chain, and stole more than 160 million credit-card numbers.

In another case, a Manhattan district attorney’s announcement cited indictments in data-breach cases at c-stores in the South and Southeast. At least two other publicly reported incidents involving c-stores have arisen in the past year.

Lawmakers Step In

Recent months have seen a line of representatives from retail channels to associations to financial institutions parade before U.S. House and Senate committees to discuss the matter.

In March, the PCI Security Standards Council, a forum created by the major credit-card companies to set and promote their security standards, testified before the House Financial Services subcommittee on “Financial Institutions and Consumer Credit” about its PCI (payment card industry) standards.

Troy Leach, the Wakefield, Mass.-based organization’s chief technology officer, covered data-security best practices that “include a multilayered approach involving people, processes and technology”; Europay MasterCard Visa (EMV) chip technology; and how data security can’t be solved by a “single technology, standard, mandate or regulation.”

Still, EMV is the next set of mandated upgrades coming down the pike for retailers, which for them means equipment able to accept plastic cards fitted with chip-and-PIN (personal identification number) technology. Adopted widely in Europe and Canada, EMV adds another level of data security to the transaction. For POS devices, the PCI deadline for upgrades is October 2015, and for dispensers it’s October 2017.

But observers such as Taylor of PCATS fear that if existing mandates for EMV and many of the other suggested security measures all become requirements, costs to the retail community will be prohibitive and “put the small merchant out of business.”

The real answer, he says, is in continued discussion involving all stakeholders. “We’re working hard not to get the short end of the stick,” he says. And while Visa Inc. a few months ago seemed ready to relax pending EMV deadlines, the Target revelation seems to have put pressure on them to keep the EMV momentum going. “Now it’s EMV now and EMV forever,” Taylor says.

A retailer in the Northeast, who spoke to CSP magazine on condition of anonymity, concurred, saying that technologies such as EMV will take years to implement at a tremendous cost, all the while giving hackers time to adapt. “It’s like trying to put a ladder to reach the top of a tree,” he says. “Every time you want to reach the top, the tree grows and you need a new ladder.”

Ultimately, Taylor does see a “multilayered” solution as the answer, with the specifics being what all stakeholders can agree upon, whether those steps require technology, processes or training.

PIN-Based Solutions?

One of the solutions called for by those speaking on the Hill is eliminating signature-based credit cards altogether.

A representative from the National Retail Federation in March told the Senate Committee on Commerce, Science and Transportation that “it’s time for an overhaul of the nation’s fraud-prone credit- and debit-card system,” saying banks’ insistence on cards that use a signature instead of a PIN puts merchants and customers at risk.

Mallory Duncan, senior vice president and general counsel for NRF, in a release pointed out that the cardholder’s name and account number are clearly printed on each card, along with the expiration date and security code.

The idea sits well with Taylor of PCATS. However, he says, “It’s in the best interest of the credit-card companies not to do so. If you put a PIN on every card, Visa would lose 62% of its transaction volume. If I were Visa, I wouldn’t want to see that happen.”

When contacted by CSP, a Visa spokesperson would not comment on card volume based on authentication methods but addressed the issue of PIN-based solutions. Ellen Richey, chief enterprise risk officer and chief legal officer, says Visa’s focus is moving to a chip-based system. “The chip creates a dynamic cryptogram—a one-time message with every transaction—so that if a thief gets into the retail store or systems and steals the data, they can’t make a usable counterfeit card,” she says.

She cites heightened pressure on all stakeholders post-Target, with many calling for what Visa and other credit cards have pushed for: EMV. “We realize there’s a cost,” she says. “But the EMV chip has been out there for more than 20 years, and it has not been broken.”
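Richey’s point about the dynamic cryptogram, as an added illustration that is not from the article or from Visa: a toy issuer check in Python in which the card MACs each transaction with a key the merchant never holds, so transaction data captured at a compromised POS can be neither replayed nor re-signed. The key, PAN and transaction values are constructed, and HMAC-SHA256 stands in for the EMV session-key MAC.

```python
import hmac
import hashlib

# Constructed sample values: a per-card key that, in EMV, lives only in the chip
# and at the issuer, and a test PAN that is not a real account number.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
PAN = "4111111111111111"


def card_cryptogram(key, pan, atc, amount_cents, unpredictable_number):
    """Card side: MAC over the transaction data and the application transaction
    counter (ATC). Simplified stand-in for an EMV ARQC (real cards use
    ATC-derived session keys and a block-cipher MAC, not HMAC-SHA256)."""
    msg = f"{pan}|{atc:05d}|{amount_cents:012d}|{unpredictable_number:08x}"
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()[:8]


class Issuer:
    """Issuer side: holds each card's key and the highest ATC accepted so far."""

    def __init__(self, keys):
        self.keys = dict(keys)
        self.last_atc = {}

    def authorize(self, pan, atc, amount_cents, un, cryptogram):
        key = self.keys.get(pan)
        if key is None:
            return "decline: unknown card"
        if atc <= self.last_atc.get(pan, -1):
            return "decline: replayed counter"
        expected = card_cryptogram(key, pan, atc, amount_cents, un)
        if not hmac.compare_digest(expected, cryptogram):
            return "decline: bad cryptogram"
        self.last_atc[pan] = atc
        return "approve"


def demo():
    """Legitimate purchase, then two attempts using only data a compromised
    POS could have captured (PAN, ATC, amount, nonce and the cryptogram)."""
    issuer = Issuer({PAN: CARD_KEY})
    un = 0x1A2B3C4D  # terminal-supplied unpredictable number (nonce)
    crypt = card_cryptogram(CARD_KEY, PAN, 17, 2500, un)
    first = issuer.authorize(PAN, 17, 2500, un, crypt)
    replay = issuer.authorize(PAN, 17, 2500, un, crypt)  # same message again
    forged = issuer.authorize(PAN, 18, 2500, 0x55667788, crypt)  # no key to re-MAC
    return first, replay, forged
```

A magnetic-stripe clone carries none of this: the static track data alone is enough to authorize, which is the gap the chip closes.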

In for a Penny

PCI mandates have included a set of 12 requirements and 221 sub-requirements covering items such as data encryption, patching, system hardening, physical security, auditing, logging and application security, according to the PCI council’s website.

For retailers, the investment has already surpassed hundreds of millions of dollars in upgraded POS devices and PIN pads, and, for many, retrofitted pumps or entirely new dispensers. The PCI mandates came in waves for large and small retailers, but essentially 2010 brought the big deadline; 2012 was a secondary, catchall deadline that covered POS devices.

Though dispensers are part of that compliance mandate, the credit-card companies appear to be in limbo with regard to enforcing those upgrades, observers say.

What is up and coming for many retailers in 2014 is compliance with the new 3.0 version of the PCI standards, which places about 100 changes in rules and tracking tasks on retailers with regard to people and processes, says Shekar Swamy, president and senior security strategist for Omega ATC, a St. Louis-based data-management and risk-assessment firm.

One of the more difficult mandates for retailers will be “continuous compliance,” which Swamy calls a big change, and one that differs from the 2.0 version. “For these merchants, quarterly scanning and wireless intrusion checks are not adequate anymore,” he says.

Retailers have to upgrade from 2.0 compliance to 3.0 a full year after their last compliance check in 2013. However, if retailers have not been compliant at all, they will need to abide by 3.0 standards immediately, because the January 2014 deadline has already passed, Swamy says.

His company, along with many other assessment and data-management companies, follows a “prioritized” approach. So because 2.0 is easier to comply with, he suggests that any firm not in compliance “start with 2.0 and then move to 3.0.”

Many of the new requirements tie back to people, Swamy says. For instance, every employee who accesses the systems in the cardholder environment needs a login and password that changes every 90 days. Retailers must document these changes. Also, retailers have to make sure terminated employees no longer have access to data, and that they document such actions.
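The 90-day rotation and termination checks Swamy describes, as an added example that is not from the article or from Omega ATC: a small Python access review over constructed account and HR data that flags both kinds of violation and writes the documentation line for every account reviewed. The account names, dates and the `MAX_PASSWORD_AGE` constant are assumptions.

```python
from datetime import date, timedelta

MAX_PASSWORD_AGE = timedelta(days=90)  # rotation interval cited in the article

# Constructed sample data: accounts on systems in the cardholder data
# environment and the HR list of terminated employees with termination dates.
CDE_ACCOUNTS = [
    {"user": "jsmith", "enabled": True, "pw_changed": date(2013, 12, 20)},
    {"user": "mlopez", "enabled": True, "pw_changed": date(2014, 3, 20)},
    {"user": "rchen", "enabled": True, "pw_changed": date(2014, 1, 2)},
    {"user": "tkim", "enabled": False, "pw_changed": date(2013, 12, 1)},
]
TERMINATED = {"rchen": date(2014, 2, 14), "tkim": date(2013, 12, 15)}


def review_accounts(accounts, terminated, today):
    """Return (findings, audit_log). Findings are what an assessor would flag;
    the audit log is the written record the requirement asks retailers to keep
    for every account reviewed, whether or not it failed."""
    findings, audit = [], []
    for acct in accounts:
        user, enabled = acct["user"], acct["enabled"]
        age_days = (today - acct["pw_changed"]).days
        if user in terminated and enabled:
            # Termination takes priority: the account must be gone, not rotated.
            findings.append((user, f"terminated {terminated[user]} but still enabled"))
        elif enabled and age_days > MAX_PASSWORD_AGE.days:
            findings.append((user, f"password age {age_days}d exceeds 90d"))
        status = "disabled" if not enabled else ("terminated" if user in terminated else "active")
        audit.append(f"{today} reviewed {user}: {status}, password age {age_days}d")
    return findings, audit


def run_sample(today=date(2014, 4, 1)):
    """Run the review against the constructed data as of a fixed review date."""
    return review_accounts(CDE_ACCOUNTS, TERMINATED, today)
```

Feeding the same routine the real account export and HR feed, and retaining the audit list, is the "document these changes" half of the requirement.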

But compliance with standards doesn’t necessarily equate to data security. As Uddin of MegaPath points out, real protection goes beyond checklists to what employees do on a regular basis.

For instance, employees should make sure a card machine is the same one used yesterday, not somehow swapped out. At gas stations, skimming devices or electronic attachments can be affixed to card swipes or placed inside dispensers to then download card data as people pay for gas.

Remote locations, which make up the network of many c-store chains, are especially vulnerable, he says. Offices where store managers do back-office work, for instance, are often not secure, nor are the devices in them. “You’ll see that everyone’s corporate data center is very secure, but when you look at remote locations, they’re not as secure as their data center,” Uddin says. “But it’s just as important.”
