Retailers Need to Be Prepared for the Worst Scenario When It Comes to Credit Card Data Security
(but if they aren't aware of their PCI liability, that can't happen)
Almost every day we hear of a new security breach. National and larger regional retail chains are the usual targets of these attacks because of the size of the databases they manage. While this might seem comforting to a single-store convenience store owner, it's a mistake to be lulled into a false sense of security, according to Gray Taylor, executive director of the NACS-affiliated Petroleum and Convenience Alliance for Technical Standards (PCATS).
We often think of the typical hacker as a very intelligent, bored teenager exploring his boundaries and testing his computer skills. Today, though, hackers are more likely to be members of European organized crime groups, perhaps even living in the U.S. "These guys are coming in with H1 or H2 student visas," Taylor said. "Rather than working at the student union, they're being used as mules. They're opening bank accounts, installing skimmers that feed card data back to these gangs, and using stolen cards to buy high-end merchandise."
As larger, more tech-savvy businesses improve their security measures, and hackers run into sophisticated information technology and up-to-date security, they'll turn to easier systems, including those of small family businesses. These businesses are an easy target for data thieves, according to Taylor. "We've got 92,000 individual site operators (in the convenience store industry)," he said. "We've got a lot of single-store operators who know how to turn on a PC, and that's it."
If I'm Compliant, Everything Is Okay, Right? … Wrong!
(PCI Liability)
In an effort to mandate computer security for all businesses, the Payment Card Industry (PCI) Security Standards Council was formed in 2006. PCI was created by five global payment brands to establish standards for businesses that accept cards for payment. Retailers have had to invest in costly technology and confirm compliance by underwriting expensive audits to meet and maintain the PCI standards. Non-compliant businesses that suffer a security breach can be heavily fined by PCI.
Yet PCI compliance can't guarantee that security breaches won't occur, and if one does, the business can still be held liable. According to Trinette Huber, manager of information privacy and security for PCI compliance at the 2,700-store Sinclair Oil Corp., based in Salt Lake City, a retailer can be fully PCI compliant, be breached, and be held responsible just like a non-compliant business. "As a merchant, I can go through all the steps to do this and do it in good faith, and yet if I have a breach, which is entirely possible, the PCI council will say I wasn't literally compliant," she said. "(PCI) is asking thousands of merchants to do something (the credit card companies) should be doing themselves. They should be fixing the magnetic stripe (in credit/debit cards) so it's not something that can be easily stolen, instead of asking merchants to fix (the security issues) for them."
A search of the internet can readily provide even amateur hackers with instructions for collecting magnetic-stripe data. In an effort to deal with this security deficiency, Visa announced last year that Europay MasterCard Visa (EMV) will become the standard payment technology for the U.S. market. EMV cards use an internal chip as opposed to a magnetic stripe, and consumers are required to enter a personal identification number (PIN) at the time of the transaction. This is also known as "chip and PIN" technology.
Although EMV will improve security, a typical convenience store will have to spend about $20,000 to update inside and outside credit card terminals to EMV standards, Huber said. In addition, the 20-year-old EMV technology already has known security gaps, such as offering no protection for online use. According to Bob Russo, general manager of the PCI Security Standards Council, "when EMV was first available in Europe, which is where it first came out, fraud went way, way down in a face-to-face environment. Immediately people said this is what we need, and we don't need anything else. But over the years, they found EMV by itself was not enough. In a face-to-face environment, it works. In a card-not-present environment or over the Internet, it really doesn't work."
Point-to-Point Encryption (P2PE)
A newer technology, point-to-point encryption (P2PE), also called end-to-end encryption, ensures that credit and debit card data is protected from the initial card swipe all the way to the payment processor.
"End-to-end encryption completely eliminates the need for the retailer to secure customers' magnetic-stripe data because the retailer never has possession of it," said Jeremie Myhren, senior director of information technology at Rockford, Ill.-based Road Ranger LLC, which has more than 80 Midwest stores. "Of course the retailer will want to follow many of the requirements laid out by the PCI Standards Council. Many of them are things we should be doing anyway. However, we will no longer need to worry about some of the very specific requirements that are in place to protect our customers' magnetic-stripe information, such as network segmentation, and the like."
With P2PE, merchants have more flexibility in designing and implementing a technology infrastructure, which can help reduce the current costs of being compliant. "At the end of the day, it mitigates the need for a retailer to undergo a costly and time-consuming audit for PCI purposes," Myhren added.
Some versions of the technology are in use today at Wal-Mart and Kroger. "To me P2PE is the pièce de résistance," said Taylor. "You can get a proprietary product today for in-store POS. I think within a year we'll have a good standard for dispensers, and within two years we'll actually have products you can use." While P2PE will be a major advancement in security, Russo believes compliance with PCI standards will still be necessary.
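As an added illustration of the P2PE model described above (this is example code, not code from the article or from any vendor's product), the following Go program simulates the three parties: the processor injects an AES-GCM key into the card reader, the reader encrypts the track data at the moment of the swipe, and the merchant's own systems only ever see a masked account number plus ciphertext they have no key to open. The track-2 sample, the key handling, and all function names are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"strings"
)

// Constructed sample: a well-known test PAN in ISO 7813 track-2 layout.
const sampleTrack2 = "4111111111111111=25121011234500001"
type Message struct { // all that leaves the reader and crosses the store network
	Nonce, Ciphertext []byte
	MaskedPAN         string // e.g. "************1111", enough for a receipt
}

// InjectKey models the processor loading an AES-GCM key into the reader; it keeps a copy.
func InjectKey(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// maskPAN keeps only the last four digits of the account number.
func maskPAN(track2 string) string {
	pan := strings.SplitN(track2, "=", 2)[0]
	if len(pan) <= 4 {
		return strings.Repeat("*", len(pan))
	}
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

// TerminalEncrypt runs inside the reader; the masked PAN is bound as authenticated data.
func TerminalEncrypt(term cipher.AEAD, track2 string) (Message, error) {
	nonce := make([]byte, term.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Message{}, err
	}
	masked := maskPAN(track2)
	ct := term.Seal(nil, nonce, []byte(track2), []byte(masked))
	return Message{Nonce: nonce, Ciphertext: ct, MaskedPAN: masked}, nil
}

// ProcessorDecrypt runs at the processor, the only party holding the key.
func ProcessorDecrypt(proc cipher.AEAD, m Message) (string, error) {
	pt, err := proc.Open(nil, m.Nonce, m.Ciphertext, []byte(m.MaskedPAN))
	return string(pt), err
}
```

Any system in the store that handles the Message sees no cleartext track data, and any alteration of the ciphertext or the masked PAN in transit causes the processor's authentication check to fail.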
Compliant and Still Fined!
The owners of Cisero's, a Utah restaurant, are suing U.S. Bank and the bank's parent company, Elavon, over PCI compliance fines. In 2008, Visa notified U.S. Bank that Cisero's security network might have been compromised after cards used at the restaurant were also used for fraudulent transactions. Visa and MasterCard fined U.S. Bank, alleging that Cisero's had failed to secure its network. U.S. Bank, in turn, seized about $10,000 from the restaurant's account to pay a portion of the fines and then sued the owners to obtain the balance, about $80,000.
The owners countersued, claiming that the bank and the payment card industry, through PCI, forced merchants to sign one-sided contracts based on information that changes without notice, and that merchants are fined with no chance to dispute claims before funds are seized. They further charge that the PCI system is less about securing card data than about collecting fines and boosting profits for credit card companies.
"This is going to be a benchmark decision," said Gray Taylor, executive director of the Petroleum and Convenience Alliance for Technical Standards. "All of the things necessary for a good lawsuit (to challenge PCI) are in place for the first time."