Technology: Target on Your Back
High-profile data breaches put retailers in public crosshairs
She cites heightened pressure on all stakeholders post-Target, with many calling for what Visa and other credit cards have pushed for: EMV. “We realize there’s a cost,” she says. “But the EMV chip has been out there for more than 20 years, and it has not been broken.”
In for a Penny
PCI mandates have included a set of 12 requirements and 221 sub-requirements covering items such as data encryption, patching, system hardening, physical security, auditing, logging and application security, according to the PCI council’s website.
For retailers, the investment has already surpassed hundreds of millions of dollars in upgraded POS devices and PIN pads, and, for many, in retrofitted pumps or entirely new dispensers. The PCI mandates came in waves for large and small retailers, but 2010 brought the big deadline; 2012 was a secondary, catchall deadline that covered POS devices.
Though dispensers are part of that compliance mandate, the card brands appear to be in limbo on enforcing those upgrades, observers say.
What is up and coming for many retailers in 2014 is compliance with a new 3.0 version of the PCI standards, which introduces about 100 changes to rules and tracking tasks that retailers must meet with regard to people and processes, says Shekar Swamy, president and senior security strategist for Omega ATC, a St. Louis-based data-management and risk-assessment firm.
One of the more difficult mandates for retailers will be “continuous compliance,” which Swamy calls a big change, and one that differs from the 2.0 version. “For these merchants, quarterly scanning and wireless intrusion checks are not adequate anymore,” he says.
Retailers have to upgrade from 2.0 compliance to 3.0 a full year after their last compliance check in 2013. However, if retailers have not been compliant at all, they will need to abide by 3.0 standards immediately, because the January 2014 deadline has already passed, Swamy says.
His company, along with many other assessment and data-management companies, follows a “prioritized” approach. So because 2.0 is easier to comply with, he suggests that any firm not in compliance “start with 2.0 and then move to 3.0.”
Many of the new requirements tie back to people, Swamy says. For instance, every employee who accesses the systems in the cardholder environment needs a login and password that changes every 90 days. Retailers must document these changes. Also, retailers have to make sure terminated employees no longer have access to data, and that they document such actions.
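The people-centred requirements above (90-day password rotation, prompt removal of terminated employees' access, and a documented record of both) are the kind of check a retailer can run automatically against its own account data. The script below is an added example, not code from the article or from Omega ATC; it assumes a hypothetical export of cardholder-environment accounts joined with an HR termination feed, and uses constructed sample records.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Rotation interval the article names (PCI DSS: change passwords at least every 90 days)
MAX_PASSWORD_AGE_DAYS = 90


@dataclass
class Account:
    """One login on a system inside the cardholder data environment (hypothetical export format)."""
    username: str
    enabled: bool
    last_password_change: date
    terminated_on: Optional[date] = None  # from a hypothetical HR feed; None = still employed


# Constructed sample data for illustration only, not real accounts
ACCOUNTS = [
    Account("store101.mgr", True, date(2014, 1, 10)),
    Account("store101.clerk2", True, date(2013, 9, 1)),                       # stale password
    Account("jdoe", True, date(2014, 1, 5), terminated_on=date(2014, 1, 20)),  # left but still enabled
    Account("asmith", False, date(2013, 6, 1), terminated_on=date(2013, 7, 1)),  # correctly disabled
]


def audit_accounts(accounts, today):
    """Return (username, finding, detail) tuples for every account that violates a control."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts are already out of scope for both checks
        if acct.terminated_on is not None:
            findings.append((acct.username, "terminated-but-enabled",
                             f"terminated {acct.terminated_on.isoformat()}"))
        age = (today - acct.last_password_change).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append((acct.username, "password-expired", f"{age} days old"))
    return findings


def format_report(findings, today):
    """Render findings as dated audit lines so the check itself is documented, as the standard asks."""
    lines = [f"{today.isoformat()} {user} {kind} ({detail})" for user, kind, detail in findings]
    return lines or [f"{today.isoformat()} no findings"]


if __name__ == "__main__":
    run_date = date(2014, 2, 1)
    for line in format_report(audit_accounts(ACCOUNTS, run_date), run_date):
        print(line)
```

Run daily, the report lines are the documentation trail auditors look for; the disabled account is skipped on purpose, since a terminated user whose login is already off is the desired state rather than a finding.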
But compliance with standards doesn’t necessarily equate to data security. As Uddin of MegaPath points out, real protection goes beyond checklists and depends on what employees do on a regular basis.
For instance, employees should make sure a card machine is the same one used yesterday, not somehow swapped out. At gas stations, skimming devices or electronic attachments can be affixed to card swipes or placed inside dispensers to then download card data as people pay for gas.
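The "same machine as yesterday" check can be made routine by comparing today's observed terminal serials against a stored baseline and a list of documented replacements. The code below is an added example, not from the article or from MegaPath; the lane names, serial numbers and the approved-change list are constructed, and the serial lookup is assumed to come from whatever inventory or POS management feed a chain already has.

```python
def check_terminals(baseline, observed, approved_changes):
    """Compare observed device serials per lane or pump against yesterday's baseline.

    baseline:         {location: serial} recorded at the last check
    observed:         {location: serial} read today
    approved_changes: {location: serial} for swaps that have a documented work order

    Returns a list of (location, alert_kind, detail) tuples.
    """
    alerts = []
    for location, serial in observed.items():
        if approved_changes.get(location) == serial:
            continue  # documented replacement: expected, and becomes tomorrow's baseline
        expected = baseline.get(location)
        if expected is None:
            alerts.append((location, "unknown-device", serial))
        elif serial != expected:
            alerts.append((location, "unexpected-swap", f"{expected} -> {serial}"))
    for location, serial in baseline.items():
        if location not in observed:
            alerts.append((location, "missing-device", serial))
    return alerts


def next_baseline(baseline, observed, approved_changes):
    """Roll the baseline forward, accepting only approved swaps and untouched devices."""
    updated = dict(baseline)
    for location, serial in observed.items():
        if approved_changes.get(location) == serial or baseline.get(location) == serial:
            updated[location] = serial
    return updated


# Constructed sample inventory, not real devices
YESTERDAY = {"lane1": "SN-A1", "lane2": "SN-B2", "pump3": "SN-C3"}
TODAY = {"lane1": "SN-A1", "lane2": "SN-ZZ9", "pump4": "SN-D4"}   # lane2 swapped, pump3 gone, pump4 new
APPROVED = {"pump4": "SN-D4"}                                       # only pump4 has a work order

if __name__ == "__main__":
    for alert in check_terminals(YESTERDAY, TODAY, APPROVED):
        print(alert)
```

An undocumented change of serial at lane2 and a device that has vanished from pump3 are both alerts; the new pump4 reader passes only because it is on the approved list, which is what ties the physical check back to the paperwork the standard expects.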
Remote locations, which make up the network of many c-store chains, are especially vulnerable, he says. Offices where store managers do back-office work, for instance, are often not secure, nor are the devices in them. “You’ll see that everyone’s corporate data center is very secure, but when you look at remote locations, they’re not as secure as their data center,” Uddin says. “But it’s just as important.”