Debunking the PCI Myth
There is no end in sight, and there never will be, not when it comes to securing payment transactions and consumer data. Industry standards, regulators and emerging technologies all try to make breaches more difficult, but the higher the bar is raised, the higher tech-savvy hackers learn to jump.
Were any of us completely surprised to learn that a PCI-compliant retailer was breached? Not really. In fact, most industry analysts and security professionals would say it was just a matter of time—and given the speed of emergent technologies, there’s been a lot of time since the payment card industry (PCI) data security standard (DSS) was last updated on Dec. 31, 2006.
The 12 requirements outlined in the PCI DSS are a great starting point, but that is all they are. Putting a dead bolt on your doors and installing a home-security system are logical precautionary measures, but a stealthy, sophisticated criminal could still find a point of entry. The same holds true for your secured networks and payment systems.
Certainly that was one of the lessons Hannaford Bros., Scarborough, Maine, learned when more than 4.2 million debit and credit accounts were breached through the PCI-compliant Hannaford network. Within days, Advance Auto Parts, Roanoke, Va., and Okemo Mountain Resort, Ludlow, Vt., had also reported breaches.
Ben Edwards, a systems consultant with Peak Technologies, Columbia, Md., agreed that PCI compliance is the best first step, but cautioned, “There is no such thing as a totally hacker-proof system and anyone who implemented the minimum security to be compliant with PCI DSS regulations is quite vulnerable today because technology moves so quickly.”
Among his suggestions: Maintain constant vigilance, have multiple layers of security, and stay up-to-date on the latest safeguards, which likely means going beyond the rules of regulatory compliance.
For instance, wireless networks, potentially an Achilles’ heel for virtually every retailer, are much more prevalent now than in 2006 when the PCI DSS regulations were last updated.
However, most retailers believe they have taken all the necessary precautions if they are PCI-compliant. When retailers describe secure payment systems, the first thing they tell me is that they are PCI-compliant; the second thing is that the data is encrypted.
Trusting encryption to be your silver bullet against hackers is probably as naive as thinking PCI compliance in and of itself makes the network secure. As Edwards explained, the PCI DSS requirement calls for encryption keys to be rotated quarterly. If keys are changed only once a quarter, a key that has been copied or recovered stays useful to an attacker for up to three months, and every card number encrypted under it during that window is exposed.
“For the retailers I work with,” Edwards noted, “I set up a minimum of a daily rotation on encryption keys, typically every 8 to 12 hours. At least then the hackers have to start over every few hours to break the code.”
Setting a system to rotate encryption keys on a more frequent basis could be as simple as loading new firmware, he advised—something that can be done in a matter of minutes and for minimal cost.
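Rotating a data key every 8 to 12 hours raises a practical question the article does not address: how do records encrypted yesterday stay readable after today's rotation? The following is an added example, not code from the original article or anything supplied by Edwards or Peak Technologies. It is a small Go key ring that issues a fresh AES-256-GCM key on a schedule (a 12-hour period is assumed here to match the quote above), stamps every ciphertext with the version of the key that produced it, and keeps superseded versions available for decryption only until their records have been re-encrypted and the version is retired. The record layout, type and function names, and the use of a record ID as authenticated associated data are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"io"
	"time"
)

const (
	headerLen = 4  // big-endian key version prefixed to every ciphertext (assumed layout)
	nonceLen  = 12 // standard GCM nonce size
	tagLen    = 16 // GCM authentication tag size
)

var (
	ErrUnknownKey = errors.New("keyring: no key for this version (retired or never issued)")
	ErrMalformed  = errors.New("keyring: malformed ciphertext")
)

// KeyRing holds the current AES-256-GCM key plus earlier keys still needed to read older records.
type KeyRing struct {
	keys        map[uint32]cipher.AEAD
	current     uint32
	period      time.Duration
	lastRotated time.Time
}

// NewKeyRing issues key version 1 at time now; RotateIfDue then rotates every period.
func NewKeyRing(period time.Duration, now time.Time) (*KeyRing, error) {
	kr := &KeyRing{keys: make(map[uint32]cipher.AEAD), period: period}
	return kr, kr.Rotate(now)
}

// Rotate issues a fresh random 256-bit key; older keys remain for decryption until Retire is called.
func (kr *KeyRing) Rotate(now time.Time) error {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return err
	}
	kr.current++
	kr.keys[kr.current] = aead
	kr.lastRotated = now
	return nil
}

// RotateIfDue rotates when the period has elapsed and reports whether it did.
func (kr *KeyRing) RotateIfDue(now time.Time) (bool, error) {
	if now.Sub(kr.lastRotated) < kr.period {
		return false, nil
	}
	return true, kr.Rotate(now)
}

// Retire drops an old key so its ciphertexts can no longer be opened; the current key cannot be retired.
func (kr *KeyRing) Retire(version uint32) error {
	if version == kr.current {
		return errors.New("keyring: cannot retire the current key")
	}
	delete(kr.keys, version)
	return nil
}

func (kr *KeyRing) CurrentVersion() uint32 { return kr.current }

// Encrypt seals plaintext under the current key. Output layout:
// key version | random nonce | GCM ciphertext and tag. aad (for example the
// record ID) is authenticated but not encrypted, so a ciphertext cannot be moved to another record.
func (kr *KeyRing) Encrypt(plaintext, aad []byte) ([]byte, error) {
	out := make([]byte, headerLen+nonceLen)
	binary.BigEndian.PutUint32(out, kr.current)
	if _, err := io.ReadFull(rand.Reader, out[headerLen:]); err != nil {
		return nil, err
	}
	return kr.keys[kr.current].Seal(out, out[headerLen:], plaintext, aad), nil
}

// Decrypt looks up the key named in the header, so records written under an
// earlier version stay readable until that key is retired.
func (kr *KeyRing) Decrypt(blob, aad []byte) ([]byte, error) {
	if len(blob) < headerLen+nonceLen+tagLen {
		return nil, ErrMalformed
	}
	aead, ok := kr.keys[binary.BigEndian.Uint32(blob)]
	if !ok {
		return nil, ErrUnknownKey
	}
	return aead.Open(nil, blob[headerLen:headerLen+nonceLen], blob[headerLen+nonceLen:], aad)
}
```

In use, a scheduler would call RotateIfDue every few minutes with the current time; new transactions are sealed under whatever version is current, and a ciphertext from an earlier shift still opens because its header names the key that produced it. Two caveats follow from the design. Rotation alone does not protect data already written: a key copied while it was current still opens every record sealed under it until those records are re-encrypted under the new version and Retire removes the old one. And without the version tag, a rotation would make every stored record unreadable, which is exactly the failure a retailer discovers the first time it tightens the schedule.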
OfficeMax 1Q sales fall on weak economy
NAPERVILLE, Ill. OfficeMax announced that for its first quarter ended March 29, total sales decreased 5.5% to $2.3 billion compared to the first quarter of 2007. Net income increased in the first quarter of 2008 to $63.3 million, or 81 cents per diluted share, from $58.5 million, or 76 cents per diluted share, in the first quarter of 2007.
OfficeMax Retail segment sales decreased 5.5% to $1.11 billion in the first quarter of 2008 compared to the first quarter of 2007, reflecting a same-store sales decrease of 8.7% partially offset by sales from new stores. Retail same-store sales for the first quarter of 2008 declined across all major product categories due to weaker U.S. consumer and small business spending and the negative impact of the Easter holiday occurring in the first quarter of 2008.
IKEA to open first U.S. manufacturing facility
DANVILLE, Va. IKEA, through its subsidiary Swedwood, announced that it will open its first U.S. furniture manufacturing facility on May 21 in Danville, Va. The 930,000-square-foot Swedwood factory will produce a variety of wood-based IKEA products, the company reported.
“We made excellent progress on construction last year and our installation of equipment and machinery has gone very smoothly,” said Bengt Danielsson, North American president of Swedwood. “Now our primary objective is to complete appropriate operational training for 175 coworkers as well as to ensure a seamless production and packaging process.”