Five Steps Toward Preventing a Retail Breach
In today’s news cycle, it’s become somewhat standard fare to read reports of a significant breach in the retail world. From Target to Neiman Marcus, UPS to eBay and even restaurants like P.F. Chang's and Dairy Queen, 2014 resulted in major retail breaches totaling 100 million credit cards and 313 million personal records. But it’s not just the big names that have targets on their backs; as Verizon’s 2015 Data Breach Investigations Report details: “the attack methods are becoming more varied, even against small businesses.”
Despite the emergence of alternative payment methods such as Google Wallet and Apple Pay, credit cards remain king (as outlined in Verizon’s 2015 PCI Compliance Report): “Card payments matter. News of their demise, to be replaced by apps and mobile payments, has been greatly exaggerated.” What’s more, retailers rely just as heavily on credit cards for fast and easy transactions; the reality is, even a small number of stores may handle a large volume of card transactions (i.e., more than 1 million annually). Given the sheer volume and increased sophistication of recent data breaches, there is a clear and critical need for increased security around this interaction with a customer’s sensitive data – i.e., a retailer’s point-of-sale (POS) solutions.
Historically, the most common hacker practice was to compromise the POS device, install malware that scrapes a credit card’s magnetic stripe data from memory while the transaction is being processed, and cash out. However, in this constant battle for data security, retailers must remember that security is not just about payment cards. Protecting information also includes loyalty cards, personally identifiable information (PII) and even employee information. Systems can house personal data including full names, home addresses, driver’s licenses, dates of birth, etc. Whether you’re part of a large corporation or a small mom-and-pop shop, the fact is, nobody is immune.
Retailers must take control and secure their enterprise from the inside out, not just the perimeter. Here are five ways data security processes can be made more proactive, effective and manageable, even for small IT departments:
1. Deploy secure applications and innovative tools
• EMV Chip Technology: Chip cards used at EMV terminals protect against counterfeit transactions by replacing static card data with dynamic, per-transaction data – however, EMV is less about securing the data itself than about preventing card duplication.
• Point-to-Point Encryption (P2PE): Protects cardholder data from the point of data entry to the payment card processor, and shields against malware that “sniffs” and “captures” – however, the transaction path is still in PCI scope.
• Tokenization Technology: Replaces cardholder data with surrogate values, or “tokens,” allowing merchants to limit or eliminate the storage of cardholder data.
• Wireless Intrusion Prevention: Works to detect and prevent any kind of access across wireless networks.
• Card Data Scanning: Controls to protect against card reading devices that could steal cardholder information.
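As an added illustration of the tokenization bullet above (example code written for this page, not from the article or from Omega/Connectria), here is a hypothetical in-memory token vault in Python: the POS record keeps only a random token and the last four digits, and the card number lives solely in the vault. The `TokenVault` and `record_sale` names and the 16-digit test card number are constructed for the example.

```python
import hashlib
import hmac
import secrets


def luhn_ok(digits: str) -> bool:
    """Luhn check: rejects mistyped card numbers before they reach the vault."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical in-memory token vault. Only this object ever holds a PAN;
    POS and back-office systems keep the token and the last four digits."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_index: dict[str, str] = {}
        # A keyed (HMAC) index lets a repeat card map to the same token without
        # storing a plain hash of the PAN, which would be cheap to brute-force.
        self._index_key = secrets.token_bytes(32)

    def tokenize(self, pan: str) -> str:
        digits = pan.replace(" ", "")
        if not (12 <= len(digits) <= 19 and digits.isdigit() and luhn_ok(digits)):
            raise ValueError("not a valid card number")
        idx = hmac.new(self._index_key, digits.encode(), hashlib.sha256).hexdigest()
        if idx not in self._token_by_index:
            token = "tok_" + secrets.token_hex(12)   # random; carries no card data
            self._token_by_index[idx] = token
            self._pan_by_token[token] = digits
        return self._token_by_index[idx]

    def detokenize(self, token: str) -> str:
        """Only the payment-processor integration should ever call this."""
        return self._pan_by_token[token]


def record_sale(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """Build the sale record a POS would store: token plus last four, never the PAN."""
    digits = pan.replace(" ", "")
    token = vault.tokenize(digits)
    return {"token": token, "last4": digits[-4:], "amount_cents": amount_cents}
```

Because the stored record never contains the PAN, the systems that hold it can be argued out of PCI scope, which is the scope-reduction benefit step 5 of the article relies on.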
2. Leverage centralized data security services
• Manage increased threats without adding IT staff
• Investigate managed security service providers to augment your staff
3. Think of data security from inside the enterprise to the perimeter
• Build a data strategy that is both information-based and activity-based – covering the data itself and the people who handle it
• Cover everything from the innermost systems and security processes out to the outermost routers on the perimeter
• Account security for employees behind firewalls is just as important as that for vendors and customers
• Don’t rely on your hosting provider or card processor for all aspects of data security
4. Make data security processes more sustainable and resilient
Data security cannot be implemented overnight. It is becoming a day-to-day business practice; businesses must adopt a framework of continuous security. Data must be secured to meet the intent of continuous compliance requirements:
1. Tougher penetration testing requirements
2. PCI DSS 3.0 mandates that data security go deeper and wider
3. In the interest of protecting customer data, requirements are stringent
4. Over 100 additional discrete controls, 400+ total
5. More focus on physical controls
6. More policies and procedures
7. Ongoing documentation and evidence
8. Compliance and proof of validation
1. Execute the Incident Response Plan
2. Contact law enforcement, legal and customers
3. Conduct investigation to find out which areas of the environment have been compromised
4. Inform acquiring banks, customers, QSA firm, etc.
5. Even the best data security can still be breached; event logging makes the forensic investigation faster and less expensive when that happens
6. Security alerts allow retailers to inform customers of breaches, rather than customers finding out the hard way
7. As always, all data should be backed up
5. Make achieving compliance more straightforward
• Monitor compliance levels from a central console
• Reduce the workload – every system you can take out of scope is one less system that you have to validate for compliance
• Do not store cardholder data
• When possible, retailers should consolidate systems and restructure environments
Breaches are motivated by opportunity, ease of access and persistence. With the cost for non-compliance around $250,000 – and fines for non-compliance being imposed by acquiring banks and processors – retailers need to act now. The good news is that effective solutions are straightforward and readily available. By employing the right technologies and approaches, organizations can absolutely stay proactive against threats and keep their data secure.
Vidya Swamy is director, marketing & client services, Omega, which specializes in helping retailers prevent data breaches and the loss of sensitive information. Steve Grzybinski is director of security, compliance & technology, Connectria, which provides cloud computing, managed hosting and custom managed hosting solutions for more than 1,000 customers in over 30 countries worldwide.
Papa John’s gets ready for mobile communications
Lexington, Ky. – Papa John’s Pizza is getting ready for mobile communications. The pizza chain has selected the Red e App mobile communications platform to increase operational efficiency across its organization.
Red e App will give Papa John’s a dedicated channel to communicate and share files with corporate managers in more than 600 locations using a private, mobile-centric platform. Papa John’s is also planning to expand the service to franchise owners and operators in the future.
The company’s operational demands include food preparation and logistics, point of sale, connectivity for phone and other Internet systems. The global scale of Papa John’s business compounds the workload and requires immediate communication, 24 hours per day, seven days per week. With Red e App, Papa John’s is able to utilize an entire communication platform that is designed specifically for the needs of a non-desk management workforce.
“Red e App allows us to communicate the right data at the right time with a simple solution,” said Edmond Heelan, Papa John’s VP global operations support and training. “For the first time, we’ll be able to communicate in real-time to all regional and local corporate managers.”
Former Kohl’s CIO takes IT reins at Hudson’s Bay
Toronto – Despite efforts by her previous employer to block the transition, former Kohl’s CIO Janet Schalk is joining Hudson’s Bay Co. in the same capacity. Schalk initially informed Kohl’s she would be leaving effective July 31 to take the Hudson’s Bay CIO post.
On July 24, Kohl’s filed a lawsuit in Wisconsin (where the retailer is headquartered) claiming its employment agreement with Schalk required her to wait a year before taking a similar position with a competitor. However, on Aug. 11, the court ruled against Kohl’s, saying Hudson’s Bay is not a direct competitor and the language of the employment agreement would most likely not stand up under state law.
A temporary injunction barring Schalk from accepting the job with Hudson’s Bay has since expired. It is unclear if Kohl’s is considering any further legal action.
In her new role, Schalk will be responsible for leading the IT strategy for Hudson’s Bay. She will also drive the company's roadmap of common systems, integrated support, business architecture and analytics.
"Janet is a proven leader, and her success in creating a strategic information technology function that drives customer engagement across all channels will be critical in advancing Hudson's Bay's IT systems and supporting the company's growth," said Jerry Storch, CEO, Hudson's Bay Co. "We look forward to welcoming Janet and moving ahead with our plans for innovation and growth."
Schalk joins Hudson's Bay's executive leadership team and will report directly to the Office of the Chairman, comprising Richard Baker, chairman and governor, and Jerry Storch, CEO.
Prior to Kohl's, where Schalk started as senior VP of IS, business applications in 2010 and was promoted to CIO in 2012, she spent four years as executive VP and head of global IT for Target, from 2004 to 2008.