Hardening the Target
Following the release of new standards for payment-card-industry (PCI) compliance in September 2006, many retailers were confused about what was required. Issued by the PCI Security Standards Council, an independent organization based in Wakefield, Mass., that manages the Payment Card Industry Data Security Standard, the updated and expanded requirements were intended to harden the target against breaches of card data.
Recent breaches at retail organizations such as TJX and Stop & Shop, and the ensuing collateral damage that ranged from consumer withdrawal to lawsuits and financial penalties, have reinforced the critical need for PCI compliance and increased security. To help retailers gain a better understanding of the topic, an educational Webinar was presented by Chain Store Age, Denver-based Accuvant and Aruba Networks of Sunnyvale, Calif.
“Demystifying PCI Compliance” may be viewed in its entirety by visiting www.chainstoreage.com and clicking on the icon for this Webinar.
Following the presentation, retail attendees had an opportunity to pose questions to the panelists. Aruba Networks representatives Manav Khurana, product manager, retail solutions, and Joshua Wright, senior security researcher, along with Brian Serra, PCI program manager of Accuvant, offered the following answers to attendee questions:
Q: Is becoming PCI-compliant enough to defend against network exploitation?
A: PCI compliance is the minimum requirement for what is necessary to protect networks. It is a good first step for protection, but there are always more steps that can be taken to mitigate emerging threats. How much a retailer does usually correlates to the cost-risk analysis—the cost of securing the network vs. the cost of recovering from a breach.
Q: How long does it take, from start to finish, for a retail organization to become PCI-compliant?
A: The overall timeline differs with the size of an organization and the complexity of its cardholder environment. We have seen retailers that have little to no security in place take about a year to get up to speed. Retailers with some security in place may achieve PCI compliance in as little as two months.
Q: What are the most common problem areas retailers should focus on securing?
A: Areas where retailers are most often out of compliance involve the absence or inadequacy of data encryption. It is not just about protecting the card number; many retail organizations retain the track data from the magnetic strip on the back of credit cards. Retaining that data is forbidden.
Another big hurdle retailers face centers around the audit and tracking of security breaches. Retailers must be able to determine and retrace what happened and what was stolen, as well as establish what can be done to prevent future breaches.
Q: What are the ramifications to PCI compliance when additional applications are introduced in the network?
A: PCI compliance is not a one-time project. If you are the compliance manager within a retail organization, it is your responsibility to understand new applications that are added to the network and determine if they are PCI-compliant or what has to be done to make them compliant.
Q: How do you protect against problems such as the duping of credit-card data at the point of sale?
A: There are no controls within PCI compliance to address theft at the point of sale or securing POS hardware. We often hear about “skimming” techniques in restaurants that facilitate theft of credit-card data, and we’ve seen similar problems with devices at ATM machines. However, establishing physical security checks would help to some extent.
Q: Does the PCI requirement for securing wireless networks include every store in a retailer’s portfolio as well as its headquarters?
A: The requirement is to monitor the cardholder environment, which suggests retailers do need to secure their stores as well as their headquarters, distribution centers and other ancillary facilities—basically any environment where wireless applications are used, because rogue attacks could penetrate the corporate network through those connections.
Q: Who is responsible for auditing to confirm PCI compliance and what are the monetary fines?
A: Typically the fines are imposed by the card brands—Visa, MasterCard and Discover. They may fine the retailer’s third-party processor or the acquiring bank, but because of merchant contracts, retailers are likely responsible for payment.
When retailers are dealing directly with the card companies, the minimum fine for data loss is $500,000. For non-compliance without data loss, fines start at $50,000. Additionally, if cardholder data is stolen in mass quantities, the retailer will likely be required to pay a re-issue fee of as much as $200 per card.
Weekly Retail Fix
THE NEWS: SAM’S REALIGNS STORE-LEVEL MANAGEMENT
BENTONVILLE, ARK. Sam’s Club is changing the management structure in its stores. In the realignment, approximately 250 positions will be eliminated, Wal-Mart Stores announced last week. The company said it’s replacing five lower-level management positions at each Sam’s Club location with three new higher-level and higher-paying assistant manager positions.
“This is not a cost cutting effort. We expect a slight increase in payroll upon completion of this change,” said Sharon Orlopp, senior vp of Sam’s people division.
THE FIX: Differentiation would better help Sam’s
Since Sam’s decided that its refocus on the business customer was too narrow, it has sought to find ways to make its clubs more attractive to primary shoppers, i.e., women. And that’s a pretty tough row to hoe, as Costco has done a pretty good job at satisfying the club customer in general and BJ’s has been going after female shoppers for several years now, with some success.
Having fewer managers with more direct responsibility could create a tighter knit club-level management and shorten lines of responsibility and accountability. Yet, without differentiating the offering, execution isn’t going to overcome all of Sam’s challenges.
That being said, a store-level management realignment might be overlooked at other retailers, but, this being Wal-Mart, everyone has to make a big deal about it. But that’s the price you pay as the big guy on the block.
Weekly Retail Fix
THE NEWS: TOYS ‘R’ US EARNINGS GAIN 40.1%
WAYNE, N.J. Toys “R” Us today posted net earnings of $199 million for its critical fourth quarter, which meant it turned a profit for the fiscal year ended Feb. 3. But special charges and gains had an impact on its numbers.
Sales for the previous fiscal annum were $142 million, the difference translating into a net earnings increase of 40.1% year over year. For the last fiscal year, Toys “R” Us posted net earnings of $85 million versus a net loss of $384 million for the previous period.
Operating earnings in the fiscal 2006 fourth quarter gained 53.1% to $571 million versus $373 million for the fourth quarter of fiscal 2005. For the last fiscal year, operating earnings were $649 million versus an operating loss of $142 million for the previous period.
THE FIX: Improved shopper experience ups comps
Of course, any observer has to take into consideration special financial circumstances. Fiscal 2006 operating earnings were positively impacted by $96 million from gains on property sales, slightly offset by restructuring and other charges. In fiscal 2005, operating earnings were negatively impacted by $410 million in costs relating to the merger of the company, as well as $58 million of costs and charges relating to contract settlement fees, restructuring and other charges.
Still, sales were trending up at last year’s end. Net sales gained 15.8% to $5.7 billion. In the full fiscal year, net sales advanced to $13 billion, up 15.2%.
Comparable-store sales for Toys “R” Us’ U.S. division gained 0.6% in fiscal 2006, which represents the division’s first comps increase in six years. Comps at Babies “R” Us were up 4.8% and those at Toys “R” Us international were up 2.6% for the fiscal year.
Jerry Storch, chairman and CEO of Toys “R” Us, said the company is “pleased with the strides we made in fiscal 2006 to improve at all levels of the organization and reposition the company for profitable growth over the long term.”
He said the company’s new management team has been focusing on executing a strategy that would turn the retailer into a global toy and baby products authority.
“This translated into higher overall sales, positive comparable-store sales, improved gross margins and strong operating earnings growth for the 2006 fiscal year,” Storch asserted. “The key to our strategy has been improving the customer shopping experience in our stores. We are accomplishing this by delivering a more compelling merchandise selection, better service and a cleaner and more comfortable shopping environment.”