Five Steps Toward Preventing a Retail Breach
In today’s news cycle, it’s become somewhat standard fare to read reports of a significant breach in the retail world. From Target to Neiman Marcus, UPS to eBay and even restaurants like P.F. Chang's and Dairy Queen, 2014 resulted in major retail breaches totaling 100 million credit cards and 313 million personal records. But it’s not just the big names that have targets on their backs; as Verizon’s 2015 Data Breach Investigations Report details: “the attack methods are becoming more varied, even against small businesses.”
Despite the emergence of alternative payment methods such as Google Wallet and Apple Pay, credit cards remain king (as outlined in Verizon’s 2015 PCI Compliance Report): “Card payments matter. News of their demise, to be replaced by apps and mobile payments, has been greatly exaggerated.” What’s more, retailers rely just as heavily on credit cards for fast and easy transactions; the reality is, even a small number of stores may handle a large volume of card transactions (i.e., more than 1 million annually). Given the sheer volume and increased sophistication of recent data breaches, there is a clear and critical need for increased security around this interaction with a customer’s sensitive data – i.e. a retailers’ point-of-sale (POS) solutions.
Historically, the most common hacker practice was to compromise the POS device, install malware to collect a credit card’s magnetic stripe data in-process and cash out. However, in this constant battle for data security, retailers must remember that security is not just about payment cards. Protecting information also includes loyalty cards, personally identifiable information (PII) and even employee information. Systems can house personal data including full names, home addresses, driver’s licenses, date of birth, etc. Whether you’re part of a large corporation or you’re a small mom and pop shop, the fact is, nobody is immune.
Retailers must take control and secure their enterprise from the inside out, not just the perimeter. Here are five ways data security processes can be made more proactive, effective and manageable, even for small IT departments:
1. Deploy secure applications and innovative tools
• EMV Chip Technology: Chip cards used at EMV terminals protect against counterfeit transactions by replacing static data with dynamic – however, they are not as much about security as the prevention of card duplication.
• Point-to-Point Encryption (P2PE): Protects cardholder data from the point of data entry to the payment card processor, and shields against malware that “sniffs” and “captures” – however, the path of transaction is still in scope.
• Tokenization Technology: Replaces cardholder data with surrogate values, or “tokens,” allowing merchants to limit or eliminate the storage of cardholder data.
• Wireless Intrusion Prevention: Works to detect and prevent any kind of access across wireless networks.
• Card Data Scanning: Controls to protect against card reading devices that could steal cardholder information.
2. Leverage centralized data security services
• Managed increased threats without adding IT staff
• Investigate managed security service providers to augment your staff
3. Think of data security from inside the enterprise to the perimeter
• There needs to be an information-based and activity-based data strategy – data and people
• Include the most inward systems and security processes to the outmost routers on the perimeter
• Account security for employees behind firewalls is just as important as that for vendors and customers
• Don’t rely on your hosting provider or card processor for all aspects of data security
4. Make data security processes more sustainable and resilient
Data security cannot be implemented overnight. It is becoming a day-to-day business practice; businesses must adopt a framework of continuous security. Data must be secured to meet the intent of continuous compliance requirements:
i. Preparation:
1. Tougher penetration testing requirements
2. PCI 3.0 mandates that data security go deeper & wider
3. In the interest of protecting customer data, requirements are stringent
4. Over 100 additional discrete controls, 400+ total
5. More focus on physical controls
6. More policies and procedures
7. Ongoing documentation and evidence
8. Compliance and proof of validation
ii. Recovery:
1. Execute the Incidence Response Plan
2. Contact law enforcement, legal and customers
3. Conduct investigation to find out which areas of the environment have been compromised
4. Inform acquiring banks, customers, QSA firm, etc.
5. While even the best data security can still be vulnerable to breaches, event logging makes the forensic investigation faster and less expensive in the event of a breach
6. Security alerts allow retailers to inform customers of breaches, rather than customers finding out the hard way
7. As always, all data should be backed up
5. Make achieving compliance more straightforward
• Monitor compliance levels from a central console
• Reduce the workload – every system you can take out of scope is one less system that you have to validate for compliance
• Do not store cardholder data
• When possible, retailers should consolidate systems and restructure environments
Breaches are motivated by opportunity, ease of access and persistence. With the cost for non-compliance around $250,000 – and fines for non-compliance being imposed by acquiring banks and processors – retailers need to act now. The good news is that effective solutions are straightforward and readily available. By employing the right technologies and approaches, organizations can absolutely stay proactive against threats and keep their data secure.