Industry Standard
Hasn't Prevented
Recent Breaches
By JOSEPH PEREIRA
April 29, 2008; WSJ
Despite efforts by the credit-card industry to force retailers to protect their customers' data, several recent security breaches suggest that current requirements aren't enough.
Hannaford Bros., a unit of Belgium's Delhaize Group SA, says it received a certificate on Feb. 27 stating it was fully compliant with the credit-card industry's security protocols. But that same day, the New England supermarket chain was informed by its card-transaction processor that there appeared to be a problem with its customers' credit-card accounts. The chain soon learned that data for 4.2 million cards may have been stolen.
Until now, most known retail-data breaches occurred at companies that failed to comply with steps mandated by a credit-card industry group called the Payment Card Industry Security Standards Council, or PCI, in Wakefield, Mass. The Hannaford attack -- and another disclosed last month at Okemo Mountain Resort, a ski operator in Vermont -- has prompted retailers to seek security systems well beyond PCI standards.
Hannaford last week announced the adoption of two such measures. The company installed a round-the-clock security monitoring-and-detection service provided by International Business Machines Corp. to track all user log-ins. The chain has also begun to encrypt all its customer card information immediately from the time the card is swiped at the cash register, so that data is scrambled all the way to the company's corporate servers, from where it is sent to the credit-card company. "PCI is a good place to start but retailers are going to have to go above and beyond PCI," said Bill Homa, Hannaford's chief information officer.
Says Bonnie MacPherson, a spokeswoman for the ski resort, which lost card data for nearly 50,000 customers, "We did everything we were supposed to." The company says it doesn't know whether the breach resulted in any theft.
Joshua Jewett, information chief at Family Dollar Stores Inc. in Charlotte, N.C., plans to beef up the cash register systems at about 2,500 of the company's stores by August with more data encryption than mandated by PCI. Both Hannaford and Family Dollar are purchasing security systems from Verifone Holdings Inc. of San Jose, Calif.
Until two years ago, retailers faced a cacophony of security requirements, with each of the major credit-card brands -- including Visa Inc., MasterCard Inc. and American Express Co. -- issuing their own set of standards. Then the credit-card industry established PCI, and consolidated the best data security practices into a single, unified code.
The compilation, called PCI Data Security Standards, requires such things as encrypting or masking customer data, regularly updating antivirus software, restricting access to card data to only certain authorized personnel and protecting stored information with firewalls, among other things.
Retailers that fail to meet the requirements are subject to fines.
In January, Visa announced that 77% of its largest U.S. merchants became PCI compliant in 2007, up from 12% in 2006. Compliance among midsize merchants grew to 62% last year from 15% the year before.
Credit card-related fraud grew to $5.49 billion in 2007 from $1.46 billion in 1997, according to industry tracker Nilson Report. Law-enforcement officials attribute the rise to new technological applications as well as increased participation by international organized-crime groups.
Bob Russo, PCI's general manager, says PCI believes its standards -- derived with input from more than 500 data-security specialists -- are adequate, but he adds that PCI is still awaiting the results of investigations into the Hannaford and Okemo breaches. "If there is something that's lacking in the standards, then we'll address it immediately," he says.
In both the Hannaford and Okemo heists, hackers attacked an area that previously had been thought impenetrable -- a company's private internal computer network. Many previous breaches involved wireless network systems.
PCI mandates that all transaction data sent over networks that are publicly accessible -- such as in coffee shops -- be encrypted, but it doesn't require that for transmissions over internal private lines.
At Hannaford and Okemo, hackers managed to install malicious software into the companies' private networks to steal credit-card information being transmitted to processors for approval.
"This kind of attack would not have been possible if the credit-card data had been encrypted," says Avivah Litan, a security analyst for Gartner Inc. in Stamford, Conn.
Michael Cherry, an online-security consultant, says companies can encrypt credit-card data at cash registers, which PCI doesn't require, at minimal cost. "You can be worry free for less than $100 per cash register," says Mr. Cherry.
Two companies that provide such technology -- called personal identification number pad encryption -- are courting new customers, playing up Hannaford and Okemo's vulnerabilities.
Verifone Holdings is promoting its VeriShield system, which was purchased by Family Dollar. A similar product, called MagneSafe, is offered by MagTek Inc., of Carson, Calif.
Rob Caulfield, chief executive of TrustCommerce, an Irvine, Calif., credit-data processor that works with MagTek's clients, says he knows of about two dozen retailers currently using MagTek encryption and about 300 others that "are queuing up to become clients."
Meanwhile, PCI has been upgrading its requirements for retailers as more information about vulnerabilities is gleaned from data breaches. In February, PCI required merchants to ensure that PIN pads are tamper proof and their credit-card data are rendered useless if they are opened. The requirement follows a theft last year where thieves stole PIN pads from Dutch retailer Royal Ahold NV's Stop & Shop stores in the Northeast U.S. and accessed customers' debit-card passwords.
As of June 30, retailers must install firewalls that prevent hackers from accessing internal company files through software programs that are exposed to the Internet, such as applications that handle online credit-card transactions. PCI also plans to toughen its standards in September in the areas of wireless transmissions, card-preauthorization procedures and software applications that handle credit-card data. "From all the data breaches we've seen, we're quickly learning that the point-of-sale is our weakest spot in the payment chain," says Mr. Russo.
Hasn't Prevented
Recent Breaches
By JOSEPH PEREIRA
April 29, 2008; WSJ
Despite efforts by the credit-card industry to force retailers to protect their customers' data, several recent security breaches suggest that current requirements aren't enough.
Hannaford Bros., a unit of Belgium's Delhaize Group SA, says it received a certificate on Feb. 27 stating it was fully compliant with the credit-card industry's security protocols. But that same day, the New England supermarket chain was informed by its card-transaction processor that there appeared to be a problem with its customers' credit-card accounts. The chain soon learned that data for 4.2 million cards may have been stolen.
Until now, most known retail-data breaches occurred at companies that failed to comply with steps mandated by a credit-card industry group called the Payment Card Industry Security Standards Council, or PCI, in Wakefield, Mass. The Hannaford attack -- and another disclosed last month at Okemo Mountain Resort, a ski operator in Vermont -- has prompted retailers to seek security systems well beyond PCI standards.
Hannaford last week announced the adoption of two such measures. The company installed a round-the-clock security monitoring-and-detection service provided by International Business Machines Corp. to track all user log-ins. The chain has also begun to encrypt all its customer card information immediately from the time the card is swiped at the cash register, so that data is scrambled all the way to the company's corporate servers, from where it is sent to the credit-card company. "PCI is a good place to start but retailers are going to have to go above and beyond PCI," said Bill Homa, Hannaford's chief information officer.
Says Bonnie MacPherson, a spokeswoman for the ski resort, which lost card data for nearly 50,000 customers, "We did everything we were supposed to." The company says it doesn't know whether the breach resulted in any theft.
Joshua Jewett, information chief at Family Dollar Stores Inc. in Charlotte, N.C., plans to beef up the cash register systems at about 2,500 of the company's stores by August with more data encryption than mandated by PCI. Both Hannaford and Family Dollar are purchasing security systems from Verifone Holdings Inc. of San Jose, Calif.
Until two years ago, retailers faced a cacophony of security requirements, with each of the major credit-card brands -- including Visa Inc., MasterCard Inc. and American Express Co. -- issuing their own set of standards. Then the credit-card industry established PCI, and consolidated the best data security practices into a single, unified code.
The compilation, called PCI Data Security Standards, requires such things as encrypting or masking customer data, regularly updating antivirus software, restricting access to card data to only certain authorized personnel and protecting stored information with firewalls, among other things.
Retailers that fail to meet the requirements are subject to fines.
In January, Visa announced that 77% of its largest U.S. merchants became PCI compliant in 2007, up from 12% in 2006. Compliance among midsize merchants grew to 62% last year from 15% the year before.
Credit card-related fraud grew to $5.49 billion in 2007 from $1.46 billion in 1997, according to industry tracker Nilson Report. Law-enforcement officials attribute the rise to new technological applications as well as increased participation by international organized-crime groups.
Bob Russo, PCI's general manager, says PCI believes its standards -- derived with input from more than 500 data-security specialists -- are adequate, but he adds that PCI is still awaiting the results of investigations into the Hannaford and Okemo breaches. "If there is something that's lacking in the standards, then we'll address it immediately," he says.
In both the Hannaford and Okemo heists, hackers attacked an area that previously had been thought impenetrable -- a company's private internal computer network. Many previous breaches involved wireless network systems.
PCI mandates that all transaction data sent over networks that are publicly accessible -- such as in coffee shops -- be encrypted, but it doesn't require that for transmissions over internal private lines.
At Hannaford and Okemo, hackers managed to install malicious software into the companies' private networks to steal credit-card information being transmitted to processors for approval.
"This kind of attack would not have been possible if the credit-card data had been encrypted," says Avivah Litan, a security analyst for Gartner Inc. in Stamford, Conn.
Michael Cherry, an online-security consultant, says companies can encrypt credit-card data at cash registers, which PCI doesn't require, at minimal cost. "You can be worry free for less than $100 per cash register," says Mr. Cherry.
Two companies that provide such technology -- called personal identification number pad encryption -- are courting new customers, playing up Hannaford and Okemo's vulnerabilities.
Verifone Holdings is promoting its VeriShield system, which was purchased by Family Dollar. A similar product, called MagneSafe, is offered by MagTek Inc., of Carson, Calif.
Rob Caulfield, chief executive of TrustCommerce, an Irvine, Calif., credit-data processor that works with MagTek's clients, says he knows of about two dozen retailers currently using MagTek encryption and about 300 others that "are queuing up to become clients."
Meanwhile, PCI has been upgrading its requirements for retailers as more information about vulnerabilities is gleaned from data breaches. In February, PCI required merchants to ensure that PIN pads are tamper proof and their credit-card data are rendered useless if they are opened. The requirement follows a theft last year where thieves stole PIN pads from Dutch retailer Royal Ahold NV's Stop & Shop stores in the Northeast U.S. and accessed customers' debit-card passwords.
As of June 30, retailers must install firewalls that prevent hackers from accessing internal company files through software programs that are exposed to the Internet, such as applications that handle online credit-card transactions. PCI also plans to toughen its standards in September in the areas of wireless transmissions, card-preauthorization procedures and software applications that handle credit-card data. "From all the data breaches we've seen, we're quickly learning that the point-of-sale is our weakest spot in the payment chain," says Mr. Russo.
