Card Networks Still at Risk

Visa and MasterCard are among the payment providers targeted by “hacktivists,” calling into question the effectiveness of PCI compliance.

By Howard Riell, Associate Editor.

The arrest of WikiLeaks founder Julian Assange in the U.K. in early December got some people angry—and they took revenge.

A day after Assange was arrested and denied bail in London in connection with misconduct accusations in Sweden, MasterCard Inc., Visa Inc., eBay Inc.’s PayPal and the Swedish prosecutor’s office all reported technical difficulties with their Web sites that experts said came from so-called denial of service attacks, in which computers flooded servers to prevent them from displaying a Web page. In other words, they were hacked.

On Dec. 12, Amazon’s European Web sites were brought down and rendered inaccessible for two hours, costing it millions in lost revenue during the height of the holiday shopping season. The finger of blame once again pointed to so-called “hacktivists.”

While the attacks were more annoying than damaging, they left many c-store operators questioning the effectiveness of PCI compliance. After all the time and money they have invested—most estimates place the c-store industry’s tab at around $200 million—are convenience stores still vulnerable like MasterCard, Visa and PayPal? And if so, why bother?

“Read the papers,” said Bob Russo, general manager of the PCI Security Standards Council in Wakefield, Mass. “Stuff is happening every day, and stuff that you don’t hear about. You can’t imagine how much there is out there.”

What many c-store operators need to do is change the way they think of compliance, Russo suggested. “People are thinking of this in a compliance vein, and really what they should be doing is thinking of this more as a security issue.”

Ongoing Maintenance Required

Compliance, Russo explained, “is when the insurance company tells you, ‘Put dead bolt locks on all of your doors,’ and you say, ‘OK, fine.’ You put deadbolt locks on all of your doors, and now you think that your job is finished. However, two or three times a month you walk out your door and forget to lock it. What good is having a deadbolt lock if you don’t lock it? So really this is more about security than it is about compliance. That is the difference.”

Retailers need to think of PCI compliance as a vital process they must follow in order to protect their businesses rather than just a mess of required paperwork.

“To tell you the truth, we’re not just talking about the specter of a fine,” said Russo. “People think that the fine is really the onerous part of all of this, and it’s really not the case. It’s the fact that your customers will think that you are not protecting your data.”

Customers these days are getting smarter, but many don’t yet understand the difference between credit card fraud and identity theft. Many think that if their credit card gets stolen their identities are getting stolen.

“If consumers figure out that it’s happening at their local convenience store because that’s where they use their credit card most of the time, they may not shop there anymore,” Russo warned. “That’s the worst thing, when your customers walk away. So you really need to be thinking about security, not so much compliance.”

Protecting Customers

Paul Culver, payments solutions manager for CHS Payment Solutions in Inver Grove Heights, Minn., said convenience store operators would be wrong to come to the conclusion that PCI compliance is a waste of time and money.

CHS Payment Solutions is a division of CHS, which operates hundreds of convenience stores across the Midwest under the Cenex brand.

“I think the right message is that conceptually, when it comes to the whole PCI issue, bits and pieces of it may very well be more detailed than a lot of the smaller retailers want. But the fundamental behind it—securing consumer credit card data—is the right thing to protect customers. And it is the right thing to do to have the proper training with our employees—especially in the c-store business, where we see in many areas pretty high turnover.”

Culver said that he has seen evidence of this within his own retail group. Cenex trains new employees to treat credit card data as if it was their own card information. Helping make the education process easier is the fact that so many people have themselves had at least some indirect experience with identity theft.

“More and more these days someone will say, ‘Yeah, I know somebody who had a credit card stolen or was a victim of identity theft,’” Culver noted. “So I still think the principles behind PCI are right on because it’s about protecting our consumers and keeping them happy. That’s the fundamental mission to our whole convenience store world.”

When it comes to payment application devices, Cenex has all of its 2,800 sites on a compliant device. “It’s been a journey getting there,” he said. “But I think as folks learn from things we’ve done, things your organization has done, the industries have done, the process moves forward.”

PCI Facts of Life

Bob Russo refers to it as a modern day fact of life. “When was the last time you got on an airplane? Everything has changed,” he said. “It’s all about security these days.”

Here in the U.S. there are breach notification laws. “Any time there’s a breach everybody knows about it. It’s difficult to keep a customer from saying, ‘Maybe the reason I lost the use of my credit card for three or four days while I had to wait for a new one to come was because it got breached at my local convenience store,’” Russo said. “That’s the real, real issue here.”

To that end, the PCI Council has done a lot of good things for c-store merchants. It meets on a regular basis with a number of associations to receive input as to what their members are saying and doing. The council now has a merchant micro site on its newly redesigned Web site, www.pcisecuritystandards.org, where retailers can learn about the things they need to do to protect themselves.

Russo stressed that the areas retailers should be focusing on are not that technical. Take breaches at point-of-sale (POS) terminals, for example: POS systems are often breached because someone has opened the device and placed a skimmer over it, or something of that nature.

“Retailers need to get in the habit of taking a picture of a POS system when it’s first installed and keeping it safely in a file,” Russo advised. “Once every couple of months pull the picture out. Does it still look the same? For example, there were three wires coming out of it when you got it. Are there still three wires coming out of it? Those wires were all straight—is one of them curly now? A lot of this is just common sense, but you would be surprised at how many merchants still don’t know what the obligation is to be compliant, and the reason for that is that there is an education issue here.”

• Secure_integrity

There is no set of requirements in existence that will make a merchant or any business totally secure. Those organizations that question the effectiveness of PCI compliance in making them secure are clearly missing the point.

PCI DSS compliance does not promise that an organization will not be compromised. It does say that they are doing the right things to maintain a minimum level of security to protect cardholder information. The standard is not agile enough to be able to address every vulnerability and exploit available. Instead the PCI DSS is built on best practices.

An assessment should be able to determine if the organization is using these best practices consistently. An organization that practices good security resource (system, application, network, risk, etc.) management in a layered approach should be able to reduce the overall risk to their data.
