Over the past month, two Arizona-based food retailers — Bashas’ and Sprouts Farmers Markets — were victims of point-of-sale malware attacks that compromised the security of consumers’ payment card information.
Bashas’ did not specify where the “highly sophisticated piece of malware that has never been seen before in the industry” was found but said that it has installed additional security measures at its point-of-sale and enterprise systems.
Sprouts acknowledged that the malware was planted in the POS system at 19 of its 151 stores, affecting credit card terminals, but did not say how it was introduced; the chain removed the tainted terminals and also strengthened POS procedures and added protections in all stores. Neither chain elaborated on the nature of their security enhancements.
Notably, both chains professed to be compliant with PCI (payment card industry) data security standards, established for retailers by the major card issuers, at the time of their breaches. Since being compliant did not prevent the breaches, both were compelled to install the additional security protections for customer information.
In order to achieve PCI compliance – a requirement for taking payment cards — retailers have to follow a series of steps intended to safeguard the sensitive card data that they process. Yet PCI compliance, as these and other cases have demonstrated, provides no guarantee of protection against data breaches.
The key lesson for retailers is that data security is much more complicated and demanding that PCI compliance alone.
For one thing, being PCI compliant at any point in time does not mean that a month, a week or even a day later the retailer is still compliant, given changes made to its IT infrastructure in the mean time, noted Walter Conway, a San Francisco-based Qualified Security Assessor and manager of 403 Labs, Brookfield, Wis.
“Just because you’re compliant on a particular day, that doesn’t mean that a week later someone hasn’t added a new server or put in a wireless network or done something to jeopardize compliance,” he told SN.
Indeed, maintaining PCI compliance — and with it a minimal level of data security — requires ongoing vigilance, including reviewing daily log data. “A lot of times evidence of the breach was right there in the logs and no one was checking them,” Conway noted.” But these checks may be neglected when an employee is out sick or on vacation.
Other periodic checks need to be made, such as security scans and firewall reviews. “PCI compliance is the gift that keeps on giving,” Conway said. “You can’t say, ‘Oh, I’m done for the year. It’s an ongoing daily, monthly quarterly, six-month ongoing requirement to remain compliant.”
And even when retailers meet PCI requirements faithfully throughout the year, they still can’t assume their networks are secure. PCI’s mainly serves as a data protection standard – keeping sensitive card data away from hackers – but sets a “low bar” for overall enterprise security, Conway warned.
He pointed out two examples in which PCI compliance can fail to protect card data. One, if a retailer has a rogue insider with access to data. “There’s no protection against that,” he said. The other is when hackers are able to install a data “skimmer” at the POS. While PCI offers guidance on how to physically inspect POS equipment for suspicious activity, it has no requirement to do so — something Conway advocates for the next version of PCI (3.0) when it is released this fall.
The upshot: Retailers need to go beyond PCI requirements to secure their store systems, as Bashas’ and Sprouts have apparently done.
One such enhancement is point-to-point encryption (sometimes called end-to-end encryption) of card data from the moment a card is swiped until it reaches a secure destination at the processor or bank. In SN’s new State of the Industry Report on Supermarket Technology, just under 40% of respondents said they are using end-to-end encryption.
Aggressively reducing PCI scope via encryption — in effect, putting data out of harm’s way so it’s not subject to PCI rules — is one of the best ways to become secure, said Conway, adding that this can also be accomplished by replacing data with “tokens” — or tokenization.
However, he said, no matter how useful the technology, data security “comes down to people.” I agree — in the end data security will come from having employees who use common sense and have awareness of potential weaknesses.
|Suggested Categories||More from Supermarketnews|