As vice president of technology for Columbitech, a Stockholm, Sweden-based wireless security company, Tobias Englund understands the security issues that retailers face in processing and storing credit card information. And as a consumer, he has an appreciation of these issues as well.
By shopping at a DSW Shoes outlet in New York City for shoes for his mother earlier this year, Englund became one of 1.4 million consumers whose credit card information was compromised by a security breach. "I didn't want that card if my number got out," he said. "It might be sold to some [credit card theft ring] in Russia. So I shredded the card and got a new one."
Retailers have been dealing with credit card fraud for years, but the Internet and the explosion of digital technology have compounded the risks of accepting credit card payments. In 2003, credit and debit card fraud losses in the U.S. amounted to more than $1.5 billion, according to Datamonitor. Moreover, the issue has gained new prominence in recent months as a number of high-profile cases have come to light, the result of a new California law that requires consumers to be informed of any breach of security involving their credit or debit card information.
DSW was one of those cases, which publicly demonstrated the "potential for problems" at the retail level, noted John Briggs, senior vice president, chief financial officer and treasurer for Hy-Vee, West Des Moines, Iowa, and chairman of Food Marketing Institute's electronic payment systems committee.
Another retailer cited for lax credit card security is BJ's Wholesale Club, Natick, Mass. In June, BJ's agreed to settle Federal Trade Commission charges that the retailer's failure to take appropriate credit security measures represented an "unfair practice that violated federal law." Under the settlement, BJ's will implement a comprehensive new security program, which will be audited for 20 years.
Perhaps the granddaddy of security breaches occurred at CardSystems Solutions, Atlanta, a payment processing company where a breach put credit and debit card account information for as many as 40 million consumers at risk.
"It's pretty clear that organized groups operating outside the U.S. are targeting U.S. retailers and e-commerce merchants," said Joe Majka, vice president, fraud control/CISP for Visa USA. "We've recently seen them targeting [brick-and-mortar] retailers more than e-commerce retailers."
Responding to public concern, many states are following California's lead in enacting card security laws. A number of bills have also been submitted at the federal level to address risks to personal data.
And in another signal of the importance retailers are attaching to the data security issue, last week Retail Systems Alert Group, Newton, Mass., announced it will launch a new conference, the Retail Data Security Forum, to be held Nov. 2 to 3, 2005 in Chicago. "We want to help retailers identify potential vulnerable points in their current security strategy and help them prepare to respond in the event of a breach," said Brian Kilcourse, chief strategist, Retail Systems Alert Group.
Of course, many retailers are already heavily engaged in addressing their data security, not only for credit card information but for loyalty and other consumer and product data. In part, they are now required to meet certain criteria set by the card associations' Payment Card Industry (PCI) Data Security Standard. PCI is aligned with standards previously set by Visa (the Cardholder Information Security Program, or CISP) and MasterCard (the Site Data Protection, or SDP, program).
The PCI standard consists of 12 basic actions (see chart, this page) grouped under six goals: building and maintaining a secure network; protecting cardholder data; maintaining a vulnerability management program; implementing strong access control measures; regularly monitoring and testing networks; and maintaining an information security policy. Retailers are expected to document their shortfalls and fix them. While not foolproof, the standards can make data criminals "go elsewhere," Visa's Majka said.
According to Majka, any merchant that stores, processes or transmits Visa card data must comply with the PCI standard. However, larger, level-one retailers -- those who process more than 6 million transactions per year -- have since last fall been required to show proof of compliance, using a third-party assessor or internal audit; a quarterly third-party network scan is also required.
Since June 30, e-commerce merchants in levels two and three (between 20,000 and 6 million annual transactions) have been required to validate their compliance. They can employ a self-assessment questionnaire but must do a quarterly third-party network scan.
Though brick-and-mortar merchants processing fewer than 6 million transactions annually are not required to validate compliance, "we recommend they complete a self-assessment questionnaire and do an annual network scan," Majka said.
One company that performs audits and network scans is nuBridges, Atlanta. "One of our clients is an 1,100-store retailer that had a breach," said Gary Palgon, director of product management, nuBridges. "They wanted to make sure every link from the POS to every point is secure."
A major point of vulnerability at retail stores is the wireless network. Columbitech's virtual private network (VPN) technology is designed to stop an attacker who gets onto the wireless network from using it to reach internal systems. "Retailers need to secure any wireless device in the store so there are no holes," Englund said.
One of the biggest security mistakes retailers can make, Majka said, is to store all of the data contained in a card's magnetic stripe, including the security code encoded on the stripe, which data criminals can use to counterfeit cards. While it is acceptable to store a consumer's credit card number, some payment card software allows retailers to "log and store everything," he said. Storing security codes is prohibited by Visa and would prevent a retailer from being PCI-compliant, he added.
Retailers therefore may need to verify, rather than assume, that their point-of-sale systems are not capturing forbidden data from cards. On its Web site, Visa has a list of software providers whose payment applications comply with the card association's guidelines. "We've found a number of retailers that had [security breach] incidents that did not realize they were storing [security code] data," Majka said.
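A check of the kind Majka describes can be automated. The following Go program is added here as an example; it is not code from the article, from Visa or from any POS vendor. It scans constructed POS log lines for full magnetic-stripe track data (the storage the card brands prohibit) and separately flags bare card numbers that pass the Luhn check, which a retailer may store but must still protect. The log layout, field names and regular expressions are assumptions, and the card numbers are published test numbers, not real accounts.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one hit in a log line: what kind of data it is, a masked PAN,
// and whether storing it after authorization is prohibited.
type Finding struct {
	Line       int
	Kind       string // "track1", "track2" or "pan"
	MaskedPAN  string
	Prohibited bool
}

// Magnetic-stripe track data as it typically appears in POS or gateway logs.
// Track 2: ;PAN=YYMM<service code><discretionary data>?
// Track 1: %B<PAN>^<NAME>^YYMM<service code><discretionary data>?
var (
	track2Re = regexp.MustCompile(`;(\d{13,19})=\d{4}\d{3}\d*\?`)
	track1Re = regexp.MustCompile(`%[A-Z](\d{13,19})\^[^^]{2,26}\^\d{4}\d{3}[^?]*\?`)
	panRe    = regexp.MustCompile(`\b\d{13,19}\b`) // candidate bare PAN
)

// luhnValid reports whether a digit string passes the Luhn check that every
// card PAN satisfies; it filters out order numbers and other long digit runs.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if d < 0 || d > 9 {
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// maskPAN keeps the first six and last four digits, so the report itself
// does not become another store of card numbers.
func maskPAN(pan string) string {
	if len(pan) < 11 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// scanLines classifies each line. Full track data is reported as prohibited
// storage; a bare Luhn-valid PAN is reported for review of encryption and
// retention but is not by itself a compliance failure.
func scanLines(lines []string) []Finding {
	var out []Finding
	for n, line := range lines {
		if m := track1Re.FindStringSubmatch(line); m != nil {
			out = append(out, Finding{Line: n + 1, Kind: "track1", MaskedPAN: maskPAN(m[1]), Prohibited: true})
		} else if m := track2Re.FindStringSubmatch(line); m != nil {
			out = append(out, Finding{Line: n + 1, Kind: "track2", MaskedPAN: maskPAN(m[1]), Prohibited: true})
		} else {
			for _, pan := range panRe.FindAllString(line, -1) {
				if luhnValid(pan) {
					out = append(out, Finding{Line: n + 1, Kind: "pan", MaskedPAN: maskPAN(pan), Prohibited: false})
				}
			}
		}
	}
	return out
}

// sampleLog is constructed for this example (test PANs, not real accounts).
var sampleLog = []string{
	"2005-07-12 10:01:03 POS-07 AUTH pan=4111111111111111 amt=59.99",
	"2005-07-12 10:01:04 POS-07 RAW ;4111111111111111=25121011234567890?",
	"2005-07-12 10:02:11 POS-07 RAW %B5500000000000004^DOE/JOHN^2512101000000000?",
	"2005-07-12 10:03:00 POS-07 batch 1234567890123 closed",
}

func main() {
	for _, f := range scanLines(sampleLog) {
		status := "review"
		if f.Prohibited {
			status = "PROHIBITED"
		}
		fmt.Printf("line %d: %-6s %s %s\n", f.Line, f.Kind, f.MaskedPAN, status)
	}
}
```

The fourth sample line contains a 13-digit batch number that fails the Luhn check and is correctly ignored; the first line is reported for review only, while the two raw-capture lines are the ones that would make a retailer non-compliant.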
Any retailer that suffers a security breach without being in compliance with PCI standards faces a Visa-levied fine as high as $500,000 per incident, plus $100,000 per incident for failure to immediately notify Visa of any suspected loss or theft. In some cases, such as the CardSystems security breach, Visa and American Express have elected to cut ties with the company altogether.
Even a standards-compliant retailer could still face legal action from third parties if stolen card information was used to commit fraud. Following the industry standard, though, would help reduce the risk of legal liability, Majka said.
On the other hand, for everyday POS transactions, if a retailer follows all card acceptance procedures, including card swiping or imprinting, authorization, and signature capture, then it is not responsible for a fraudulent transaction. Online merchants don't have that guarantee, though if they subscribe to Visa's "verified by Visa" program, the issuing bank assumes liability for fraud, Majka said.
Are retailers in compliance with the PCI standard? "A high percentage of level-one retailers have submitted compliance reports to Visa," Majka said. Of those, "some are fully compliant, a large percentage are very close to full compliance." Visa is working with retailers falling short of compliance and their banks to resolve "outstanding items," he said.
FMI has heard that "the vast majority of retailers feel they are in compliance," said Stacy Fitzgerald-Redd, senior manager, supply chain and technology, for FMI. In addition, some smaller retailers who aren't required to have an outside audit "have gone the additional step and hired a third-party auditor." However, Hy-Vee's Briggs said he has heard that "quite a few" retailers have not filed compliance reports yet.
Joy Nicholas, principal consultant, Cascade Retail Technologies, Potomac Falls, Va., said she was told by a Visa executive that some retailers still keep old credit card receipts in boxes in the back of the store. "There are a lot of places [in the store and at headquarters] where credit card information goes and is stored that retailers may not even be aware of, but those are subject to security requirements," she said. "You have to know where the data is going and how it's captured and stored."
Hy-Vee, which runs more than 220 stores, has filed its own report to Visa validating its compliance with PCI standards. "We had a couple of software packages we need to upgrade," Briggs said. "It was nothing really major. We think we covered all the bases." Hy-Vee is also hiring an outside auditor to check its compliance with the standards.
The dilemma for Hy-Vee, Briggs noted, is that Visa has not responded to the retailer's compliance report. "If I have a problem with a software vendor, I know who to call. But Visa has not made itself readily available to us," he said. In particular, Hy-Vee wants to know how flexible Visa is willing to be about security controls. "We may have a control that makes the system more secure, but if their guidelines are rigid, they might not [accept it]," he explained.
Asked if Visa is responding to retailer's compliance reports, Majka said, "We do try to address each submission. Most level-one merchants have pretty clear feedback as to where they are in the process." He advised retailers waiting for feedback to inquire about their status with their merchant bank, which can find out from Visa.
Beyond feedback on PCI compliance, Briggs also complained about a general lack of communication between retailers and the card associations. He said the PCI concept of a uniform industry standard, rather than individual card association standards, was "beneficial," and a reflection of retailers' concerns. But he would have preferred that the associations asked for merchants' input in developing the standards. "There's not a dialogue," he said. "I'd like to see something."
Majka countered that Visa has "a pretty good relationship, especially with level-one retailers." Those retailers, he said, now understand what is required of them, whereas "a year ago that was not the case."
Another bone of contention for retailers is the card associations' interchange rates, which determine the transaction fee retailers pay for each credit card transaction. Retailers have protested that the rates are too high, especially for thin-margin retail operators.
Interchange fees are designed in part to compensate the card associations for fraud, but even if fraud rates drop, Briggs wonders whether interchange rates will follow. "We've spent money to be compliant and I suppose there will be a reduction in fraud, yet I don't see better interchange rates. [The card associations] don't show much incentive to do something." Majka declined to comment about interchange rates.
Some observers have suggested that the card associations require consumers to provide a personal identification number (PIN) instead of a signature, which can be easily forged, when making a credit card purchase. Hy-Vee, like many food retailers, accepts PIN-based debit cards, so it is already capable of accepting PINs. In Europe, countries like France and England require PINs for credit transactions.
Majka said that while Visa USA is always looking at new technology to make transactions more secure, it has nothing new to announce.
REQUIRED DATA SECURITY ACTIONS
1. Install and maintain firewall configuration to protect data.
2. Do not use vendor-supplied defaults for passwords.
3. Protect stored data.
4. Encrypt transmission of cardholder data across public networks.
5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems.
7. Restrict access to data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security.
Based on the PCI standard developed by Visa and MasterCard.
For processing debit payments that require a personal identification number (PIN), retailers will need to be equipped with point-of-sale transaction terminals that are up to the latest industry standards for encrypting, and thus safeguarding, PINs.
The most common standard to which terminals adhere is derived unique key per transaction, or DUKPT, under which each terminal starts from its own initial key and derives a fresh key from it for every transaction. What this standard did was to ensure that each checkout terminal would use its own encryption "key" for the PIN entered by the consumer, explained Joy Nicholas, principal consultant, Cascade Retail Technologies, Potomac Falls, Va.
In the past, all terminals in a store would use the same key, so "if you hacked one terminal, you hacked them all," she said. Some extensions for DUKPT compliance are ending no later than next February, she said.
The latest encryption tool is triple DES (TDES), which applies the original DES cipher three times under two or three keys and replaces single DES, whose 56-bit key is too short to resist brute force. According to the Visa Web site, since January 2004, all newly deployed POS PIN acceptance devices (including replacement devices) have had to support TDES.
In addition, as of July 1, 2010, all transactions originating at POS PIN entry devices must encrypt PINs using TDES from the point of transaction to the issuing bank. Thus, by that date, all retailers must use terminals that comply with DUKPT and TDES to meet Visa's requirements. MasterCard has also established TDES and DUKPT criteria.
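To make the unique-key-per-terminal idea and TDES PIN encryption concrete, here is an added Go example; it is not code from the article or from any terminal vendor. It builds an ISO 9564-1 format 0 PIN block (the PIN combined with the account number) and encrypts it with two-key TDES under a key unique to each terminal, then shows that a block captured from one terminal is useless under another terminal's key. The terminal-key derivation is a hypothetical one-way construction used only to illustrate why compromising one terminal does not expose the rest; it is not the ANSI X9.24 DUKPT algorithm, which derives keys differently and also changes the key on every transaction. The base key, serial numbers, PIN and PAN are constructed test values.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// tdesKey24 expands a 16-byte double-length key K1||K2 into the 24-byte
// K1||K2||K1 layout that crypto/des expects for two-key triple DES.
func tdesKey24(key16 []byte) []byte {
	return append(append([]byte{}, key16...), key16[:8]...)
}

// tdesBlock encrypts or decrypts one 8-byte block with two-key TDES.
func tdesBlock(key16, in []byte, decrypt bool) ([]byte, error) {
	if len(key16) != 16 || len(in) != 8 {
		return nil, errors.New("need a 16-byte key and an 8-byte block")
	}
	c, err := des.NewTripleDESCipher(tdesKey24(key16))
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	if decrypt {
		c.Decrypt(out, in)
	} else {
		c.Encrypt(out, in)
	}
	return out, nil
}

// deriveTerminalKey is a HYPOTHETICAL illustration, not ANSI X9.24 DUKPT:
// each terminal's key is TDES under the base key of the terminal's serial,
// so a key extracted from one terminal reveals neither the base key nor any
// other terminal's key (inverting the cipher would require the base key).
func deriveTerminalKey(baseKey16 []byte, serial string) ([]byte, error) {
	sn := make([]byte, 8) // first 8 bytes of the serial, zero-padded
	copy(sn, serial)
	left, err := tdesBlock(baseKey16, sn, false)
	if err != nil {
		return nil, err
	}
	snAlt := append([]byte{}, sn...)
	snAlt[7] ^= 0xFF // second key half comes from a distinct input
	right, err := tdesBlock(baseKey16, snAlt, false)
	if err != nil {
		return nil, err
	}
	return append(left, right...), nil
}

// panField returns the format 0 PAN field: "0000" followed by the rightmost
// 12 digits of the PAN with its check digit removed.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 || strings.Trim(pan, "0123456789") != "" {
		return nil, errors.New("PAN must be at least 13 digits")
	}
	acct := pan[:len(pan)-1]
	return hex.DecodeString("0000" + acct[len(acct)-12:])
}

// formatPINBlock builds an ISO 9564-1 format 0 PIN block:
// ("0" + PIN length + PIN + 'F' padding) XOR ("0000" + 12 PAN digits).
func formatPINBlock(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || strings.Trim(pin, "0123456789") != "" {
		return nil, errors.New("PIN must be 4 to 12 digits")
	}
	f1, err := hex.DecodeString(fmt.Sprintf("0%X%s", len(pin), pin) + strings.Repeat("F", 14-len(pin)))
	if err != nil {
		return nil, err
	}
	f2, err := panField(pan)
	if err != nil {
		return nil, err
	}
	block := make([]byte, 8)
	for i := range block {
		block[i] = f1[i] ^ f2[i]
	}
	return block, nil
}

// extractPIN reverses formatPINBlock and validates the layout, so a block
// decrypted under the wrong key is rejected instead of yielding a bogus PIN.
func extractPIN(block []byte, pan string) (string, error) {
	f2, err := panField(pan)
	if err != nil {
		return "", err
	}
	f1 := make([]byte, 8)
	for i := range f1 {
		f1[i] = block[i] ^ f2[i]
	}
	s := strings.ToUpper(hex.EncodeToString(f1))
	n := int(f1[0] & 0x0F)
	if f1[0]>>4 != 0 || n < 4 || n > 12 {
		return "", errors.New("not a format 0 PIN block")
	}
	pin, pad := s[2:2+n], s[2+n:]
	if strings.Trim(pin, "0123456789") != "" || pad != strings.Repeat("F", 14-n) {
		return "", errors.New("PIN block failed validation")
	}
	return pin, nil
}

// encryptPIN runs at the terminal; decryptPIN at a host holding that
// terminal's key. No other terminal's key will recover the PIN.
func encryptPIN(terminalKey []byte, pin, pan string) ([]byte, error) {
	block, err := formatPINBlock(pin, pan)
	if err != nil {
		return nil, err
	}
	return tdesBlock(terminalKey, block, false)
}

func decryptPIN(terminalKey, enc []byte, pan string) (string, error) {
	block, err := tdesBlock(terminalKey, enc, true)
	if err != nil {
		return "", err
	}
	return extractPIN(block, pan)
}

func main() {
	// Constructed base key, serials, PAN and PIN for the demonstration only.
	base, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")
	pan, pin := "4111111111111111", "1234"
	for _, serial := range []string{"TERM0007", "TERM0008"} {
		k, _ := deriveTerminalKey(base, serial)
		enc, _ := encryptPIN(k, pin, pan)
		fmt.Printf("%s key=%X encrypted PIN block=%X\n", serial, k, enc)
	}
}
```

With the constructed inputs the plaintext PIN block is 041225EEEEEEEEEE; the same block encrypted under the two terminal keys produces two different ciphertexts, and decrypting terminal 7's block under terminal 8's key fails the format check in extractPIN rather than returning a wrong PIN.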