Ever since Hannaford Bros. experienced a massive data security breach in 2007, losing control of 4.2 million credit and debit cards, food retailers have been seeking to learn from the Scarborough, Maine-based chain's experience.
The first lesson from the Hannaford episode: card numbers could be intercepted “in transit” — as they were being transmitted from the card-swipe PIN pad across the retailer's private network. The second lesson: compliance with the five-year-old Payment Card Industry (PCI) Data Security Standard (Hannaford was PCI-compliant) proved not to be a sufficient defense against malware that could pilfer moving card data.
“I may be PCI compliant, but that doesn't mean I'm secure,” said Walt Conway, manager, 403 Labs, San Francisco, a qualified security assessor (QSA) and forensics investigator.
The PCI standard only requires data at rest in a retailer's stores or headquarters to be encrypted. But following its breach, Hannaford decided to encrypt card data in motion through its private network as well, from the moment a card is swiped at the PIN pad, rendering it useless to hackers.
Hannaford has declined to say how far into its processing network the card data remains encrypted. But this approach to data security, known as end-to-end encryption (E2EE) or, more generally, point-to-point encryption (P2PE), has become a much-discussed security technology, one that is starting to be adopted by food retailers intent on not becoming the next highly publicized breach case. However, the technology is still in the early days of implementation and awaits industry standards for testing and validating its effectiveness.
Moreover, regardless of the technology used to secure data, it needs to be married to vigilant business practices, say security experts.
Protecting card data in transit is not the only security area of concern for retailers. Over the past year, there have been several high-profile attacks on payment terminals at multi-state chains like Aldi and the Michaels craft stores. POS systems account for 76% of the assets targeted by hackers, according to Trustwave's 2011 global security report.
Other recent attacks have focused on email addresses, such as the breach at Epsilon Interactive, a database services firm with retail clients, and at Canadian retailer T&T Supermarket, a division of Loblaw Cos. Overall, data breaches in the U.S. were up 10% in the first quarter of 2011 compared with the same period in 2010, according to the Privacy Rights Clearinghouse. Moreover, security experts see small and midsized companies as being particularly at risk.
In an effort to counter these trends, retailers are looking for help from such technologies as E2EE, as well as tokenization and EMV (chip and PIN) cards. In addition there is a new focus on the security needs of virtualized computing systems as well as the security issues raised by the growing use of smartphones as payment devices.
PLETHORA OF E2EE
Not long after the Hannaford breach, a variety of hardware and processing companies began offering E2EE services. In 2008, VeriFone Systems, San Jose, Calif., partnered with Semtek Innovative Solutions to offer the VeriShield Protect E2EE system. In August of 2009, the processor/acquirer WorldPay announced that it would market the VeriShield system, and two months later processor/acquirer Chase Paymentech said it would do the same.
Other vendors offering encryption systems include Fifth Third Processing Solutions, First Data and RSA (with a joint solution), Hypercom and Heartland Payment Systems. Connected Payments, a processing system for small retail chains and independents that includes encryption, is offered by StoreNext Retail Technologies and MTXEPS, in concert with payment processor partners.
In January, WorldPay announced that McKeever's Enterprises, which runs nine Price Chopper stores in the Kansas City area, would be the first food retailer to use the VeriShield E2EE system. After a 30-day pilot, McKeever's installed the system in all of its stores. Three other food retailers have also deployed the system, said Ian Drysdale, WorldPay's business development senior vice president.
The system encrypts credit card numbers and magnetic-stripe data at the VeriFone terminal — at the moment of swipe or manual number entry — and keeps that data encrypted until its arrival at WorldPay, McKeever's card acquirer and processor, which is connected to the card brands. The VeriFone terminals are equipped with a tamper-resistant security module (TSM) that protects the encryption keys from tampering. “If you attack it with a screwdriver, it automatically destroys the encryption technology,” said Drysdale.
“The secure handling of customers' credit card data is of great importance to us,” said Tim Cosens, director of information technology for McKeever's. “A breach in security could be devastating. We know that we are doing everything we can to protect them from fraud or identity theft.”
At the same time, McKeever's is protecting its stores' brand image. “The last thing merchants want is word spreading that it's not safe to use credit cards in their stores,” Cosens said.
Since installing the system, “data security has been substantially increased,” Cosens said, compared with grocers that use token-based systems or, especially, “those who have taken no more than the basic PCI-required security measures.”
Cosens pointed out that the system allows McKeever's to avoid having credit card data stored or transmitted in its network, which limits its risk and makes PCI compliance easier. “We know that even the best encryption methods won't eliminate the need for PCI compliance,” he said. “But with the E2EE [system], we will no longer physically transmit any card data in any of our systems, which will greatly reduce our PCI scope and its associated costs.”
According to Drysdale, the cost of the E2EE system is a per-transaction fee in the range of the fee charged for processing the transaction. “McKeever's expects to pay for that through a 70% to 75% reduction in security costs tied to less complex PCI audits and compliance,” said Cosens. “Plus, as data hackers become more savvy, we won't need to continue to invest as much in building higher walls around our security measures,” he added. McKeever's is also protecting itself from the potential of “very substantial fines and penalties” from the credit card companies when security breaches take place.
When WorldPay approached McKeever's about using the E2EE system, the retailer happened to be working on upgrading its POS systems. As part of the deployment, WorldPay swapped the retailer's VeriFone transaction terminals with similar devices programmed for the E2EE service. The current generation of VeriFone terminals already contains the tamper-resistant security module, but may still need the encryption algorithm, said Drysdale.
Cosens preferred an E2EE system that employed hardware as well as software at the outset, ensuring that “the data is encrypted the entire time,” rather than a software-based system. Software encryption solutions are “more susceptible to attack” than tamper-resistant hardware systems, said Scott Laliberte, managing director for Protiviti, a consulting and auditing firm based in Menlo Park, Calif.
In addition, the WorldPay system uses “format-preserving encryption,” which communicates encrypted data in the same format as a card number. This method “works seamlessly with our POS system,” said Cosens.
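The point of format-preserving encryption is that the ciphertext still looks like a card number to every system between the PIN pad and the acquirer, so legacy POS field checks keep passing while the digits are useless to anyone reading the wire. The following Python is an added teaching example, not code from the article and not WorldPay's or VeriFone's algorithm (the standardized construction is NIST FF1; this is a simplified Feistel network over decimal digits with an HMAC-SHA256 round function). The key, the test PAN, and the choice to leave the six-digit BIN and the last four digits in the clear are all assumptions for this example.

```python
import hashlib
import hmac

# Toy format-preserving cipher for teaching purposes (not NIST FF1 and not any
# vendor's product): a Feistel network over decimal digits whose round function
# is HMAC-SHA256. The first six digits (BIN) and last four stay in the clear,
# which many P2PE deployments need for routing and receipts; the six middle
# digits are encrypted as two 3-digit halves.
ROUNDS = 10
HALF_MOD = 1000  # each Feistel half is a value in 0..999

# Constructed demo key; a real deployment keeps the key inside the terminal's
# tamper-resistant hardware and the acquirer's HSM.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def _split_pan(pan: str):
    """Split a 16-digit PAN into BIN, middle six digits and last four."""
    if len(pan) != 16 or not pan.isdigit():
        raise ValueError("expected a 16-digit numeric PAN")
    return pan[:6], pan[6:12], pan[12:]


def _round_function(key: bytes, tweak: bytes, round_no: int, half: int) -> int:
    """Keyed PRF: map (tweak, round number, one half) to a value in 0..999."""
    msg = tweak + bytes([round_no]) + half.to_bytes(2, "big")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") % HALF_MOD


def encrypt_pan(key: bytes, pan: str) -> str:
    """Encrypt the middle six digits; the output is again a 16-digit string."""
    bin6, middle, last4 = _split_pan(pan)
    tweak = (bin6 + last4).encode()  # bind the ciphertext to the clear digits
    left, right = int(middle[:3]), int(middle[3:])
    for i in range(ROUNDS):
        left, right = right, (left + _round_function(key, tweak, i, right)) % HALF_MOD
    return bin6 + f"{left:03d}{right:03d}" + last4


def decrypt_pan(key: bytes, ciphertext: str) -> str:
    """Invert encrypt_pan by running the Feistel rounds backwards."""
    bin6, middle, last4 = _split_pan(ciphertext)
    tweak = (bin6 + last4).encode()
    left, right = int(middle[:3]), int(middle[3:])
    for i in reversed(range(ROUNDS)):
        left, right = (right - _round_function(key, tweak, i, left)) % HALF_MOD, left
    return bin6 + f"{left:03d}{right:03d}" + last4


def looks_like_pan(value: str) -> bool:
    """What a legacy POS field validator typically checks: 16 decimal digits."""
    return len(value) == 16 and value.isdigit()


if __name__ == "__main__":
    pan = "4111111111111111"  # constructed test PAN
    ct = encrypt_pan(DEMO_KEY, pan)
    print("swiped     :", pan)
    print("on the wire:", ct, "| passes POS format check:", looks_like_pan(ct))
    print("at acquirer:", decrypt_pan(DEMO_KEY, ct))
```

The tweak ties the encrypted middle digits to the BIN and last four, so splicing the encrypted portion of one card onto the clear digits of another does not decrypt to anything useful. Note that with only six digits encrypted, the protection rests on the key staying inside tamper-resistant hardware; the construction is meant to show the format property, not to be deployed.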
During the test phase, McKeever's ran into one issue: it had to work with WorldPay to enable certain BIN (bank identification number) ranges on its payment terminals for Electronic Benefit Transfer (EBT) cards. “After the first store, this problem was solved, and it has been smooth sailing since,” Cosens said.
While a “big fan” of P2PE, Conway of 403 Labs pointed out that to date there are no independent labs employing standard tests of P2PE systems. “P2PE is still in its early days,” he said. “Merchants are doing a lot of trusting; there's not hard third-party evidence.”
Conway also advised retailers using P2PE to “make sure it works in your store environment,” especially existing POS equipment, and explore what happens upon changing payment processors.
He also warned that P2PE does not cover any systems outside the beginning and end points of encryption. “It can reduce PCI to a minor issue but not make it go away,” he said. Card data that remains within a retailer's enterprise (something Conway advises strongly against) remains within PCI scope.
Last year, the PCI Security Standards Council, Wakefield, Mass., which oversees PCI and related standards, published an “Initial Roadmap” on P2PE technology and how it related to PCI compliance. The document acknowledged that P2PE systems may reduce “the number of system components to which [the PCI standard] applies,” while not eliminating the need to maintain PCI compliance.
However, the document also noted that methods for validating P2PE systems and implementations remain “immature,” pointing to the need for “standardization of the technology and validation processes to ensure consistent and robust security practices are followed.”
The council is in the process of “designing and delivering validation requirements” that will cover the various types of P2PE systems, said Bob Russo, the council's general manager. The first phase of the process will provide criteria for validating hardware-based encryption solutions, such as WorldPay's, for merchants that manage encryption through their processor or acquirer. “We are targeting fall for the release of these criteria,” he said.
Drysdale believes that WorldPay's E2EE system would have prevented a breach like the one that occurred last year at Aldi stores in 11 states; according to an AP report, altered payment terminals were illegally placed in the stores, exposing names, account numbers and secret codes. Under the E2EE system, if a different terminal is used and an unencrypted transaction is transmitted, “that transaction would fail and we would be alerted,” he said.
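Drysdale's point is that the acquirer can refuse traffic that does not look like it came from the enrolled, key-holding terminal. The Python below is an added illustration of that acquirer-side rule, written for this article and not WorldPay's code: a terminal registry, a per-terminal MAC key, and an evaluation that rejects and alerts on cleartext from an enrolled terminal, on a MAC that does not verify (a substitute device that knows the terminal ID but not its key), and on a terminal ID that was never enrolled. The message layout, field names, keys and terminal IDs are assumptions constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed illustration of an acquirer-side acceptance rule for E2EE traffic.
# Once a terminal is enrolled, anything arriving from its ID in the clear, or
# without a MAC that verifies under that terminal's key, is rejected and alerted.


@dataclass
class Terminal:
    terminal_id: str
    mac_key: bytes          # per-terminal key shared with the acquirer (constructed)
    e2ee_enrolled: bool


@dataclass
class Acquirer:
    terminals: dict                          # terminal_id -> Terminal
    alerts: list = field(default_factory=list)

    @staticmethod
    def _mac(key: bytes, msg: dict) -> str:
        """Authenticate the fields the acquirer relies on for this transaction."""
        data = f"{msg['terminal_id']}|{msg['amount']}|{msg['pan_field']}".encode()
        return hmac.new(key, data, hashlib.sha256).hexdigest()

    def evaluate(self, msg: dict) -> tuple:
        term = self.terminals.get(msg.get("terminal_id"))
        if term is None:
            return self._reject(msg, "unknown terminal id")
        if term.e2ee_enrolled and not msg.get("encrypted", False):
            return self._reject(msg, "cleartext transaction from E2EE-enrolled terminal")
        if term.e2ee_enrolled:
            expected = self._mac(term.mac_key, msg)
            if not hmac.compare_digest(expected, msg.get("mac", "")):
                return self._reject(msg, "MAC failed under enrolled terminal key")
        return ("accept", "ok")

    def _reject(self, msg: dict, reason: str) -> tuple:
        # Every rejection is also an alert: a swapped or bypassed terminal is
        # exactly the event the merchant and acquirer want to hear about.
        self.alerts.append({"terminal_id": msg.get("terminal_id"), "reason": reason})
        return ("reject", reason)


def build_message(term: Terminal, amount: str, pan_field: str, encrypted: bool = True) -> dict:
    """What a genuine enrolled terminal sends: MAC computed with its own key."""
    msg = {"terminal_id": term.terminal_id, "amount": amount,
           "pan_field": pan_field, "encrypted": encrypted}
    msg["mac"] = Acquirer._mac(term.mac_key, msg)
    return msg


def run_scenarios() -> dict:
    """Four constructed messages against one enrolled terminal."""
    store_terminal = Terminal("T-1001", b"constructed-terminal-key", e2ee_enrolled=True)
    acq = Acquirer(terminals={store_terminal.terminal_id: store_terminal})

    # 1. Normal: enrolled terminal, encrypted PAN field, valid MAC.
    good = build_message(store_terminal, "42.17", "ENC:constructed-ciphertext")
    # 2. Cleartext arrives under an enrolled terminal ID (device bypassed or replaced).
    clear = dict(good, encrypted=False)
    # 3. Substitute device knows the ID but not the key, so its MAC is wrong.
    forged = dict(good, mac="0" * 64)
    # 4. Device with an ID the acquirer never enrolled.
    unknown = dict(good, terminal_id="T-9999")

    return {
        "good": acq.evaluate(good),
        "clear": acq.evaluate(clear),
        "forged": acq.evaluate(forged),
        "unknown": acq.evaluate(unknown),
        "alert_count": len(acq.alerts),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:12s} -> {outcome}")
```

The useful property is that the check does not depend on the PAN field's appearance (with format-preserving encryption, ciphertext and cleartext look alike); it depends on the terminal's key, which a screwdriver-opened or substituted device does not have.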
An Aldi spokeswoman said that the company was PCI compliant at the time of the breach last year and continues to be PCI compliant, but she declined to discuss its data security measures.
Incidents like the Aldi breach highlight the need for ongoing vigilance when it comes to POS security, said Russo. “Point of sale continues to be a security hotspot.”
The PCI Security Standards Council addresses payment terminal security in a number of ways, including the PIN Transaction Security (PTS) requirements. The requirements outline specific physical and logical security requirements for these devices. In addition, the council has produced a skimming prevention paper to help merchants identify altered or tampered devices. “We talk about how technology is not enough when it comes to security — people and processes are critical,” said Russo. “So make sure your employees are aware of these types of threats and that they are not leaving POS devices unattended and open to theft or tampering.”
Conway also contends that retailers need to train staff to notice when payment terminals look different and to check network logs for unusual activity. “PCI is a business issue, not a technology issue,” he said. “You need the IT and business sides working together to come up with good, secure practices.”
While P2PE systems are focused on disguising the card data moving through retail networks, Cisco, San Jose, Calif., is concentrating on securing the retail network that carries the data as well as systems that store it, creating an “end-to-end PCI-compliant architecture,” said Lindsay Parker, Cisco's global retail industry director.
The architecture includes around 30 products, such as the routers and switches that make up a retail data network, wireless, video surveillance and voice systems, as well as virtualized data center systems. “We configured the products to meet PCI guidelines,” Parker said, adding that Verizon Business was hired to independently vet their compliance.
This week Cisco is publishing a comprehensive retail design and implementation guide to help retailers assemble a PCI-compliant architecture. Cisco has also commissioned professional artists to create PCI-inspired works of art, including paintings, sculpture and multi-media, to raise awareness of payment card security. The results are displayed at Cisco's corporate headquarters in San Jose.
One retail user of Cisco technology is Spartan Stores, Grand Rapids, Mich. To comply with PCI regulations, Spartan installed Cisco's IP video surveillance cameras to capture video of the servers used to process credit card data around the clock, identifying people who had access to the servers, according to a case study published late last year by Cisco. “To meet the requirement, we needed to store 90 days of video with fluid motion and clear picture quality for positive identification,” said Tim Bartkowiak, director of security and loss prevention for Spartan, in the case study.
Cisco's move to help retailers assemble a PCI compliant architecture resulted from a survey of 500 IT executives, including some from retail companies. Seventy percent of all respondents said that their organizations are more secure because of PCI compliance. But 51% said they still feel PCI compliance is burdensome, an issue the PCI-oriented systems are meant to alleviate.
The biggest PCI pitfall that Protiviti's Laliberte sees for any retailer is keeping more stored card data than necessary. “They are keeping data for 60 days or six months when they may need it for two days or a week,” he said. “Our recommendation is to store the least amount possible to support your business.” He also suggests moving to a tokenization scheme for stored data, maintaining a token that represents the data but is meaningless to hackers, with the actual data residing at a secure third-party vendor. “Tokenization costs money but you can lower your risk and cut your PCI compliance costs.”
Conway goes a step further, saying that retailers should store “no card data on any computer. There's no need.” Even Visa, he pointed out, urged retailers last year not to keep full card data in their systems and instead use truncated, disguised or masked card numbers for dispute resolution. Conway also supports the use of tokenization to reduce PCI scope, though it, like P2PE, is still awaiting industry standards. He also pointed out the need to monitor PCI compliance on a continuous basis, checking daily network logs, doing quarterly scans, as well as annual validation. “PCI is the gift that keeps on giving,” he said.
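To make the tokenization and data-minimization advice above concrete, here is an added Python example (written for this article, not any vendor's product or the article's own code) of the division of labor Laliberte and Conway describe: the merchant's systems keep only a token and a masked number for receipts and dispute lookups, the full PAN exists only inside a vault, and the vault enforces a short retention window so data is not kept for months when it is needed for days. The vault API, the token shape (random digits with the real last four kept), the retention period and the sample PAN are all assumptions for the example.

```python
import secrets
from datetime import datetime, timedelta

# Constructed illustration of merchant-side tokenization plus retention control.
# Nothing here is a vendor's API; the shape of the token is an assumption.


def mask_pan(pan: str) -> str:
    """Masked form for receipts and dispute lookups: BIN and last four only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Holds the only copy of each PAN; issues random tokens of the same shape."""

    def __init__(self):
        self._by_token = {}   # token -> (pan, created_at)
        self._by_pan = {}     # pan -> token, so a repeat card maps to one token

    def tokenize(self, pan: str, now: datetime) -> str:
        if not pan.isdigit() or len(pan) < 13:
            raise ValueError("unexpected PAN format")
        if pan in self._by_pan:
            return self._by_pan[pan]
        while True:
            # Random digits with the real last four kept, so reports still group by card.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._by_token:
                break
        self._by_token[token] = (pan, now)
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str):
        """Only the vault (for example during a chargeback) maps a token back to a PAN."""
        entry = self._by_token.get(token)
        return entry[0] if entry else None

    def purge_older_than(self, now: datetime, max_age: timedelta) -> int:
        """Retention control: drop PANs that have outlived the business need."""
        expired = [t for t, (_, created) in self._by_token.items() if now - created > max_age]
        for t in expired:
            pan, _ = self._by_token.pop(t)
            self._by_pan.pop(pan, None)
        return len(expired)


def merchant_record(vault: TokenVault, pan: str, now: datetime) -> dict:
    """What the merchant's own systems are allowed to keep: no full PAN anywhere."""
    return {"token": vault.tokenize(pan, now), "display": mask_pan(pan)}


if __name__ == "__main__":
    vault = TokenVault()
    t0 = datetime(2011, 5, 1)
    rec = merchant_record(vault, "4111111111111111", t0)   # constructed test PAN
    print("merchant keeps:", rec)
    print("vault resolves:", vault.detokenize(rec["token"]))
    print("purged after 10 days with a 7-day window:",
          vault.purge_older_than(t0 + timedelta(days=10), timedelta(days=7)))
```

Because the token is drawn at random rather than derived from the PAN, a copy of the merchant's database yields nothing that can be turned back into card numbers without the vault, which is what takes those systems out of PCI scope. The retention check is deliberately part of the vault, not a separate batch job someone has to remember to run.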