Time to comply
Written by Dave Adams
Many, perhaps most UK consumers are now extremely dependent on their cards. Consequently, security around card payments is a primary area of interest for both retailers and criminals.
In the digital world nothing is ever completely secure. The best retailers can do is try to reduce risks. The work retailers have put into reducing card fraud has produced positive results, but the battle is not yet won. There was a 14 per cent increase in credit and debit card fraud losses during 2012, according to the UK Cards Association. Much of this rise is thought to have been driven by low-tech scams, in which consumers are duped into giving criminals their cards, PINs or financial passwords. Criminals have been driven to using these risky physical methods by the successful introduction of chip and PIN and by the efforts retailers have put into complying with the PCI Data Security Standard (PCI DSS).
Total UK card fraud losses were £388 million in 2012, up from £341 million in 2011, but well down on the 2008 peak of £610 million. In any case, the figures are perhaps not so worrying for the average retailer as is the nightmarish thought of their PoS or data storage systems being the ones that are hacked.
Figures from Verizon’s 2013 Data Breach Investigations Report, based on analysis of over 47,000 security incidents and 621 data breaches worldwide, showed that 86 per cent of attacks on corporate systems had no internal element, and that more than half of those attacks could be attributed to organised crime. Such organisations are attracted to stealing payment card data, says Chris Novak, global managing principal of investigative response at Verizon, because it is easily and quickly converted into cash. They also have the resources to spend on developing more advanced malware and attack techniques.
PCI standards continue to evolve – the PCI Security Standards Council (SSC) is currently working on the latest triennial updates – so attaining and maintaining compliance is an endless task. It is difficult, because many retailers’ networks are such a complicated mess of disparate systems, many of which may hold cardholder data. Verizon’s figures also show that many victims are smaller retailers, presumably because it is often harder for them to achieve and maintain best practice in security.
Whatever the size of the retailer, attaining compliance can be a complicated, lengthy and expensive process, so many retailers now outsource all or some of the card payments process to payment services providers (PSPs).
Toy retailer The Entertainer has used payment services provided by YESpay for four years. “The idea was that all the transactions would be sent securely to their network so no customer data touched our network,” explains Ian Pulsford. “That effectively removed our stores from scope for PCI.”
By then the company’s website was already hosted by a PCI-compliant service provider. “We also made some changes to other systems in house: the stores were still sending credit card details back here [to HQ] to be archived securely,” Pulsford continues. “We changed our process to make sure no customer data was at risk. We also use PCI-compliant processes in our call centre.” Computers within the IT department at head office from where staff can remotely access PoS systems have also been securely partitioned.
A growing number of the largest retailers, which would have been much less likely to outsource payments in the past, are also now looking to work with service providers. “I see it as a positive move to protect cardholder data,” says Jeremy King, European Director at the PCI SSC. “But with that comes some challenges.” He says the PCI SSC will publish new guidance on working with PSPs later this year, in response to requests from retailers.
But retailers working with a provider can expect to be able to access more advanced technologies. Akif Khan, director of strategic initiatives at online payments specialist CyberSource, highlights the trend towards use of tokenisation, whereby a service provider stores credit card details for the retailer, which then uses a valueless token to authenticate the transaction. If those tokens are stored in a central repository this can enable service enhancements like one-click purchasing via multiple service channels.
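The tokenisation model Khan describes, as an added illustration that is not part of the original article and not CyberSource's or any provider's code: the provider-side vault is modelled as an in-memory class, the PAN value is the well-known test number 4111 1111 1111 1111, and the token format (12 random digits plus the real last four) and the "provider-auth" caller label are assumptions made for the model. The point it shows is that the merchant's order records end up holding only the token, that the same token is reused for a later one-click purchase, and that nothing on the merchant side can turn the token back into the card number.

```python
"""Minimal token-vault model: the PAN lives only in the provider's vault;
the merchant keeps an opaque token and reuses it for repeat purchases."""
import hashlib
import secrets
from typing import Dict, List, Tuple


class TokenVault:
    """Stand-in for the provider's vault (assumed design, not a real product)."""

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        # fingerprint -> token, so a returning card always maps to the same token
        self._fingerprint_to_token: Dict[str, str] = {}

    @staticmethod
    def _fingerprint(pan: str) -> str:
        # A real vault would use a keyed hash; plain SHA-256 is enough for the model.
        return hashlib.sha256(pan.encode()).hexdigest()

    def tokenise(self, pan: str) -> str:
        if not pan.isdigit() or not 13 <= len(pan) <= 19:
            raise ValueError("not a PAN-shaped value")
        fp = self._fingerprint(pan)
        if fp in self._fingerprint_to_token:
            return self._fingerprint_to_token[fp]
        # 12 random digits + the real last four: PAN-shaped so legacy fields accept it,
        # but the random part carries no information about the card (assumed format).
        while True:
            token = "".join(str(secrets.randbelow(10)) for _ in range(12)) + pan[-4:]
            if token != pan and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._fingerprint_to_token[fp] = token
        return token

    def detokenise(self, token: str, caller: str) -> str:
        # Only the provider's own authorisation path may recover the PAN.
        if caller != "provider-auth":
            raise PermissionError("merchant systems never receive the PAN")
        return self._token_to_pan[token]


class MerchantOrders:
    """Merchant side: stores tokens only, never the PAN."""

    def __init__(self, vault: TokenVault) -> None:
        self.vault = vault
        self.customers: Dict[str, str] = {}          # customer_id -> token
        self.orders: List[Tuple[str, str, float]] = []  # (customer_id, token, amount)

    def first_purchase(self, customer_id: str, pan: str, amount: float) -> str:
        token = self.vault.tokenise(pan)   # PAN handed straight to the provider
        self.customers[customer_id] = token
        self.orders.append((customer_id, token, amount))
        return token

    def one_click_purchase(self, customer_id: str, amount: float) -> str:
        token = self.customers[customer_id]  # no card entry needed
        self.orders.append((customer_id, token, amount))
        return token


def merchant_holds_pan(merchant: MerchantOrders, pan: str) -> bool:
    """True if the PAN appears anywhere in the merchant's stored records."""
    stored = list(merchant.customers.values()) + [str(o) for o in merchant.orders]
    return any(pan in s for s in stored)


def merchant_can_recover_pan(vault: TokenVault, token: str) -> bool:
    try:
        vault.detokenise(token, caller="merchant-web")
        return True
    except PermissionError:
        return False


def run_demo() -> dict:
    pan = "4111111111111111"  # constructed: a widely used test number, not a live card
    vault = TokenVault()
    shop = MerchantOrders(vault)
    first = shop.first_purchase("cust-42", pan, 29.99)
    repeat = shop.one_click_purchase("cust-42", 12.50)
    return {
        "token": first,
        "same_token_on_repeat": first == repeat,
        "merchant_holds_pan": merchant_holds_pan(shop, pan),
        "merchant_can_recover": merchant_can_recover_pan(vault, first),
        "provider_can_recover": vault.detokenise(first, "provider-auth") == pan,
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The scope reduction Pulsford and Khan describe follows from the last three flags: the merchant's records contain only the token, the merchant cannot reverse it, and only the provider's authorisation path can. The residual risk the article goes on to mention, a misconfigured integration that still writes the PAN somewhere, is exactly what `merchant_holds_pan` is checking for.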
Elsewhere, the PCI-compliant call recording solution developed by Aeriandi, which removes cardholder data from recordings of customer phone calls, can now be hosted in the cloud, thanks to a partnership with secure cloud services provider Adapt. Aeriandi is currently deploying such a solution for a high street clothing brand.
Even if the retailer does outsource much of the process it still needs to be able to prove to a security assessor that it can provide all the necessary security coverage on those other occasions when it may be necessary to import some cardholder data into its own systems. And it is still possible to get in trouble if the technology has not been implemented correctly, meaning the retailer is still unwittingly retaining cardholder data somewhere in its systems. In 2012 the PCI SSC launched a Qualified Integrators and Resellers (QIR) programme to try to improve implementation and integration quality.
For a retailer which decides to keep PCI compliance in-house one key challenge is identifying all the places where cardholder data is held within its systems. Older PoS systems sometimes hold card data in unencrypted formats. There may also be security vulnerabilities within processes associated with payment rather than the payments systems themselves – in the refund process, for example.
Retailers need to focus on keeping attackers out of their networks in the first place – and on locating and mitigating successful breaches as quickly as possible. Verizon’s figures show that 62 per cent of 2012 breaches studied took “months” to discover, while four per cent took “years”. In 22 per cent of cases it took “months” to contain the breach.
Focusing on the basics such as log management is a good first step, says Verizon’s Chris Novak. He also reiterates the importance of employee education – and the value of practising recovery from an attack. “Many organisations don’t do basic breach simulations,” he says. “If a breach does occur, mitigation takes too long, because the organisation has never practised it.”
The most effective approach to achieving and maintaining compliance is three-fold, says King: people (appropriate training), processes (improved in line with PCI DSS and supporting guidance from the PCI SSC) and technology. Akif Khan warns against defining PCI compliance as just another IT project. “Where we’ve seen success in projects is where there’s C-level sponsorship, from a chief security officer or a chief information officer,” he says.
There has been some criticism aimed at the support and advice offered by the Qualified Security Assessors (QSAs) from whom retailers buy consultancy on compliance, or auditing services. “What one QSA thinks compared to another can really differ,” says Matthew Bryars, CEO at Aeriandi. “You might have one QSA who is a networking specialist and another who is an applications specialist. They’ll spend most of their time on the bit they’re most interested in.”
Compliance can be difficult and time-consuming, but once it is achieved, the company needs to advance beyond it, to develop an ongoing programme of reviews and enhancements to the security strategy. “If you think you’ve achieved compliance and then leave it at that there’s a high chance you’ll go out of compliance within a couple of months,” says Khan. “This really needs to be embedded culturally, with ongoing reviews. It needs to become part of the application development process.” He is encouraged by signs that some retailers are using PCI standards as benchmarks that can be applied, at least in part, to alternative payment methods.
Payments made using mobile devices and digital wallet methods are also bound to attract more criminal attention when more consumers use them. The card schemes have been developing encryption-based models for mobile payments, within which a mobile phone does not actually form part of the security architecture. But, as Stanley Skoglund, senior vice-president for payment systems risk at Visa Europe acknowledges, the sheer variety of mobile devices and growing number of alternative payment methods mean much more work will be needed here in future.
Further outsourcing of payments seems inevitable.
“The burden on the service providers will be increased, because instead of this data being held in millions of individual merchants’ systems, it will be in hundreds or thousands of service providers’ systems,” says Chris Novak. “So if there is a breach at one of those providers, what might have been a loss of one million or 10 million records could instead be hundreds of millions of records.” Retailers and card issuers would still have to shoulder some responsibility for that happening. Nor can they ignore the possibility of criminals finding another way to penetrate their own networks. As long as there are those willing to try to steal cardholder and other customer data, the work to secure it must continue.