Dangers of data
Written by Glynn Davis
With IT budgets heavily squeezed, any capital expenditure on a project without an obvious return on investment (ROI) is a tough sell to retail managements. PCI DSS compliance falls into this camp: it is akin to insurance against possible future security breaches.
“It is like paying for a taxi to drive behind you, just in case you break down,” suggests Kevin Burns, solutions architect at BT Expedite. Despite this view, he still believes, along with the majority of people in the retail industry, that it is essential to comply with PCI DSS, because the cost implications and possible brand damage caused by a major breach could spell big trouble.
Mike Bielinski, CEO at Vodat International, says: “Customers will not want to risk transactions where there has been a security breach and that will have a direct effect on sales particularly when these events are given high profile in the media. The cost of repairing that damage is more than just the fixing of processes and systems.”
Tim Allitt, head of sales and marketing at SecureTrading, agrees: “The harsh reality remains that the onus is on retailers of all sizes to comply with the PCI DSS regulations and it is retailers who face the cost of non-compliance - in terms of heavy fines and withdrawal of card acceptance services.”
It is therefore surprising that a Verizon survey last year found that 71 per cent of retailers’ stored payment card details are held unencrypted, and that just 21 per cent of merchants were meeting the PCI DSS standard.
According to Burns, such statistics can easily be misunderstood, because all the major retailers are encrypting their data and they are all fully compliant. The bulk of transactions and data within the retail sector are therefore being handled in a compliant manner. Surveys like Verizon’s merely highlight the ongoing non-compliance of the very large number of small (low-volume) operators.
The problem for these smaller players – who self-certify for PCI compliance by completing the Self-Assessment Questionnaire rather than being audited – is the complexity of the PCI paperwork and the difficulty of understanding the ‘scope’ of PCI within their businesses: which systems, networks and records actually store, process or transmit card data. He recommends: “Working on reducing scope by taking out data from parts of their businesses where it cannot be justified.”
Alan Stephenson, co-founder at Phoenix Managed Networks, believes another problem for the smaller non-compliant retailers has been their misguided belief that buying a PCI-compliant payment terminal is sufficient for them to be compliant. With this mindset, problems have started to occur as they begin to use broadband networks to deploy these terminals rather than buying extra fixed lines.
“As soon as they move from standalone devices on to a new configuration with terminals sitting on IP networks then the scope changes,” says Stephenson, adding that Phoenix has developed a managed solution involving two LANs that enables a “lock-down” on which devices have access to the sensitive card payments data.
What has been helping retailers – of all sizes - is the development of new solutions for PCI compliance. Ravi Bagal, vice president and managing director of retail and distribution at Verizon, says: “Until recently the solutions were not that good. Newer technologies make it easier and so for [things like] wi-fi in-store to be compliant then these new solutions in the market are much better for enabling retailers to comply.”
Burns agrees, citing the emergence of end-to-end encryption (now called point-to-point encryption, or P2PE) as a “game-changer as it changed the scope” for retailers: card data encrypted at the terminal cannot be read by the store systems it passes through, so those systems fall out of scope. And where card data is needed elsewhere in the business, for the likes of CRM or loyalty programmes, there are now ‘tokenisation’ solutions that substitute a surrogate value for the card number, so those systems never hold the real one.
David Nunn, chief technology officer at ReD and committee member of the PCI Security Standards Council, says: “An industry has grown up around PCI and tokenisation has taken off as it can help with the storage of sensitive data and it makes it a lot easier to design a system that is PCI-compliant.”
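As an added example (not code from the article or from any of the vendors quoted), the following Python sketch shows both halves of the scope-reduction approach discussed above: a discovery pass that finds card numbers in the free-text fields that small merchants tend to accumulate, using the Luhn check to drop look-alike numbers such as order references, and a tokenisation vault that swaps each PAN for a random token so that CRM and loyalty systems can keep matching customers without holding card data. The sample CRM records are constructed, the card numbers are the standard Visa and Mastercard test PANs, and the in-memory vault is a stand-in for a real vault, which would keep its PAN table encrypted under a key held outside the CRM environment.

```python
import hashlib
import hmac
import re
import secrets

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by the card brands; rejects most order refs and phone numbers."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2  # 10..18 -> 1..9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Digits-only PANs found in free text: the discovery pass used when scoping PCI."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


class TokenVault:
    """The one component that handles real PANs; systems holding only its tokens stay out of scope.

    A token is random, with no mathematical link to the PAN, and carries the last four digits
    so receipts and loyalty screens can still show "card ending 1111". A keyed HMAC of the PAN
    is the lookup index, so the same card maps to the same token on every visit (loyalty
    matching works) without the index itself revealing the PAN.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key
        self._token_by_fp: dict[str, str] = {}
        # Assumption for this example: PANs are kept in memory. A real vault encrypts this
        # table at rest under a key managed outside the CRM environment (for example in an HSM).
        self._pan_by_token: dict[str, str] = {}

    def _fingerprint(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid PAN")
        fp = self._fingerprint(pan)
        token = self._token_by_fp.get(fp)
        if token is None:
            token = f"tok_{secrets.token_urlsafe(12)}_{pan[-4:]}"
            self._token_by_fp[fp] = token
            self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment service (e.g. to process a refund) should be allowed to call this."""
        return self._pan_by_token[token]


def scrub_record(record: dict, vault: TokenVault) -> dict:
    """Return a copy of a CRM record with every PAN in its string fields replaced by a token."""

    def swap(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        return vault.tokenize(digits) if luhn_ok(digits) else m.group()

    return {k: PAN_RE.sub(swap, v) if isinstance(v, str) else v for k, v in record.items()}


def scrub_all(records: list[dict], vault: TokenVault) -> list[dict]:
    return [scrub_record(r, vault) for r in records]


# Constructed sample data: industry test PANs, not real customers or cards.
CRM_RECORDS = [
    {"customer": "A. Smith", "card": "4111 1111 1111 1111",
     "notes": "Loyalty query, phone 0161 496 0000, order ref 1234567890123456"},
    {"customer": "B. Jones", "card": "5555-5555-5555-4444",
     "notes": "Shares account with A. Smith, card on file 4111111111111111"},
]


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    for before, after in zip(CRM_RECORDS, scrub_all(CRM_RECORDS, vault)):
        print(before, "->", after)
```

After scrubbing, the CRM records contain only tokens and the untouched order reference (which fails Luhn), the same Visa PAN that appeared in two records maps to the same token, and only the vault can turn a token back into a card number; that vault, not the CRM system, is what the assessor then has to look at.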
He suggests a number of businesses are re-engineering their systems with PCI and security as the key drivers of this change. Gary Clark, vice president of EMEA at SafeNet, suggests that the more progressive merchants are now regarding PCI compliance as simply the first step in securing all the data that is used within their organisations.
They have recognised the danger from “having a lot of personal data - beyond that of credit card details – floating around their businesses that could be used maliciously”. PCI compliance on its own only goes so far in protecting a business from breaches.
Nunn agrees: “PCI is not foolproof. It’s simply a point in time. The day after the QSA (Qualified Security Assessor) issues the certificate then you could get breached. It is by no means a guarantee of safety.”
“PCI is a starting point, which people only did because they were forced to do it. But we are now in an era of regarding the securing of data as making good business sense,” explains Clark, adding that retailers who used encryption on only their payments data are now – cost-efficiently – leveraging it across all data types.
And Clark believes there is a “quantum change” afoot in the deployment of encryption as new cloud-based solutions will inevitably open up the market to smaller merchants. “We assume the likes of Verizon will be issuing cloud-based services in the future so it could be easier for those [smaller] guys who thought it too expensive to encrypt in the past. Retailers simply need to feel they have the encryption keys and it does not matter if all their customers’ data is held by cloud-based operators,” suggests Clark.
Cloud is certainly being investigated, and a special interest group has been set up by the PCI Security Standards Council, according to Nunn, who says “cloud computing is becoming a lot more popular” and so the group will look at how, with payment applications being hosted in the public cloud, the cloud providers can adhere to PCI.
While such solutions are some way off being incorporated into the Council’s standards, they are at least being looked into, which is a sign of the continued evolution of PCI compliance. This will hopefully help bring all retailers into the fold, and not just the larger operators who have been the first to recognise the benefits of securing sensitive data.