Public disclosure of data breaches, as mandated by law, and the Payment Card Industry (PCI) Data Security Standard are changing the way retailers protect sensitive customer information.
Retailers must be willing to adopt new technologies, policies and procedures to protect themselves from these increasingly frequent data breaches, which can be disastrous to brand reputation.
Retail organizations maintain records for their customers. When the information falls into the wrong hands, or has the opportunity to be extracted, viewed, captured, or used by an unauthorized individual, it constitutes a data breach.
Most states have laws that require disclosure of data breaches, and the federal government may soon enact legislation. With more disclosure and public notification laws, the reported incidence of security data breaches is growing. These public disclosures can have a profound effect on the company brand, the trust and loyalty of customers, and eventually the bottom line.
The Payment Card Industry (PCI) Data Security Standard (DSS)
The PCI DSS describes 12 detailed requirements organized into six groups. These security requirements apply to an organization’s system components. The six groups of the PCI DSS are:
–Build and maintain a secure network
–Protect cardholder data
–Maintain a vulnerability management program
–Implement strong access control measures
–Regularly monitor and test networks
–Maintain an information security policy
Trend highlights in the retail industry
The average retail company stores data both electronically and on paper, all of which must be protected. When analyzing the “business” category, which accounts for 33% of all data breaches across all industries, retail has the second highest number of incidents but the most records compromised of any subcategory.
According to research conducted by infosecurityanalysis.com and verified on the Perimeter eSecurity Network, retail company records from 2000 to 2007 totaled 98,035,330 — equal to about one third of the U.S. population.
The greatest exposure and loss of sensitive data is in the form of data breaches, most often caused by hackers, theft and malicious employees. Credit-card information was more than 99% of all data compromised in retail security breaches, although this was usually accompanied by additional information making it of “high value.”
When analyzing the retail records compromised by breach source, theft is the leading category. Moreover, nearly all records are compromised while the data is within the walls of the establishment.
Based on many case histories, large public companies that experience a security breach appear to fare better than small merchants, with relatively minor long-term impact on their stock value. Many small companies have been known to go out of business because of the hard and soft costs associated with recovering from a security breach.
Lessons learned: The TJX Companies and Hannaford Brothers
The TJX Cos. experienced an “unauthorized intrusion” into its computer systems that process and store customer transactions, including credit card, debit card, check, and merchandise return transactions. The company discovered the intrusion in mid-December 2006.
Transaction data from 2003 as well as mid-May through December 2006 may have been accessed. After numerous lawsuits and untold negative media attention, an InternetNews.com article estimated TJX expenses at $500 million to $1 billion.
In March 2008, grocery chain Hannaford Brothers had a security breach affecting all of its 165 stores in the Northeast, 106 Sweetbay stores in Florida and a smaller number of independent groceries that sell Hannaford products. Credit and debit card numbers were stolen during the card authorization transmission process, but no personal information was divulged.
A company official stated that malware loaded onto Hannaford servers allowed attackers to intercept card data stored on the magnetic stripe of payment cards as customers used them at the checkout counter. The attack resulted in card data being transferred overseas and resulted in 2,000 known cases of fraud.
The attack was successful despite the fact that Hannaford is compliant with the PCI DSS and undergoes an elaborate examination and certification required by credit card associations.
Reducing your risk
Retailers tend to lack adequate security measures that would prevent data leakage or compromise, as well as knowledge of how to respond to a breach. Each retail organization has different needs, based on its unique operations, when it comes to maximizing its security.
A combination of policies, procedures, training and technology aligned with a layered security approach and risk-based analysis is available to mitigate a broad range of risks. This would reduce the number of data security breach incidents, save money and maintain customer assurance, employee morale and shareholder confidence.
An on-demand security-as-a-service approach can provide an affordable, layered and compliant defense for retailers of all sizes. Retailers evaluating this approach should fully vet all service provider candidates, especially due to the current economic environment.
Make sure that providers are stable and have experienced difficult economic times before. It is important that they provide the broadest range of services to take advantage of economies of scale, have a heavy regulatory focus and have been vetted by multiple independent third parties.
Be sure to check a service provider’s audited financial statements to make sure that it has been profitable for a while. Regulators are requiring many providers to achieve and maintain strong compliance, so providers face rising expenses at the same time as declining revenue.
Kevin Prince is chief architect at Perimeter eSecurity, a provider of on–demand security services to merchants, financial institutions and other businesses.