Best Practices for Protecting Customer Data
The percentage of PCI-compliant retailers continues to rise, yet compromised payment card accounts continue to make news. Two of the largest breaches on record, at Hannaford and Heartland, hit companies that had been assessed as PCI compliant, so a compliance certificate is clearly no guarantee that sensitive customer data is protected, least of all in a world of wireless and public networks.
The NRF CIO Council, working with ARTS and David Taylor of the PCI Knowledge Base, has posted 25 best practices that can help retailers secure customer data and become PCI certified. They are based on hundreds of hours of anonymous interviews and success stories shared by the people who implemented them. Several of the practices that most reduce a retailer's risk of a breach are highlighted below.
Conduct an enterprise application compliance review. You cannot control access to data, or secure it, without knowing exactly what data is stored where. The first best practice is therefore an enterprise application audit that identifies and locates every data element designated as confidential, cardholder data above all, and documents which applications store, process or transmit it. This is a big job: most retailers have large application portfolios, and confidential data is most often found in the oldest applications.
The results of such an audit become your foundation for protecting customer data and for deciding which of the other PCI best practices are right for your company. The audit also prepares you for the Payment Application Data Security Standard (PA-DSS), which applies to payment applications that store, process or transmit cardholder data; the deadline for using only validated applications is July 1, 2010.
Pilot data tokenization solutions. Tokenization replaces each card number with a surrogate value, a token, that has no black market value because it cannot be turned back into the card number without access to the system that issued it. That sounds easy, but it is a real data management problem. Tokens must be generated, and the mapping from each real card number to its token must be stored in the most tightly controlled location in the enterprise, the token vault. The real card numbers must then be purged from every other location where they live, using a semi-automated process that finds them in existing data stores and replaces them with tokens in every application that used the original numbers.
Tokenization significantly reduces the retailer's attack surface, and with it the cost and effort of demonstrating PCI compliance, because systems that hold only tokens can be kept out of the cardholder data environment, provided the tokens cannot be used to recover the card number. Combined with network segmentation, the vault and the few systems that genuinely need real card numbers can be isolated and access to them controlled far more effectively. Companies like MerchantLink, EPX, Paymetric or Shift4 offer tokenization solutions.
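The mechanics described above, as an added example that is not part of the NRF/ARTS material and is not any vendor's product: a minimal token vault that mints tokens keeping the last four digits, forces every token to fail the Luhn check so a leaked token can never pass as a card number, and runs the find-and-replace pass over a legacy record. The in-memory map standing in for the vault, the record format and the test card number are assumptions constructed for the example.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"regexp"
	"strings"
)

// Vault is the one place the PAN-to-token mapping exists. In a real
// deployment it sits in its own segmented, tightly controlled zone; here it
// is an in-memory map so the example runs stand-alone (assumption).
type Vault struct {
	byToken map[string]string // token -> PAN
	byPAN   map[string]string // PAN -> token, so one card always maps to one token
}

func NewVault() *Vault {
	return &Vault{byToken: map[string]string{}, byPAN: map[string]string{}}
}

// luhnValid reports whether a digit string carries a correct Luhn check digit.
// Every real PAN does; we use that to recognise PANs in records and to make
// sure no token ever looks like one.
func luhnValid(s string) bool {
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		if s[i] < '0' || s[i] > '9' {
			return false
		}
		d := int(s[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(s) > 0 && sum%10 == 0
}

// Tokenize returns the token for a PAN, minting one on first sight. The token
// keeps the last four digits (receipts, refunds and customer service still
// work); the leading digits are random and the result is forced to FAIL the
// Luhn check, so a token can never be mistaken for, or used as, a card number.
func (v *Vault) Tokenize(pan string) (string, error) {
	if len(pan) < 13 || len(pan) > 19 || !luhnValid(pan) {
		return "", errors.New("not a valid PAN")
	}
	if t, ok := v.byPAN[pan]; ok {
		return t, nil
	}
	for {
		var sb strings.Builder
		for i := 0; i < len(pan)-4; i++ {
			n, err := rand.Int(rand.Reader, big.NewInt(10))
			if err != nil {
				return "", err
			}
			sb.WriteByte(byte('0' + n.Int64()))
		}
		sb.WriteString(pan[len(pan)-4:])
		t := sb.String()
		if luhnValid(t) {
			continue // would look like a real card: draw again
		}
		if _, taken := v.byToken[t]; taken {
			continue // collision with an existing token
		}
		v.byToken[t] = pan
		v.byPAN[pan] = t
		return t, nil
	}
}

// Detokenize is the only way back to the PAN and the one call that must be
// restricted to the few systems (settlement, chargebacks) that need it.
func (v *Vault) Detokenize(token string) (string, bool) {
	pan, ok := v.byToken[token]
	return pan, ok
}

// Digit runs of PAN length; the Luhn check then separates cards from order
// numbers and phone numbers that happen to be as long.
var panRe = regexp.MustCompile(`\b[0-9]{13,19}\b`)

// Scrub is the find-and-replace pass over legacy records: each PAN is swapped
// for its token so the record can stay where it is with no card data in it.
func (v *Vault) Scrub(record string) (string, error) {
	var firstErr error
	out := panRe.ReplaceAllStringFunc(record, func(m string) string {
		if !luhnValid(m) {
			return m // not a card number
		}
		t, err := v.Tokenize(m)
		if err != nil {
			firstErr = err
			return m
		}
		return t
	})
	return out, firstErr
}

func main() {
	v := NewVault()
	// Constructed sample record; 4111111111111111 is the standard Visa test PAN.
	scrubbed, _ := v.Scrub("order 1234567890123 card 4111111111111111 total 12.50")
	fmt.Println(scrubbed)
}
```

The Luhn rejection is the detail worth copying: a token that is format-preserving but never Luhn-valid cannot be replayed as a PAN, and a scan of a data store can tell tokens and real card numbers apart without consulting the vault.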
Implement end-to-end encryption. Encrypting card data at the point of transmission from retailer to payment processor (as PCI DSS requires for open, public networks) has proven inadequate, because between the card swipe and that point the card number sits in cleartext in the POS application's memory and on the store network, where an attacker with a foothold in the retailer's systems can read it. End-to-end encryption begins inside the card reader at the moment of the swipe, and the data remains encrypted through the entire payment process until it reaches the processor.
Secure card readers make this possible, and ARTS UnifiedPOS version 1.12 includes support for secure card readers and end-to-end encryption. This goes beyond PCI requirements and gives the retailer additional protection: a compromised POS host yields ciphertext it has no key for. MagTek, Semtek and VeriFone are among the vendors offering true end-to-end encryption and secure readers.
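What "encrypted from the swipe onward" means in code, as an added example that is not from the page, UnifiedPOS or any reader vendor: the reader encrypts track 2 with AES-256-GCM under a key only it and the processor hold, the POS application handles a request that has no field capable of carrying a card number, and the processor is the first party that can decrypt, failing closed if the ciphertext or reader identity has been altered. The shared static key (real readers use DUKPT per-transaction keys), the `Provision` helper standing in for factory key injection, the record layout and the test card number are assumptions made for the example; the first six and last four digits are left in cleartext because PCI DSS permits them to be displayed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Swipe is everything the secure reader hands to the POS application. The
// PAN and track data exist only inside Ciphertext; the cleartext fields are
// the first six digits (routing) and last four (receipt), which PCI DSS
// allows to be shown.
type Swipe struct {
	ReaderID   string
	BIN        string
	Last4      string
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM over track 2, ReaderID as associated data
}

// SecureReader models the tamper-resistant read head. Its key is injected at
// provisioning and shared only with the processor; the retailer never holds
// it. A single static key is a simplification (assumption) of DUKPT.
type SecureReader struct {
	ID  string
	key []byte
}

// Swipe encrypts the track data the moment it leaves the magnetic head.
func (r *SecureReader) Swipe(track2 string) (Swipe, error) {
	pan := strings.SplitN(track2, "=", 2)[0]
	if len(pan) < 13 {
		return Swipe{}, errors.New("malformed track 2 data")
	}
	block, err := aes.NewCipher(r.key)
	if err != nil {
		return Swipe{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Swipe{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Swipe{}, err
	}
	ct := gcm.Seal(nil, nonce, []byte(track2), []byte(r.ID))
	return Swipe{ReaderID: r.ID, BIN: pan[:6], Last4: pan[len(pan)-4:], Nonce: nonce, Ciphertext: ct}, nil
}

// AuthRequest is what the store's POS builds and forwards. It has no field
// that could carry a PAN, so neither POS memory nor the store LAN sees one.
type AuthRequest struct {
	AmountCents int
	Swipe       Swipe
}

func BuildAuthRequest(s Swipe, amountCents int) AuthRequest {
	return AuthRequest{AmountCents: amountCents, Swipe: s}
}

// Exposes asks what a memory scraper on the POS would ask: is the PAN
// anywhere in the data the POS handled?
func (a AuthRequest) Exposes(pan string) bool {
	p := []byte(pan)
	return strings.Contains(a.Swipe.ReaderID+a.Swipe.BIN+a.Swipe.Last4, pan) ||
		bytes.Contains(a.Swipe.Nonce, p) || bytes.Contains(a.Swipe.Ciphertext, p)
}

// Processor holds the reader keys and is the first point where the PAN is
// recovered. A bad GCM tag (altered ciphertext, swapped reader ID, wrong key)
// fails closed.
type Processor struct {
	keys map[string][]byte // reader ID -> key
}

func (p *Processor) Open(s Swipe) (string, error) {
	key, ok := p.keys[s.ReaderID]
	if !ok {
		return "", errors.New("unknown reader")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, s.Nonce, s.Ciphertext, []byte(s.ReaderID))
	if err != nil {
		return "", errors.New("authentication failed: ciphertext altered or wrong reader")
	}
	return string(pt), nil
}

// Provision stands in for factory key injection (assumption): the reader and
// the processor share one fresh random key.
func Provision(readerID string) (*SecureReader, *Processor) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	return &SecureReader{ID: readerID, key: key}, &Processor{keys: map[string][]byte{readerID: key}}
}

func main() {
	reader, proc := Provision("RDR-0001")
	// Constructed sample track 2 data built on the Visa test PAN.
	sw, _ := reader.Swipe("4111111111111111=25121010000000000000")
	req := BuildAuthRequest(sw, 1250)
	fmt.Println("POS can see PAN:", req.Exposes("4111111111111111"))
	track, err := proc.Open(sw)
	fmt.Println("processor recovered:", track, err)
}
```

Binding the reader ID into the GCM associated data is what stops a captured ciphertext from being resubmitted under a different reader's identity; without it, the processor would try the wrong key and fail anyway, but only because of the key lookup, not because of the cryptography.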
Over the next few months, NRF and ARTS will continue to provide actionable information that will enable retailers to go beyond PCI compliance in securing customer data. We will expand our PCI best practices with a focus on updates to the audit points and new regulations such as PA-DSS and PIN Entry Device (PCI-PED) security requirements.
ARTS and MagTek will present a webcast on achieving maximum protection for customer data on April 29. Register to attend at www.nrf-arts.org and learn how to protect your data and your business.