Loss Prevention

Maintaining Vigilance

Achieving PCI compliance doesn’t mean retailers can let down their guard

A lot of retailers breathed sighs of relief when the most recent PCI compliance deadline passed last month. But merchants shouldn’t become complacent, payment security experts warn.

“PCI compliance is an on-going procedure,” says Gayle Hoskinson, director of merchant compliance and interchange for Heartland Payment Systems, a national payments processor based in Princeton, N.J.
“Once in full compliance, it is critical for retailers to stay in full compliance,” adds Todd Davis, CEO of Lifelock, a firm that helps merchants prevent identity theft.

Even if retailers are confident that their payment security systems meet the most rigorous standards, those standards are constantly evolving. And as retailers add new functionality or update software within their systems, they need to examine how those changes affect their security controls and whether new vulnerabilities have been introduced.

“Every time a retailer updates a software program, it is creating a new portal for a hacker to get in,” Hoskinson says. “Additionally, every time you change employees, there are new passwords that need to be changed and monitored.”

Most retailers understand the importance of constant vigilance. “As technology develops and things progress, we have to stay up on the latest developments,” says Mark Bouchett, operations manager for Burlington, Vt.-based Homeport, a home goods store. “Hackers tend to figure things out, so you have to stay ahead of them.”

Keeping customers’ trust
Taking extra measures to assure security is critical, not only to avoid fines from the card associations but also to provide customers with peace of mind.

“You can forget about the fines or any remediation you’ll have to pay,” says Bob Russo, general manager of the PCI Security Standards Council. “The worst thing that can happen to you is that customers will walk away from your store because they can’t trust you’ll protect their data.”

Making sure customers feel safe requires a major commitment. “We’re trying to get retailers to move away from having a ‘check-box mentality’ — where they just look to make sure they’ve checked off all the right boxes — to being aware about data security and understanding what is really needed to protect their customers,” he says.

The focus at Homeport is even more basic, according to Bouchett. “If we can get people to use their cards at our store with confidence that we will not put their identification information at risk, we are doing our jobs.”

Part of the monitoring includes taking a close look at passwords used by outside vendors, Hoskinson says. Many use the same passwords to access the systems of multiple customers, making it easier to execute system upgrades and changes. The problem with that, she explains, is that if the password is compromised in one system, a hacker could gain access to dozens of other retailers’ systems.

To avoid this situation, retailers should make sure their vendors are using unique passwords. Additionally, retailers should invalidate the passwords after the work is completed and the vendor no longer needs access to the retailer’s system, Hoskinson says.

Examining employee log-in data is also critical to security, Russo says. “It’s not just enough to make sure you require employee log-ins. You have to examine who is logging in and what they are doing.”
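The vendor-access controls described above (one account per vendor, access revoked once the work is done, and a review of who is logging in and when) as an added Python example; this is not code from the article or from any company quoted in it. The engagement roster, the remote-access log format and the account names are constructed for illustration, and the log is assumed to come from a gateway used only by vendor accounts.

```python
from datetime import datetime, timedelta

# Constructed roster: each vendor account and the service window it was granted for.
# 'enabled' records whether the account is still active in the retailer's system.
ENGAGEMENTS = {
    "vendor_posco": {"start": "2010-03-01", "end": "2010-03-03", "enabled": True},
    "vendor_netfix": {"start": "2010-02-10", "end": "2010-02-11", "enabled": False},
}

# Constructed remote-access log lines: "date time account result host".
LOGINS = [
    "2010-03-02 14:05:11 vendor_posco login_ok pos_server",
    "2010-03-09 02:17:43 vendor_posco login_ok pos_server",
    "2010-02-11 09:30:00 vendor_netfix login_ok back_office",
    "2010-03-10 03:00:12 vendor_netfix login_failed back_office",
]

def _day(s):
    return datetime.strptime(s, "%Y-%m-%d")

def parse_login(line):
    """Split one constructed log line into (timestamp, account, result, host)."""
    date, clock, account, result, host = line.split()
    return datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"), account, result, host

def stale_accounts(engagements, as_of):
    """Vendor accounts still enabled although their service window ended before as_of."""
    cutoff = _day(as_of)
    return sorted(acct for acct, eng in engagements.items()
                  if eng["enabled"] and _day(eng["end"]) + timedelta(days=1) <= cutoff)

def suspicious_logins(lines, engagements):
    """Logins (successful or not) outside the granted window, or by accounts not on the roster."""
    findings = []
    for line in lines:
        ts, account, result, host = parse_login(line)
        eng = engagements.get(account)
        if eng is None:
            findings.append(f"unknown vendor account {account} on {host} at {ts}")
            continue
        # The window runs from the start date through the whole of the end date.
        in_window = _day(eng["start"]) <= ts < _day(eng["end"]) + timedelta(days=1)
        if not in_window:
            findings.append(f"{account} {result} on {host} at {ts}, "
                            f"outside window {eng['start']}..{eng['end']}")
    return findings

if __name__ == "__main__":
    print("still enabled after engagement:", stale_accounts(ENGAGEMENTS, "2010-03-10"))
    for finding in suspicious_logins(LOGINS, ENGAGEMENTS):
        print(finding)
```

Run against the constructed data, the review reports one vendor account that was never disabled and two logins that fall outside any granted service window, one of them a failed attempt with an account that had already been revoked.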

Retailers should also examine how long they are storing data. “Unless you do recurring billing, there is no need to hang on to the data for a long time,” Hoskinson says. It may not even be necessary to hold on to it for future chargebacks or returns. “Keep truncated card numbers, not the full numbers,” she says. “That is usually enough to identify the transaction in case of a dispute.”

Deciding how much payment data to retain and for how long is a decision each retailer must make. Bouchett says his company had to balance the need for security against concerns about customer convenience; as a result, the store currently retains no payment data. In the event of a chargeback or return, the store requests the card number again or re-swipes the payment card. Some customers find that more burdensome, but they can be told that the policy protects their security, he says.

Taking action
Heartland recently launched an end-to-end encryption technology program called E3. The system keeps card data encrypted throughout the processing network, not just at select points during the transaction flow. That way, if a hacker gains access to the data at any time, the information would be useless, Hoskinson says.

When making system upgrades, retailers should deal with reputable vendors who are included on the PCI compliant lists found on the Visa, MasterCard or PCI websites, Hoskinson says. Merchants should also conduct quarterly vulnerability scans to see if there are any open portals.

In January, the PCI Security Standards Council changed the lifecycle for standards from two years to three years. The change will give retailers more time to implement new standards, as well as give the council more time to gather input on the standards and implementation procedures from retailers, Russo says.

It will also allow retailers to wait until January to begin implementing the standards announced in October 2009. Performing updates around the holiday season was difficult for most retailers, Russo says, and the change was made based on comments from retailers.

Still, following all the rules may not be enough. “Understand that being in compliance with PCI does not guarantee that data breaches will not occur,” Lifelock’s Davis says. “Develop and stick to an action plan designed to safeguard the data and outline actions in the event of a data breach. How will you inform affected customers? How will you maintain their trust moving forward?”
