Making LP PCI-Compliant
Retailers victimized by credit card fraud have found their brands tarnished – punished, in essence, because hackers stole card and identity data from customer databases and then used it to obtain millions of dollars in goods.
The Federal Trade Commission, which investigates data breaches under its consumer-protection authority, may look into whether an affected retailer contributed to the breach by violating state or federal law. State attorneys general may open their own inquiries into whether the retailer broke any laws.
Banks that have to reissue credit cards after a security breach have also filed lawsuits, arguing that if retailers fail to safeguard confidential customer information, they should have to pay for the losses they incur – including legal expenses and the cost to reissue cards.
To minimize the chances of future breaches, credit card companies have developed, and retailers are in various stages of adopting, the Payment Card Industry (PCI) Data Security Standard.
Loss prevention/retail security professionals face numerous challenges as they endeavor to become PCI-compliant. In many instances, those challenges are being met; several retail security experts say that data security will be stronger than ever as the result of PCI.
On the down side, however, some LP directors are still not aware of how much they may need to change their processes as their companies strive to become PCI-compliant. And change is absolutely necessary, industry LP professionals say, to avoid complexities that could handicap their ability to conduct effective credit card fraud investigations and prosecutions.
To comply with PCI and keep the card brands' permission to accept their cards, retailers (or the providers that host their data) must meet the standard's six control objectives: build and maintain a secure network, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy.
“PCI is complicated,” says Joe LaRocca, vice president of loss prevention for the National Retail Federation, “and new rules and regulations continue to emerge. Many LP executives, even top executives, still don’t fully understand how PCI will impact their work or what they need to do to conduct investigations within the new procedures created by PCI. Every LP director needs to address how LP needs to change because of PCI.”
According to merchants that have been pro-active in responding to PCI, compliance will not prevent retailers from being effective in preventing, detecting, investigating or prosecuting credit card fraud, but it will significantly change the way LP manages the investigative challenges.
Important tool
The director of loss prevention for a medium-sized specialty retailer calls PCI regulations an important tool for protecting consumers. “Over time, they are likely to reduce the incidences of credit card fraud by making it much harder for thieves to gain access to personal and credit card data, either by stealing paper data or by hacking into online retail systems.”
Still, LaRocca points out that PCI compliance does not guarantee that a retailer is safe from data breach. He notes that NRF is calling for the banks and credit card companies to stop requiring merchants to store credit data in any manner. (Credit card companies typically require retailers to store credit card numbers for up to 18 months in order to manage chargebacks and other internal requests.) “If the goal is to make credit card data less vulnerable, the ultimate solution is to stop requiring merchants to store card data in the first place,” LaRocca explains. “If you’re not storing any credit card data, there’s no incentive for the criminals to breach your systems.”
But because PCI requires stored card and personal customer data to be encrypted, and that data must then be decrypted to produce the documentation a prosecution needs, the LP director quoted above notes that completing a credit card fraud investigation can take longer than it once did.
One of the challenges that a large specialty retailer faced when it began its push for PCI compliance was figuring out how to tie an encrypted credit card number to a unique identifier that would enable the company to investigate a case of credit card fraud and then build that case for prosecution.
A company LP executive says the chain chose to develop its own solution for data encryption because it wasn’t comfortable with the integrated solutions available at the time.
The chain met the challenge of building its own encryption/decryption solution by “hashing” credit card data, that is, computing from each card number an identifier unique to that card. (Hashing is sometimes loosely called “masking,” but masking properly means displaying only part of the number, such as the last four digits, and is a separate PCI control.)
Hashing is deterministic: every time you hash the same credit card number you get the same “hash value,” so a retailer can correctly identify all of the transactions that belong to that card.
But a hash value alone is not a complete solution for building an investigation; retailers must also be able to recover the original credit card number behind the identifier.
The problem: you can’t work backward from the hash value, because a hash is a one-way function by design, not an encryption that can be reversed. That means retailers have to store the data two different ways.
“You have to have a hash value so you can aggregate transactions that belong to the same credit card,” says one industry source, “and you have to have the data stored separately in an acceptable encryption string so you can then derive the original credit card number from the encrypted cipher text.”
To keep the tightest possible control over card data, the large specialty chain limits the number of people who can access decrypted credit card numbers.
If someone in its LP office is working on an investigation involving a credit card account, they have to build the case using the hash value. When they think they have a prosecutable case, they have to get legal permission to decrypt the data. To further ensure security, this retailer insists that two employees simultaneously perform the decryption procedure.
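The two-way storage scheme described above (a deterministic hash for grouping transactions, separate reversible encryption for recovering the number, and two people required to decrypt), as an added example written for this article and not the retailer's own code. It uses only the Python standard library, so a PRF built from HMAC-SHA256 in counter mode with encrypt-then-MAC stands in for a vetted AEAD such as AES-GCM, which is what a production system should use. The card number, the masked-receipt digits, the key labels and the stored record are all constructed for illustration. It also goes one step beyond the article to show why the hash has to be keyed: a plain SHA-256 of a 16-digit PAN is no secret when the first six and last four digits are printed on a receipt, because only six digits are unknown and the Luhn check fixes one of them. PCI DSS v4.0 added an explicit requirement that hashes used to render PAN unreadable be keyed, for exactly this reason.

```python
"""Keyed card tokens, reversible encryption, and dual-control decryption.
Added example for this article, not the retailer's system; stdlib only.
The PAN, receipt digits and keys below are constructed."""
import hashlib
import hmac
import itertools
import os
import secrets
from typing import Optional


def _luhn_sum(digits: str) -> int:
    """Luhn weighted sum: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total


def luhn_ok(pan: str) -> bool:
    return _luhn_sum(pan) % 10 == 0


# --- 1. A token for grouping transactions by card --------------------------

def card_token(pan: str, token_key: bytes) -> str:
    """Deterministic keyed hash (HMAC-SHA256) of the normalised PAN: same card,
    same token, so an investigator can pull every transaction on that card
    without seeing the number. The key lives only in the tokenising service."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return hmac.new(token_key, digits.encode(), hashlib.sha256).hexdigest()


def unkeyed_token(pan: str) -> str:
    """What not to do: an unkeyed hash of the PAN."""
    return hashlib.sha256(pan.encode()).hexdigest()


def recover_from_unkeyed(token: str, bin6: str, last4: str) -> Optional[str]:
    """Offline attack on unkeyed tokens given a masked receipt (first six and
    last four digits visible). Six digits are unknown, one of them is fixed
    by the Luhn check, so at most 100,000 hashes are needed."""
    for mid in itertools.product("0123456789", repeat=5):
        partial = bin6 + "".join(mid) + "0" + last4   # position 11 unknown
        # In a 16-digit PAN position 11 has Luhn weight 1, so solve for it.
        d11 = (-_luhn_sum(partial)) % 10
        cand = partial[:11] + str(d11) + last4
        if hashlib.sha256(cand.encode()).hexdigest() == token:
            return cand
    return None


# --- 2. Reversible storage, kept separate from the token --------------------

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for an AEAD)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _subkeys(data_key: bytes) -> tuple:
    """Derive independent encryption and MAC keys from the data key."""
    enc = hmac.new(data_key, b"pan-enc", hashlib.sha256).digest()
    mac = hmac.new(data_key, b"pan-mac", hashlib.sha256).digest()
    return enc, mac


def encrypt_pan(pan: str, data_key: bytes) -> bytes:
    """Returns nonce || ciphertext || tag (encrypt-then-MAC, fresh random nonce)."""
    enc, mac = _subkeys(data_key)
    nonce = os.urandom(16)
    pt = pan.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc, nonce, len(pt))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_pan(blob: bytes, data_key: bytes) -> str:
    """Verifies the tag in constant time before touching the ciphertext."""
    enc, mac = _subkeys(data_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("ciphertext tampered with or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct)))).decode()


# --- 3. Dual control: two custodians, neither holds the whole key -----------

def split_key(data_key: bytes) -> tuple:
    """XOR secret sharing: share_a is random, share_b = data_key XOR share_a."""
    share_a = secrets.token_bytes(len(data_key))
    share_b = bytes(k ^ a for k, a in zip(data_key, share_a))
    return share_a, share_b


def combine_shares(share_a: bytes, share_b: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(share_a, share_b))


if __name__ == "__main__":
    pan = "4532015112830366"                       # constructed test PAN
    token_key, data_key = secrets.token_bytes(32), secrets.token_bytes(32)
    share_a, share_b = split_key(data_key)         # given to two custodians
    record = {"token": card_token(pan, token_key), "blob": encrypt_pan(pan, data_key)}
    del data_key                                   # the whole key is not kept
    print("token for grouping:", record["token"][:16], "...")
    print("PAN recovered from an UNKEYED hash:", recover_from_unkeyed(unkeyed_token(pan), "453201", "0366"))
    print("PAN decrypted with both shares:", decrypt_pan(record["blob"], combine_shares(share_a, share_b)))
```

The brute force in `recover_from_unkeyed` finishes in well under a second on a laptop, which is the practical argument for `card_token` over `unkeyed_token`: without the token key, an attacker who steals the transaction table learns nothing from the tokens. The token key and the data key must be different keys under separate custody, so that whoever runs the grouping service still cannot recover numbers. In `split_key`, each custodian's share is uniformly random on its own and useless without the other; the combined key should exist only inside the decryption step, which is the software form of the article's rule that two employees perform the decryption together.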
All customer information collected by one retail specialty chain is now encrypted and isolated from outside access; no credit card information is kept at the store level.
Once this chain has completed a preliminary investigation and confirmed that fraud is linked to a specific credit card, it proceeds to prosecution by making a formal request through its legal department to decrypt the data to produce the full credit card number.
Much more protected
In addition to software and process changes, retailers need to invest in hardware to enhance the physical security of their premises to become compliant with PCI regulations. The LP executive for the medium-sized chain notes that it had to improve access control systems, barriers, monitoring cameras and alarms, as well as ensure that its vendors’ systems were PCI-compliant.
“It’s not that data wasn’t protected in the past,” the executive says. “It’s just much more protected today than it has been. And it’s necessary because fraudsters have become more sophisticated.”
Although it is almost impossible to determine ROI when evaluating the cost of potential risks, retailers – just like consumers who purchase health or home insurance – insist it is a wise investment. And the encryption/hashing technology that PCI requires is being more widely viewed as a positive development.
Compliance with PCI “will not only protect customers and retailers from potential security and consequent fines,” says the LP executive for the medium-sized specialty chain, but it “also makes it harder for criminals to commit credit card fraud or identity theft.
“As time evolves, so does crime,” the executive says. “It’s the natural migration of things. And while today it takes longer to do an investigation, in the end we can achieve the same goal of catching the perpetrators and stopping the fraud. It’s a change, but we’ve been able to adapt.”
LaRocca believes that providing merchants with the option of keeping nothing more than a modified authorization code, issued at the time of sale, may make more sense than requiring merchants to keep reams of data for an extended period of time. “If all merchants took advantage of this option, credit card companies and their member banks would be the only ones with large caches of data on hand,” he says.
“The bottom line is that it makes more sense for credit card companies to protect their data from thieves by keeping it in a relatively small number of secure locations than to expect millions of merchants scattered across the nation to lock up their data for them.”
Before the large specialty retail chain began developing its own data encryption/hashing system to interface with its off-the-shelf exception-based reporting system, it performed an internal risk assessment. The company found that it had too many unique credit card numbers in its database to leave them unencrypted.
“If someone had compromised the database there would have been nothing to stop them from getting all of the credit card numbers,” says the LP executive for the chain.
For a little more than a year, this chain managed its LP operations while being “completely blind” to credit card numbers.
“We were vulnerable to credit card fraud at that point, but we believed that protecting our customers’ credit card information was a higher priority.”