News

Credit-Card Security Falters

Industry Standard Hasn't Prevented Recent Breaches

By Joseph Pereira
19-Apr-2008; Page A9

Despite efforts by the credit-card industry to force retailers to protect their customers' data, several recent security breaches suggest that current requirements aren't enough.

Hannaford Bros., a unit of Belgium's Delhaize Group SA, says it received a certificate on Feb. 27 stating it was fully compliant with the credit-card industry's security protocols. But that same day, the New England supermarket chain was informed by its card-transaction processor that there appeared to be a problem with its customers' credit-card accounts. The chain soon learned that data for 4.2 million cards may have been stolen.

Until now, most known retail-data breaches occurred at companies that failed to comply with steps mandated by a credit-card industry group called the Payment Card Industry Security Standards Council, or PCI, in Wakefield, Mass. The Hannaford attack -- and another disclosed last month at Okemo Mountain Resort, a ski operator in Vermont -- has prompted retailers to seek security systems well beyond PCI standards.

Hannaford last week announced the adoption of two such measures. The company installed a round-the-clock security monitoring-and-detection service provided by International Business Machines Corp. to track all user log-ins. The chain has also begun to encrypt all its customer card information immediately from the time the card is swiped at the cash register, so that data is scrambled all the way to the company's corporate servers, from where it is sent to the credit-card company. "PCI is a good place to start but retailers are going to have to go above and beyond PCI," said Bill Homa, Hannaford's chief information officer.

Says Bonnie MacPherson, a spokeswoman for the ski resort, which lost card data for nearly 50,000 customers, "We did everything we were supposed to." The company says it doesn't know whether the breach resulted in any theft.

Joshua Jewett, information chief at Family Dollar Stores Inc. in Charlotte, N.C., plans to beef up the cash register systems at about 2,500 of the company's stores by August with more data encryption than mandated by PCI. Both Hannaford and Family Dollar are purchasing security systems from Verifone Holdings Inc. of San Jose, Calif.

Until two years ago, retailers faced a cacophony of security requirements, with each of the major credit-card brands -- including Visa Inc., MasterCard Inc. and American Express Co. -- issuing their own set of standards. Then the credit-card industry established PCI, and consolidated the best data security practices into a single, unified code.

The compilation, called PCI Data Security Standards, requires such things as encrypting or masking customer data, regularly updating antivirus software, restricting access to card data to only certain authorized personnel and protecting stored information with firewalls, among other things.

Retailers that fail to meet the requirements are subject to fines.

In January, Visa announced that 77% of its largest U.S. merchants became PCI compliant in 2007, up from 12% in 2006. Compliance among midsize merchants grew to 62% last year from 15% the year before.

Credit card-related fraud grew to $5.49 billion in 2007 from $1.46 billion in 1997, according to industry tracker Nilson Report. Law-enforcement officials attribute the rise to new technological applications as well as increased participation by international organized-crime groups.

Bob Russo, PCI's general manager, says PCI believes its standards -- derived with input from more than 500 data-security specialists -- are adequate, but he adds that PCI is still awaiting the results of investigations into the Hannaford and Okemo breaches. "If there is something that's lacking in the standards, then we'll address it immediately," he says.

In both the Hannaford and Okemo heists, hackers attacked an area that previously had been thought impenetrable -- a company's private internal computer network. Many previous breaches involved wireless network systems.

PCI mandates that all transaction data sent over networks that are publicly accessible -- such as in coffee shops -- be encrypted, but it doesn't require that for transmissions over internal private lines.

At Hannaford and Okemo, hackers managed to install malicious software into the companies' private networks to steal credit-card information being transmitted to processors for approval.

"This kind of attack would not have been possible if the credit-card data had been encrypted," says Avivah Litan, a security analyst for Gartner Inc. in Stamford, Conn.

Michael Cherry, an online-security consultant, says companies can encrypt credit-card data at cash registers, which PCI doesn't require, at minimal cost. "You can be worry free for less than $100 per cash register," says Mr. Cherry.

Two companies that provide such technology -- called personal identification number pad encryption -- are courting new customers, playing up Hannaford and Okemo's vulnerabilities.

Verifone Holdings is promoting its VeriShield system, which was purchased by Family Dollar. A similar product, called MagneSafe, is offered by MagTek Inc., of Carson, Calif.

Rob Caulfield, chief executive of TrustCommerce, an Irvine, Calif., credit-data processor that works with MagTek's clients, says he knows of about two dozen retailers currently using MagTek encryption and about 300 others that "are queuing up to become clients."

Meanwhile, PCI has been upgrading its requirements for retailers as more information about vulnerabilities is gleaned from data breaches. In February, PCI required merchants to ensure that PIN pads are tamper proof and their credit-card data are rendered useless if they are opened. The requirement follows a theft last year where thieves stole PIN pads from Dutch retailer Royal Ahold NV's Stop & Shop stores in the Northeast U.S. and accessed customers' debit-card passwords.

As of June 30, retailers must install firewalls that prevent hackers from accessing internal company files through software programs that are exposed to the Internet, such as applications that handle online credit-card transactions. PCI also plans to toughen its standards in September in the areas of wireless transmissions, card-preauthorization procedures and software applications that handle credit-card data. "From all the data breaches we've seen, we're quickly learning that the point-of-sale is our weakest spot in the payment chain," says Mr. Russo.

Write to Joseph Pereira at joe.pereira@wsj.com

Saving On Credit Card Processing Fees

Maureen Farrell - Forbes Magazine
19-Sep-2007

When Yvonne Chu launched Kimera, her Brooklyn, N.Y.-based dress retailer, five years ago, setting up a system to accept her customers' credit cards was an afterthought. Already armed with a small business card from Capital One, she figured why not use the bank's credit card-processing services, too? "I needed it in a hurry," says Chu.

It took a few years, but Chu eventually realized she was leaving real money on the table. Today she uses New York-based Merchant Processing Services, which charges her a base rate of 1.61% on each bill, plus 20 cents per card swipe. That's down from roughly 2% and 23 cents at Capital One. Says Chu: "Every little bit counts."

Of all the demands of running a business, shopping for a competitive credit card processor might seem trivial. Yet a healthy dose of due diligence can go a long way.


Take, for instance, a 120-seat restaurant that does roughly $2 million a year in sales--80% of that on account. Shaving just 1.5 points off of those processing fees equates to savings of $24,000 a year.

In the case of Visa and MasterCard, when a credit card is swiped, the transaction gets relayed--via an intermediary--to the credit card company, which then sluices the funds to the merchant's bank account. That middleman charges the merchant a fee--2% to 5% of the sale--for the hookup; meanwhile, the processor pays a fee to the credit card company. (American Express puts the money right into merchants' accounts, charging them fees directly.)

Letting your bank handle credit card processing may seem convenient--but that convenience comes at a price. Often, using one of the 400 third-party service providers is a cheaper way to go.

Of course, fees aren't the only consideration when choosing the right processor. Service and speed matter, too. Terms are negotiable (these guys want business), so knowledge is your best weapon. Here are some things you should be looking for.

Equipment. Credit card processing machines--which often come as part of point-of-sales systems--run between $300 and $800 apiece. (Sleeker systems involve software, too.) Vendors include Micros, Aloha and Squirrel, though some processing companies offer equipment as part of a package. Merchants also need a way to connect to the processor, via either a separate telephone line or the Internet.

Lag time. Another critical factor is the time it takes to get your mitts on customers' money. The lag can be anywhere from one to five days. Why the difference? Some processors have more efficient fraud-checking systems. Others try to eke out interest on the "float" (the reimbursement from the credit card companies) before depositing the funds into merchants' accounts. (That's why all processors must be sponsored by a bank insured by the Federal Deposit Insurance Corporation.) Obviously, the quicker you get the money, the better--and you may not have to pay more for faster service.

Fees. Generally speaking, a base rate of 2% on each bill is pretty good. Unfortunately, there is no one resource for comparing processing prices--and the fee structures are opaque at best. While third parties typically offer cheaper rates than banks, there are plenty of caveats.

Case in point: "nonqualified" rates on certain types of transactions. Fees on phone orders (where the merchant types the number into the system rather than swiping the card) might cost in the 5% to 8% range, for instance. Some processors may deem a wide range of charges nonqualified. Make processors spell those out before giving them your business.

Remember, too, that the processor must pay a fee to Visa and MasterCard, which typically charge 1.65% for a normal credit card transaction, says Dan Price, chief executive of Seattle-based Gravity Payments, a credit card processing company. So, if a processor offers a super-low base rate of 1%, watch out: The company is likely making up for that loss by larding on other fees--or perhaps by bumping up the rates midway through your contract.

Then there are termination fees. Typical processing contracts are one to three years long, and getting out early could cost you a few hundred dollars. Any more than that is probably too steep.

No matter how transparent, contracts will likely have some confusing language. To get a better handle on things, ask to see a typical monthly statement itemizing every transaction and its related fees.

Extras. Rather than deducting fees at the point of each transaction, some processors will bundle them and deduct the cumulative amount at the end of the month, streamlining your bookkeeping and leaving you with a little more cash on hand. Another potential perk: gift-certificate processing, which might cost another 25 to 50 cents per transaction. Not all processors will offer such extras, but it's worth asking.

Handling PCI Hurdles

Mathew Schwartz
28-Nov-2006

The PCI standard took effect on June 30, 2005, but companies have been slow to chase the compliance banner. What obstacles must payment card companies overcome to bring the standard to bear?

Remember June 30, 2005? That's the day the Payment Card Industry Data Security Standard (PCI DSS) took effect.

Backed by American Express, Discover, MasterCard, and Visa, the PCI standard groups companies processing credit card transactions into one of four levels, based on annual transactions processed: level 1 (over 6 million), level 2 (150,000 to 6 million), level 3 (20,000 to 150,000), and level 4 (all others). Service providers have their own levels from 1 to 4 as well.

Each PCI level mandates specific security requirements, ranging from on-site audits, to quarterly scans, to answering a questionnaire about such things as effective firewall use and whether sensitive information is restricted on a need-to-know basis. Not being compliant with PCI means companies can face fines or see their business ties severed.

With the PCI deadline in the past, are most companies in compliance? The short answer is, no. Reasons for the poor uptake to date range from scant marketing by PCI's backers and banks' inadequate educational efforts to the technical complexity of the standard.

According to Visa, 30 percent of covered companies were compliant as of the June 30 PCI deadline (with more applications in the pipeline), but others say differently. "I'd put a question mark next to that figure. I'd think it was down in the 10 percent region that were actually compliant by then," says Nigel Tranter, a partner and PCI-certified auditor in Payment Software Co., a small auditing firm based in San Jose, Calif., that works predominantly in the payment industry. "We're working with a number of small and large companies that are still struggling to be compliant, and one of the biggest reasons is because the standard is quite tough."

Another reason for slow PCI uptake may also be inadequate educational efforts by the PCI backers themselves. "The biggest hurdle we and our merchants had was just understanding what it was," notes Jen Heil, chief technology officer of San Jose-based MonsterCommerce Inc., which provides e-commerce services to more than 5,000 companies and is a PCI level 1 service provider. "Visa's been a little quiet; I wish they'd be a little louder about this, and about the 'why do I have to do it,' before everyone starts asking if you've done it. The more information we can provide to our merchants regarding what's going on in the industry and certifications that are out there, the better."

While PCI predominantly targets e-commerce, it also applies to any organization taking cards physically, though that side of things has also lagged. "The issue here is Visa relied on the banks in promoting and getting this done, and there are a large number of banks who, for whatever reason -- why, I'm not going to speculate -- haven't pushed PCI as hard as they could," says Tranter. "There are a large number of people I've spoken to out there who are surprised this PCI stuff even exists." Even after the PCI deadline, he says, he knows merchants who contacted banks, saying they were ready to comply, and their banks said, "What are you talking about?"

Some also question whether the PCI standard is thorough enough to be effective. For example, Brian Grayek, chief technology officer of Preventsys Inc. in Carlsbad, Calif., highlights how PCI only requires on-site audits at level 1 companies. All other compliance is self-reported. He sees that discrepancy as cause for concern. "There are only a handful of people who are at level 1," he notes. "Ninety percent -- or more -- of the merchants are going to be in [at least] level 2 and 3, and they only have to do a 75-question form and a scan every quarter."

Beyond effectiveness, governance is another concern. "The real challenge here will be in getting these requirements enforced," says Chris Farrow, director of the Configuresoft Center for Policy & Compliance. "As long as the PCI DSS relies heavily on self-auditing, many vendors will continue to drag their feet."

With the deadline now about half a year in the past, is mass PCI compliance imminent? Based on continuing inquiries from potential clients, "I still think we have a long way to go," says Tranter. "But that's just a gut feel on my part."

Tips for Passing PCI

For companies that must still adopt PCI, how tough is the standard? Tranter says he doesn't recall auditing any company that passed PCI the first time. "We've had companies that are ISO 9000 compliant, SAS70 compliant, and they still failed [PCI] the first time through."

Documentation is a frequent problem. "There are some documentation ideas in PCI that we call quite high-caliber, in that they require formal review, formal signoff, and a chain of command before something can take place, and that's very foreign to many organizations," says Tranter. For example, some IT departments historically just implemented firewall changes or reconfigured servers themselves, without having to get chain-of-command permission first. Under PCI, that has to change.

Many companies also struggle with PCI's key-management requirement. "A lot of people don't understand what that means," says Tranter. "We've encountered companies that have encrypted databases and very proudly showed us what they'd done. So we asked, 'Where's the key?' They said, 'It's in the database.'" Obviously, that's not effective key management. Tranter says PCI implies a company will use dedicated key-management technology.

The third most common problem is the failure to meet PCI requirement 6.5: "develop Web software and applications based on secure coding guidelines such as the Open Web Application Security Project (OWASP) guidelines." The requirement deals with "the testing and the software development of applications to protect them against application-level hacking," including SQL injections and cross-site scripting attacks, says Tranter. Yet "a lot of companies haven't gotten their heads around what that means."

Often, he says, an organization covered by PCI will have "good network setup, good application development processes, but then we don't see anything that's formally testing OWASP specifications."

Finally, Tranter recommends organizations not focus exclusively on technology when striving for ongoing PCI compliance. "There is one potential element of PCI which is kind of missed -- the human dimension, which is how people interact and how the business operates, and how people help with the security of systems. That's not quantified with PCI, and that's what auditors have to go in and assess."


Mathew Schwartz is a contributing editor for the IT Compliance Institute.

Rumors and Reluctance: PCI Standard Changes

Christopher Hord
21-Nov-2006

Credit card vendors have attempted to enforce security standards for all merchants that process credit or debit card transactions, with little success. However, new and tighter standards may be the prelude to stepped-up enforcement efforts throughout the PCI industry.

Credit card data security is one of the highest-profile topics in IT compliance right now, yet efforts to ensure and standardize compliance have been fraught with complexities and misinformation that make it hard for IT professionals to know what to prepare for when planning ahead for the update to the Payment Card Industry (PCI) Data Security Standards rolling out this summer. In July, as part of an effort to tighten data security, Visa USA already reclassified Level 4 merchants -- those that process fewer than 6 million credit card transactions a year -- into the Level 2 security category. Level 2 merchants must submit to network vulnerability scans every three months and complete a 75-item self-assessment questionnaire. Former Level 4 merchants will have until September 30, 2007, to demonstrate compliance, and non-compliance could carry stiff monetary penalties.

Even so, many merchants prefer to accept fines from the credit card companies that make up PCI (Visa, MasterCard, American Express, Discover and JCB) as a cheaper option than overhauling their IT practices. The card brands, however, are taking a hard look at changing the playing field. According to some experts, it's not a moment too soon.

A recent example of confusion and concern over the new PCI standards came only weeks ago, when MasterCard International director of e-business Tom Maxwell addressed a security conference in San Francisco. Maxwell discussed the upcoming changes to the PCI Data Security Standard (DSS). He conceded that the current PCI standards, which require credit card data to be encrypted wherever it is stored, are so demanding that many customers are having trouble meeting the standard.

Originating in 2005, the PCI security standard aims to reduce the risk of an attack by mandating that vendors maintain firewall configurations, eliminate vendor-supplied defaults for security parameters, encrypt transmission of cardholder data, regularly update anti-virus software, restrict access to data, monitor all access to network resources, and more.

Other key components of PCI DSS call for companies handling credit card transactions to maintain a policy that addresses information security, perform frequent security audits and network monitoring, and forbid the use of default passwords. Retailers that don't comply may face penalties, including fines.

Data backs this up. Recently, Visa USA president and CEO Philip Coghlin admitted that only about 20 percent of the top 200 merchants were in compliance with PCI standards. The technology news site News.com quoted Maxwell as saying, "There will be more-acceptable compensating and mitigating controls."

Almost immediately after Maxwell's presentation, rumors began to fly that PCI encryption standards would be relaxed -- an unlikely turn of events in an industry that is ever more security conscious. Since compliance with PCI DSS is required of any business that processes or transacts payments by credit or debit card, any change to the PCI standard would mean major changes in the way IT centers conduct many financial transactions.

Asked directly about this issue by ITCi, a Visa spokesman issued this terse statement, "There are no plans to make any of the PCI DSS requirements less robust. PCI DSS will continue to require all entities that store, process, or transmit cardholder data to render sensitive cardholder data unreadable anywhere it is stored, (including data on portable media, in logs, and data received from or stored by wireless networks). Any future enhancements to the standard are intended to foster broad compliance without compromising the underlying security requirements of the current standard." However, this raises a major challenge for PCI. If most vendors are not compliant now, and PCI standards are just growing tougher, why would merchandisers be any more likely to follow the new standards?

One reason, of course, is simple competitive advantage. As Joe Lindstrom, senior director of consulting, professional business services, with Symantec, points out, "There have been several high-level breaches of security recently. No company wants to be known as a company that doesn't comply with industry-wide data standards." However, there is more to the changes that may be coming to the industry. Another developing trend is stiffer penalties for non-compliance, combined with attractive incentives for compliance. Says Lindstrom, "It's pretty obvious the credit card companies are going to have to make some changes to enforcement, to spur greater adoption of security standards." We may already be seeing the beginning of such a trend. Visa's Coghlin specifically says, "We're also investigating solutions like uniform data security standards or perhaps a combination of incentives and fine structures with Visa members that should help drive greater compliance from their merchants and processors." He adds, "In addition to hard costs associated with these [data security] breaches, there's the much more important concern that cardholder trust in the electronic payments systems will erode -- with drastic impact on usage. I've committed that Visa will take a leadership role on this issue."

It remains to be seen if Visa is leading a united front on this issue. MasterCard has been quieter on the topic. Despite repeated requests for information, MasterCard representatives were unable to supply any comments for this article. Coghlin's is not the only voice that is pushing the industry to tighter security standards. In a recent report, analysts from Gartner state that the credit card vendors must take the lead in driving security practices to stay ahead of changing threats. After studying vulnerabilities in the current PCI DSS, they say, "the industry should be aggressive in driving improvements in the quality of software used to process electronic payments, and in the quality of systems integrators that implement, and/or maintain the software." Gartner's analysts suggest that testing against these PCI requirements, which is currently voluntary for software vendors, should be required for all payment applications, and more application vulnerability scanning requirements should be added to the quarterly vulnerability scanning requirements of the PCI DSS.

Major US Banks Advised To Replace Core Systems

Bank Systems Online
04-Apr-2006

US-based banks will have to replace core legacy systems in the near term to meet demand for real-time or near-real-time transactions, a recent TowerGroup report has advised. Many banks rely on complex middleware infrastructures to extend the life of their legacy systems and fix any shortcomings, but at some point replacement is needed. Large banks tend to address IT systems upgrades on a line-of-business basis, but this costs more than a direct core system replacement, which takes an average of 3 to 5 years per institution at a cost of at least USD 100 million.

Banks that install new core infrastructure, however, improve their time to market and operational efficiency while reducing maintenance costs and delivering more advanced products. For those offering treasury and cash management services, premium service quality is the key differentiator in a tightening competitive field with narrowing margins, TowerGroup notes in a separate report. Operational processes and infrastructure should receive IT resources for monitoring, to identify and resolve potential points of failure before corporate customers are negatively impacted.

Banks often do not offer value propositions for the building of customer loyalty, satisfaction and consolidation of banking relationships, but strategic IT investments can support product bundling, pricing and improved customer relationships. Institutions promoting service quality in treasury management can for instance use service level agreements and guarantees to define bank and client expectations from a partnership. Ultimately however, TowerGroup advises major US banks undertaking a core system replacement to use single-vendor solutions to contain costs and speed product implementation.

Reconciliation Is A 'Problem-Solver' For Banks

Yahoo! News
31-Mar-2006

End-to-end reconciliation technologies, which TowerGroup believes will constitute a market in excess of USD 310 million by 2009, are emerging as the investment industry's problem-solver. In the investment management space, financial institutions and vendors with most experience in reconciliation technology are extending solutions to manage exceptions instead of focusing only on matching, which is now a commodity function. Traditionally, cash and securities reconciliation resided deep in the back offices of investment management firms, but this is now changing.

Vendors of reconciliation solutions have been tweaking their products to provide integrated, next-generation solutions for a rapidly-maturing market. In this context the onus is on financial entities to implement reconciliation solutions and to integrate back- and middle-office processes that can limit a bank's ability to manage costs by minimizing exceptions. Although analysts have for some time seen enterprise reconciliation, or the consolidation of processes to one or several platforms, as a viable cost-cutting strategy, banks are only now realizing the potential of integration.

Unless next-generation exception management capabilities are leveraged, financial entities will miss opportunities to maximize the efficiency of their back-office processes. Enterprise-wide risk management solutions may for instance be delivered on a modular basis, with distinct modules for reconciliation, exception processing, business intelligence and risk management. Depending on the extent of a solution, analytics for insights, reporting and regulatory compliance controls may also be bundled within an integrated suite to deliver the fullest possible capabilities.

Payments Automation Could Cut Healthcare Costs

PR Newswire
29-Mar-2006

Healthcare costs in the US would fall if automated medical claims and payment processes were used industry-wide, a survey by The PNC Financial Services Group shows. Of the 150 executives surveyed, 90 per cent from hospitals and 86 per cent from insurance firms believe that efficient claims remittance processes would slow the rising cost of healthcare. If better billing and payment processes were used, half of hospital executives and 4 out of 10 insurance executives estimate that their organizations could save at least USD 1 million, and potentially up to USD 10 million.

Federal standards for healthcare payment and billing data would also help to reduce costs, with 90 per cent of hospital executives indicating that savings from automation would be reinvested in patient care. Defined standards would support the merging of healthcare remittance processing and financial services into a new sector known as Medical Banking, which will operate over EDI and EFT networks. Significantly, only half of insurance executives were aware that some financial institutions provide integrated payment remittance and processing services for health care claims.

Hospitals could benefit most from EDI and EFT networks, but current impediments to remittance automation include electronic claim forms that provide insufficient data compared to paper forms and inconsistent requirements from insurance firms. Eighty-four per cent of hospitals using EDI / EFT standards confirmed that their cashflow had improved, with 80 per cent gaining significant cost savings. Meanwhile, insurance executives see infrastructure costs, a lack of financial incentives and difficulty in measuring return on investment as their barriers to healthcare automation.

US Businesses Reacting To PCI Security Mandate

Multichannel Merchant
28-Feb-2006

The Payment Card Industry (PCI) security standard defines 12 items that businesses collecting customers' credit card and other data must adhere to, for maximum protection. A growing number of US states are also requiring businesses to encrypt sensitive consumer data or face strict penalties, which is pushing merchants into compliance. In short, merchants and businesses need an ongoing, robust data security program to reassure customers that both their information and their identity are protected against a potential information security incident.

Vulnerable touch-points on business information systems include the point of transaction (a POS terminal, a web site or a phone order), or when data is sent to a card processor for authorization, or to a head office from a store or a web site. Other weak spots include enterprise systems such as ERP, CRM or order processing, loss-prevention and fraud-detection applications and data that is routed to card processors for reconciliation. Implementing advanced encryption at each stage of data transfer, and securing communications with trading partners, is vital for business success.

Credit card and other consumer data should be encrypted on information systems at all times, and not stored in clear text, which allows hackers free rein in the event of a security breach. Likewise, all transactions and data transfers should be audited in a file that can be locked down to prevent its deliberate deletion if the data system is compromised. Access hierarchies limit data access to authorized individuals, with cashiers for instance accessing only the last four digits of a credit card number, while regular network security audits are required for full PCI compliance.
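Two of the controls in the paragraph above, masking the card number to its last four digits before any cashier-facing or logged view sees it, and an audit trail whose deletion or alteration can be detected, shown as an added Python example; it is not code from the article or from Princeton Payment Solutions. The HMAC key, the record layout and the transactions are constructed for the demo, and the tamper check goes a step beyond the article by also catching records cut from the newest end of the log, which hash chaining alone cannot see, via an externally held checkpoint.

```python
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Assumption for this demo: the HMAC key is held by the audit service, not by
# the POS host that writes records. The value is constructed, not a real key.
AUDIT_KEY = b"constructed-demo-audit-key"
GENESIS = "0" * 64  # "previous tag" value used for the very first record


def mask_pan(pan: str) -> str:
    """Cashier-facing view of a card number: only the last four digits survive."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("not a plausible PAN")
    return "*" * (len(digits) - 4) + digits[-4:]


def append_record(chain: List[dict], event: dict, key: bytes = AUDIT_KEY) -> dict:
    """Append an event. Each tag covers the previous tag plus this record's body,
    so deleting, reordering or editing any earlier record breaks every later tag."""
    if "pan" in event:
        event = dict(event, pan=mask_pan(event["pan"]))  # never write the full PAN
    prev = chain[-1]["tag"] if chain else GENESIS
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()
    record = {"seq": len(chain), "prev": prev, "body": body, "tag": tag}
    chain.append(record)
    return record


def verify_chain(chain: List[dict], key: bytes = AUDIT_KEY,
                 checkpoint: Optional[str] = None) -> Tuple[bool, int]:
    """Return (ok, index of first bad record); the index is -1 when intact.
    A checkpoint is the most recent tag as recorded by an external party; it
    is the only way to notice that records were removed from the tail."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        expect = hmac.new(key, (prev + rec["body"]).encode(), hashlib.sha256).hexdigest()
        if rec["seq"] != i or rec["prev"] != prev or not hmac.compare_digest(expect, rec["tag"]):
            return False, i
        prev = rec["tag"]
    if checkpoint is not None and not hmac.compare_digest(prev, checkpoint):
        return False, len(chain)
    return True, -1


def demo() -> dict:
    """Constructed register events; returns verification results for the intact
    chain and for three ways the trail might be tampered with after a compromise."""
    events = [
        {"store": 17, "register": 3, "amount": "42.10", "pan": "4111111111111111", "result": "approved"},
        {"store": 17, "register": 3, "amount": "9.99", "pan": "5500000000000004", "result": "approved"},
        {"store": 17, "register": 1, "amount": "120.00", "pan": "4111111111111111", "result": "declined"},
    ]
    chain: List[dict] = []
    for ev in events:
        append_record(chain, ev)
    checkpoint = chain[-1]["tag"]  # what the external checkpoint store would hold

    deleted = chain[:1] + chain[2:]                      # a middle record removed
    edited = [dict(r) for r in chain]                    # an amount rewritten in place
    edited[0]["body"] = edited[0]["body"].replace("42.10", "0.10")
    truncated = chain[:-1]                               # the newest record dropped

    return {
        "intact": verify_chain(chain, checkpoint=checkpoint),
        "deleted": verify_chain(deleted),
        "edited": verify_chain(edited),
        "truncated_no_checkpoint": verify_chain(truncated),
        "truncated_with_checkpoint": verify_chain(truncated, checkpoint=checkpoint),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The "truncated_no_checkpoint" case passes verification, which is exactly why the article's "locked down" file needs its latest tag (or a hash of the whole file) copied somewhere the POS host cannot write.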

Copyright © 2007/2008 Princeton Payment Solutions, All rights reserved.