
Posted Date: 1/5/2010

Prioritizing Data Security

By Josh Lennox
Senior retail managers who have relegated PCI compliance responsibility to lower levels of the organization may be missing a critical opportunity to protect and even grow the business. Evidence is ample that even after a months-long audit, attaining PCI-DSS compliance certification does not guarantee that the enterprise was completely compliant at that moment.

Retailers must adopt the mindset that data security is a critical and constantly moving target, and devote sufficient resources to developing a comprehensive framework to continually assess and address risk. A well-thought-out, comprehensive security plan can not only protect the enterprise from risk, but also reduce costs by abandoning a patchwork approach and enable innovation by providing a secure environment in which to develop new initiatives.

Retailers that think PCI compliance equals full data protection need to think again. The intent behind PCI DSS is to protect highly sensitive cardholder data, specifically in the transaction process. That's a good start. But when we read stories about PCI certified retailers suffering massive data breaches, it's clear that PCI DSS is not a roadmap to true security. Instead, compliance with PCI must be regarded as one often revisited milestone on the journey to a comprehensive, evolving approach to securing all of a retailer's sensitive data and networks.

Risk is Expanding
Complicating data security is the growing complexity of retail networks. As customer touchpoints expand, so does the risk. The proliferation of channels includes e-commerce sites, social networking sites and physical locations including offices, call centers, distribution facilities and stores. These often feature both wired and wireless networks (intentional or rogue) supporting a proliferating number and variety of associate-facing and customer-facing devices.

Integration of previously separate applications also is creating more pathways for data, both within retail organizations as well as through linkages with suppliers, distributors, service providers, financial partners and other third parties. IT trends including virtualization and cloud computing further deepen the complexity.

Unfortunately, many retailers have devoted disproportionate resources to PCI to the detriment of other security priorities, or assembled an array of point solutions that leave dangerous gaps in coverage.

According to a recent survey from Imperva and the Ponemon Institute, 71% of companies surveyed admit to not making data security a top strategic initiative, and 55% say they are only securing credit card information and not sensitive information such as Social Security numbers, driver's license numbers, and bank account details. A particularly troubling finding is that 60% of respondents don't think they have sufficient resources to comply with PCI and bring about a necessary level of cardholder security.

There are hopeful signs, however. According to AMR Research's Get Thyself PCI Compliant: The Latest Approaches and Recommendations, March 2009, "organizations are combining PCI compliance and management efforts into their overall corporate governance, risk management and compliance (GRC) organizations."

PCI: A Part of the Plan
To date, many retailers have prioritized PCI compliance over other types of data security and used PCI requirements as a framework guiding their data security project planning. But this approach creates an over-reliance on a generic roadmap that doesn't account for non-transactional data security or the unique aspects of each retailer's business. Most importantly, it draws attention away from the primary goal -- keeping your most valuable asset (your customers) safe from data theft.

PCI compliance remains essential, but here are some things to consider in formulating a response that also accommodates the greater goal of comprehensive security:

  • The PCI standard is not a one-time target. Retailers' IT environments are constantly changing, so a retailer can fall out of compliance even in the midst of an audit. At the same time, PCI requirements continue to evolve.
  • PCI compliance is not a rock-solid liability shield. Hannaford Bros. is among retailers whose credit card data was breached while the company was deemed PCI compliant. Compliant retailers' protection from civil suits is also now under serious threat; the viability of consumers suing for the time and effort required to reclaim their identity in the Hannaford case is being heard by the Maine Supreme Court. Even if that effort fails, future protection from consumer suits is not guaranteed.

Retailers must remain vigilant about evolving PCI needs and consider compliance solutions in the context of their comprehensive security plans. Among the recent changes:

  • New wireless standards: In July 2009, the PCI Security Standards Council published guidelines delineating how wireless security applies to PCI DSS 1.2 compliance. The guidelines recommend the use of a Wireless Intrusion Prevention System (WIPS) to automate wireless scanning for large organizations. According to wireless network vendors, a comprehensive approach to wireless security includes a pre-audit assessment, perimeter firewalls, comprehensive and up-to-date security support, a seamless portfolio of PCI-capable data capture products, policy compliance, 24/7 monitoring, and use of a WIPS tool, which can help retailers prove compliance at any given moment via reporting and forensics.
  • PIN Fines Delayed: Visa agreed to back off imposition of fines related to its PIN pad compliance deadline originally set for July 1, 2010, to the new date of Aug. 1, 2012.
  • New compliance strategies: Newer technologies retailers are applying to their PCI and other security efforts include tokenization, substituting a token or reference number for a credit card number or other sensitive data to eliminate on-site storage of that data; application whitelisting, deciding which applications and devices are approved to run in the retail environment while blocking any unauthorized software or storage devices to eliminate risks from unwanted software; and virtual terminal systems to eliminate local storage of card data, touted in a recent report from PricewaterhouseCoopers for the PCI SSC.
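To make the tokenization point concrete, here is an added illustration (not code from the article or from any vendor it mentions): a hypothetical token vault is the only component that ever sees the card number, while the retailer's order records hold only a random token and a last-four display mask. The test card number is a constructed value.

```python
import secrets
from typing import Dict

class TokenVault:
    """Hypothetical tokenization service (illustrative, not a real product).

    Only the vault holds the primary account number (PAN). Every other system
    stores the token, which is random and carries no information about the card,
    so a breach of the order database exposes no cardholder data.
    """

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        digits = pan.replace(" ", "")
        if not (13 <= len(digits) <= 19 and digits.isdigit()):
            raise ValueError("not a plausible card number")
        # The same card always maps to the same token, so repeat purchases
        # can be linked without any system outside the vault touching the PAN.
        existing = self._token_by_pan.get(digits)
        if existing:
            return existing
        # Random token: nothing about the PAN can be recovered from it.
        token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = digits
        self._token_by_pan[digits] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment path, inside the vault's trust boundary, calls this."""
        return self._pan_by_token[token]


def masked_pan(pan: str) -> str:
    """Display form (last four digits only), permitted outside the vault."""
    digits = pan.replace(" ", "")
    return "*" * (len(digits) - 4) + digits[-4:]


def record_order(vault: TokenVault, order_id: str, pan: str) -> dict:
    """What the retailer's order database stores: token and mask, never the PAN."""
    return {
        "order_id": order_id,
        "card_token": vault.tokenize(pan),
        "card_display": masked_pan(pan),
    }


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed test PAN; 4111 1111 1111 1111 is a well-known test number.
    print(record_order(vault, "A-1001", "4111 1111 1111 1111"))
```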

PCI is overly complex and has done little to stop payment card data thefts and fraud. Nevertheless, addressing evolving PCI requirements is a critical part of a retailer's security strategy. PCI not only forms a foundation on which a broader plan can be built, but it becomes the first line of defense against increasingly sophisticated hackers.

The bottom line is this: PCI DSS has proven itself unsuited to the task of ensuring complete data protection. To prepare for a secure 2010 and beyond, retailers must engage in industry best practices and prioritize data security not only to attain compliance, but to minimize risk across the enterprise.

Retailers must understand their unique security needs and develop a comprehensive framework for addressing today's vulnerabilities, as well as setting up mechanisms to evolve security protections as new threats emerge.


This article is an excerpt from the RIS Thought Leadership Report, "Comprehensive Security: Going Beyond the First Lines of Defense." To download the full report, go to www.risnews.com and click on the "Thought Leadership" tab.
