The Green Sheet Online Edition
May 29, 2007 • Issue 07:05:02
PCI: The 'little engine that could' gains steam
News of TJX Companies Inc.'s internal system lapses blazed through the media this year. But risk assessors routinely spy dirty laundry that is never aired, usually because merchants clean it up pronto once it's found. For many, this averts the harm and humiliation of a data breach.
AmbironTrustWave, for example, encountered a golf pro shop client teeming with problems due to a lack of the most basic system safeguards. The assessor found 15,000 viruses in its system.
"Alarms were going off," said Nicholas J. Percoco, Vice President of SpiderLabs, a unit of AmbironTrustWave. He spoke during a Compliance Day seminar at the 2007 Electronic Transactions Association Annual Meeting & Expo in April.
There was also the brick-and-mortar merchant with thousands of locations but only one constant user ID for all employees accessing the system. And then there was the merchant who asked his POS system integrator all the right questions, such as whether the software vendor was listed as compliant with Visa U.S.A.'s Payment Application Best Practices (PABP).
The vendor's new software was compliant. But the integrator, which still owned licenses for older, precertified software, quietly installed a noncompliant version without the merchant's knowledge.
The list of retailer errors is predictable: They often fail to change vendor-supplied passwords on all software and equipment; they don't upgrade to new, higher security software applications and operating systems; and they neglect to add patches to existing systems. "You'd be surprised how many times firewalls are not there," Percoco said.
Retailers think of security as physical barriers to entry and shoplifting: surveillance cameras and bars that lower at night. "They can't see what's going on within their POS system," he said.
And sometimes POS security is physical. Assessors for the largest merchants do penetration tests: "We try to talk our way past the guards to a data center," and AmbironTrustWave is occasionally successful, even when those attempting the penetration offer no form of ID, Percoco added.
Derailment by data
Merchants ask data security assessors how long they can or should retain data for forensic purposes. But the answer is not so simple. "It's always the data a company didn't know about that falls into the wrong hands," said A. Bryan Sartin, Vice President, Investigative Response for Cybertrust, a company specializing in global information security.
The key to preventing data loss is in understanding what sensitive data a merchant may be storing and where. "I would say 18 months to a year [of data] is fine," and even up to three years for the most crucial information "provided it is very well-secured," Sartin said.
That means never storing full track data and keeping necessary information encrypted behind firewalls and passwords. Sartin added a fail-safe solution: "If you're not storing [data], you're not going to have a compromise."
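Sartin's point is that compromises come from data a merchant did not know it was holding, so a defender's first step is to look for track data in places it should never be: POS debug logs, database dumps, backups. The Python script below is an added example, not code from The Green Sheet, AmbironTrustWave or Cybertrust. It scans text for the standard ISO 7813 Track 1 and Track 2 layouts, applies the Luhn check to weed out false positives, and reports only masked PANs so that the scan report does not itself become stored cardholder data. The log lines are constructed for the example and the field lengths assumed in the regular expressions follow the usual track layouts.

```python
import re

# Constructed sample: a fragment of a hypothetical POS debug log that, like the
# legacy software described in the article, has been writing raw swipes to disk.
SAMPLE_LOG = """2007-05-01 12:00:01 auth ok txn=1001 amount=42.10
2007-05-01 12:00:02 raw swipe: %B4111111111111111^DOE/JOHN^25121011234567890?
2007-05-01 12:00:03 raw swipe: ;5500000000000004=25121011234567890?
2007-05-01 12:00:04 test card: ;1234567890123456=2512101?
2007-05-01 12:00:05 settled txn=1001 pan=411111******1111
"""

# Track 1, format B: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the usual allowance for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(text: str) -> list:
    """Scan text line by line; return one finding per track-data match.

    Each finding carries the line number, which track was matched, the masked
    PAN, the expiry as YYMM, and whether the PAN passes the Luhn check. The
    full PAN, cardholder name and discretionary data are deliberately not kept.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in TRACK1_RE.finditer(line):
            pan = m.group(1)
            findings.append({"line": lineno, "track": 1,
                             "pan_masked": mask_pan(pan), "expiry": m.group(3),
                             "luhn_ok": luhn_ok(pan)})
        for m in TRACK2_RE.finditer(line):
            pan = m.group(1)
            findings.append({"line": lineno, "track": 2,
                             "pan_masked": mask_pan(pan), "expiry": m.group(2),
                             "luhn_ok": luhn_ok(pan)})
    return findings


def summarize(findings: list) -> dict:
    """Count hits that look like real cards (Luhn passes) versus noise."""
    likely = [f for f in findings if f["luhn_ok"]]
    return {"matches": len(findings), "likely_cards": len(likely),
            "lines": sorted({f["line"] for f in likely})}


if __name__ == "__main__":
    hits = find_track_data(SAMPLE_LOG)
    for h in hits:
        flag = "LIKELY CARD" if h["luhn_ok"] else "luhn fail"
        print(f"line {h['line']}: track {h['track']} {h['pan_masked']} "
              f"exp {h['expiry']} [{flag}]")
    print(summarize(hits))
```

Run against a real log directory, the `lines` list in the summary is what you hand to the merchant: those are the places the application is writing full track data and the retention question Sartin is asked becomes moot, because that data should not exist at all. Lines with a Luhn failure are still worth a glance, since test cards and partial writes look just like this, but they are not reported as cardholder data.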
On track, almost
By March 31, 2007, 95% of Visa level 1 merchants had confirmed they were not storing track data; 35% were in full compliance with the Payment Card Industry (PCI) Data Security Standard; another 51% were in remediation, according to Eduardo Perez, Vice President of Payment System Risk & Compliance for Visa.
Bob Russo is the newly appointed General Manager for the PCI Security Standards Council, an independent industry standards body providing management of PCI on a global basis.
Russo noted that the seemingly low number of level 1 merchants in compliance is not representative of the work that nearly all such retailers have done. The actual statistic for both levels 1 and 2 merchants on the road to compliance is 90%, he said.
"Tell your readers about ... the awareness and the adoption of [PCI]," he said in an interview with The Green Sheet. "We've got companies that have budgeted in the tens of millions of dollars and put together plans to become compliant over a two to three year period.
"And while they may not meet the letter of the law right now, they're maybe 95% there. Often, a retailer will have just one change to make to a legacy system, but the programming requirements to accomplish it are enormous."
Perez said the high level of compliance activity by level 1 merchants "demonstrates buy-in." At level 2, 93% have confirmed they do not store track data, 26% are in compliance and 22% are in remediation. At level 3 (e-commerce merchants, for whom track data does not apply), 51% are compliant, and 16% are in remediation.
At level 4, which represents 32% of all Visa transactions, track data storage has yet to be determined, and PCI compliance is low, Perez said. He added that 87% of processors are compliant, with the remaining 13% in remediation.
Help along the way
Actions that processors, ISOs and merchant level salespeople can take to bring merchants into PCI compliance include asking what payment application is currently in use to determine if it stores track data; certifying only PABP applications; and walking clients through all applicable PCI requirements.
To make it easier to know whether a payment application stores track data, Visa published a list of products that have been involved, directly or indirectly, in card data compromises (See "Visa identifies apps storing sensitive data" in this issue of The Green Sheet).
In addition, MasterCard Worldwide is "looking forward" to Visa's PABP becoming part of PCI for applications, said John Verdeschi, MasterCard's Vice President for Advanced Payments.
And in February, the PCI Council board of executives voted to bring the PCI PIN entry device standard under the council's auspices, said Council Chair Seana Pitt. "This is a great step forward."
Not all can hop aboard
MasterCard has received questions about using PCI more broadly across industries, but "we wouldn't want it to be subsumed by others and out of our control," Verdeschi said.
Russo also has reservations about allowing government or other industries to adopt PCI. The standard is still "too young" for the council to lose control of it. "We need to make sure that we steer it where it needs to go, so that it's well-entrenched," he said.
The council met recently in Washington, D.C., with representatives of various industries that have expressed an interest in adopting PCI. "We told them we're not ready" to open the standard to outsiders, Russo said.
Legislators are interested in PCI because "they see that the standard ... is gathering momentum, but I don't want them in the middle of it at this point," Russo added. "I think they're seeing that this is one of the best, if not the best, standard out there. They see that the PCI DSS is more prescriptive than other standards."
Laying new track
The PCI Council will hold a meeting in Toronto Sept. 17 to 19, 2007. It will give participating payments industry professionals, approved qualified security assessors and approved scanning vendors a chance to meet with council executives and committee members and to hear representatives from throughout the payments chain share their perspectives.
The council has also begun soliciting feedback from stakeholders about PCI's current version as a step toward updating the standard. It will present an overview of findings to date at the September meeting.
Additionally, the PCI Council has initiated an election process for a board of advisers. The board will represent nearly 200 participating organizations and provide technical and strategic guidance.
The council will publish answers to frequently asked questions: It has received about 500 questions on PCI implementation thus far. Also on the council's agenda will be merchant training sometime later this year. It will include both webinars and half-day meetings for retailers.
For more information about the PCI Security Standards Council, visit www.pcisecuritystandards.org.