Target on Your Back
High-profile data breaches put retailers in public crosshairs
By Angel Abcede
aabcede@cspnet.com
Years from now, when the topic of data security comes up, retailers may talk of the time before
Target, and the time after, as the ripple effect of 110 million compromised consumer credit-card
numbers flows outward.
Clearly, the breach at the Minneapolis-based mass merchant, and subsequently those of high-profile
retailers Neiman Marcus, Nordstrom and Michaels—and even the revelation from several state
attorneys' offices that c-stores have fallen victim—ignited a media firestorm, renewed public debate
over identity theft and eventually led to Congressional hearings that brought retailers, association
leaders and financial executives to the Hill to testify.
“It’s definitely an eye opener,” says Maximo Ricardo Alvarez, vice president of Sunshine
Gasoline Distributors, Miami. “It shows that any retailer, no matter how big or small, can
experience that nightmare and be [compromised] in the blink of an eye.”
For Alvarez’s chain of more than 200 c-stores in South Florida, finding solid third-party
suppliers to help manage the payment process is critical. “[It’s about] good partnerships with
security and technology companies and being confident in their products,” he says. “They’re IT
professionals … who know a lot more than I do.”
While retailers have had to comply with mandated credit-card standards that went live for many
as of 2010, recent headline-grabbing breaches have dampened thoughts of invincibility and
rained down near-term repercussions, including:
- Fueling debate and support for different security measures, some of which require
significant investment on the part of retailers. This burden is on top of millions of dollars already
invested in mandated upgrades completed just a few years ago.
- Increasing public awareness and scrutiny of the decisions retailers make regarding data
security.
- Sparking Congressional hearings, which may lead to legislative regulation.
For c-store and petroleum retailers, the real concern is awareness—or lack thereof, according to
Nizam Uddin, director of security and compliance for MegaPath Corp., Pleasanton, Calif. One of
Alvarez’s vendor partners, MegaPath, secures and manages his data transmission network.
“Retailers handle their cash securely,” Uddin says. “They have cash drawers and know who’s
[authorized] to handle the safe. It’s all monitored, all accounted for, so they’re not short $10 or
$15 every day. But they don’t do that with credit-card machines or the environment around it.”
Having the tools in place and, even more important, the training to create a secure data
environment on a daily basis is the skill set more retailers need, Uddin says.
“You have to be vigilant,” Alvarez says. “[Incidents such as Target] make everyone more
conscious, more aware of that kind of threat and to take it seriously.”
Breach History
What exactly happened at Target has been the focus of much media scrutiny.
The chain itself is releasing few details, declaring the matter under investigation by the proper
authorities. On its website, it tells customers that in mid-December 2013, the company “learned
criminals forced their way into our system, gaining access to guest credit and debit card
information. As the investigation continued, it was determined that certain guest information was
also taken. The information included names, mailing addresses, email addresses or phone
numbers. We have partnered with a leading third-party forensics firm who is thoroughly
investigating the breach.”
Delving further into the subject, Brian Krebs, a former Washington Post reporter and
security blogger based in Merrifield, Va., has cited sources that point to a third-party heating,
ventilation and air conditioning (HVAC) company that had access to Target's systems. Krebs,
named by several news sources as the one who initially broke the Target story, said that access
allowed criminals to insert malware that eventually made its way onto point-of-sale (POS)
registers at multiple stores in Target's chain.
Whether or not Krebs' report is accurate, the broader point is clear: data thieves are resourceful
and opportunistic.
And Target may just be today’s poster child for data breaches, according to Gray Taylor,
executive director of the Petroleum Convenience Alliance for Technological Standards
(PCATS), Alexandria, Va. “There may be five or six Targets” before upcoming credit-card
mandates designed to update today’s payment processes actually force change, he says.
Breaches the size of Target’s are certainly not without precedent. In 2007, TJX Inc., parent of
department-store chains T.J. Maxx, Marshalls and Bob’s Stores, said hackers stole 45.6 million
credit-card numbers. The following year, hackers broke into computers that Heartland Payment
Systems used to process 100 million payment-card transactions per month for 175,000
merchants.
Last year, 7-Eleven Inc. was among more than a dozen companies hacked in what the U.S.
Department of Justice called the largest such scheme ever prosecuted in the United States. A
federal indictment made public last July in New Jersey charged five men with conspiring in a
worldwide hacking and data-breach scheme that targeted major corporate networks, including
that of the Dallas-based convenience chain, and stole more than 160 million credit-card numbers.
In another case, a Manhattan district attorney's announcement spoke of indictments in data-breach
cases involving c-stores in the South and Southeast. At least two other publicly reported
incidents involving c-stores have arisen in the past year.
Lawmakers Step In
Recent months have seen a line of representatives from retail channels to associations to
financial institutions parade before U.S. House and Senate committees to discuss the matter.
This past March, the PCI Security Standards Council, a forum created by the major
credit-card companies to set their standards, testified before the House Financial Services
subcommittee on "Financial Institutions and Consumer Credit" about its PCI (payment card
industry) standards.
Troy Leach, the Wakefield, Mass.-based organization's chief technology officer, covered data-security
best practices that "include a multilayered approach involving people, processes and
technology"; Europay MasterCard Visa (EMV) chip technology; and how data security can't be
solved by a "single technology, standard, mandate or regulation."
Still, EMV is the next set of mandated upgrades coming down the pike for retailers, which for
them means new equipment to accept plastic cards carrying chip-and-PIN (personal identification
number) technology. Adopted widely in Europe and Canada, EMV adds another level of data
security to the transaction. For POS devices, the PCI deadline for upgrades is October 2015, and
for dispensers it's October 2017.
But observers such as Taylor of PCATS, which is the technology adjunct of NACS, fear that if
existing mandates for EMV and many of the other suggested security measures all become
requirements, costs to the retail community will be prohibitive and “put the small merchant out
of business.”
The real answer, he says, is in continued discussion involving all stakeholders. “We’re working
hard not to get the short end of the stick,” he says. And while the Foster City, Calif.-based Visa
Inc. a few months ago seemed ready to relax pending EMV deadlines, the Target revelation
seems to have put pressure on them to keep the EMV momentum going. “Now it’s EMV now
and EMV forever,” Taylor says.
A retailer based in the Northeast, who spoke to CSP magazine on condition of
anonymity, concurred, saying that technologies such as EMV will take years to implement at a
tremendous cost, all the while giving hackers time to adapt.
“It’s like trying to put a ladder to reach the top of a tree,” he says. “Every time you want to reach
the top, the tree grows and you need a new ladder.”
Ultimately, Taylor does see a “multilayered” solution being the answer, with the specifics all
about what all stakeholders can work together to agree upon, whether those steps require
technology, processes or training.
PIN-based Solutions?
One of the solutions called for by those speaking on the Hill is eliminating signature-based credit
cards altogether.
A representative from the Washington-based National Retail Federation in March told the Senate
Committee on Commerce, Science and Transportation that “it’s time for an overhaul of the
nation’s fraud-prone credit- and debit-card system,” saying banks’ insistence on cards that use a
signature instead of a PIN puts merchants and their customers at risk.
“Everything a fraudster needs is right there on the card,” said Mallory Duncan, senior vice
president and general counsel for NRF, in a release, talking about how the cardholder’s name
and account number are clearly printed on each card along with the expiration date and security
code. “The bottom line is that cards are poorly designed and fraud-prone products that the system
has allowed to continue to proliferate.”
The idea sits well with Taylor of PCATS. However, he says, “It’s in the best interest of the
credit-card companies not to do so. If you put a PIN on every card, Visa would lose 62% of its
transaction volume. If I were Visa, I wouldn’t want to see that happen.”
Visa representatives were not available to respond by press time.
In for a Penny
Essentially, these PCI mandates have included a set of 12 requirements and 221 sub-requirements
covering items such as data encryption, patching, system hardening, physical
security, auditing, logging and application security, according to the PCI council's website.
For retailers, the investment has already surpassed the hundreds of millions in upgraded POS
devices and PIN pads, and retrofitted pumps or new dispensers altogether for many. The PCI
mandates came in waves for large and small retailers, but essentially 2010 brought the big
deadline; 2012 was a secondary, catchall timeframe drawn in the sand that covered POS devices.
Though dispensers are part of that compliance mandate, the credit-card companies appear to be in
limbo with regard to enforcing those upgrades, observers say.
What is coming for many retailers in 2014 is compliance with the new 3.0 version of the PCI
standards, which places about 100 changes in rules and tracking tasks on retailers with regard to
people and processes, says Shekar Swamy, president and senior security strategist for Omega
ATC, a St. Louis-based data-management and risk-assessment firm.
One of the more difficult mandates for retailers will be “continuous compliance,” which Swamy
calls a big change, and one that differs from the 2.0 version. “For these merchants, quarterly
scanning and wireless intrusion checks are not adequate anymore,” he says.
Retailers have to upgrade from 2.0 compliance to 3.0 a full year after their last compliance check
in 2013. However, if retailers have not been compliant at all, they will need to abide by 3.0
standards immediately, because the January 2014 deadline has already passed, Swamy says.
He did clarify that his company, along with many other assessment and data-management
companies, follow a “prioritized” approach. So because 2.0 is easier to comply with, he
suggested that any firm not in compliance “start with 2.0 and then move to 3.0.”
Many of the new requirements tie back to people, Swamy says. For instance, every employee
who accesses the systems in the cardholder environment needs a login and password that
changes every 90 days. Retailers must document these changes. Another related aspect is with
terminated employees. New rules say that retailers have to make sure that terminated employees
no longer have access to data and that they document such actions.
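One way to run the two people-focused checks just described as a routine job, as an added example that is not the article's or any vendor's code; the account records, the hr_status field and the way the 90-day limit and termination rule are encoded are assumptions built from the article's description:

```python
"""Continuous-compliance check for logins into the cardholder environment.
Added example, not code from the article or any vendor it names. Constructed data."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

MAX_PASSWORD_AGE_DAYS = 90  # rotation interval the article cites

@dataclass(frozen=True)
class Account:
    user: str
    last_password_change: date
    enabled: bool          # login currently allowed on POS/back-office systems
    hr_status: str         # "active" or "terminated" (assumed HR-feed field)
    termination_date: Optional[date] = None

def audit_accounts(accounts: List[Account], today: date) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return (findings, audit_log): (user, issue) pairs needing action, plus one
    evidence line per account reviewed, which is the documentation PCI asks for."""
    findings, log = [], []
    for acct in accounts:
        age_days = (today - acct.last_password_change).days
        if acct.enabled and age_days > MAX_PASSWORD_AGE_DAYS:
            findings.append((acct.user, f"password is {age_days} days old (limit {MAX_PASSWORD_AGE_DAYS})"))
        if acct.hr_status == "terminated" and acct.enabled:
            since = acct.termination_date.isoformat() if acct.termination_date else "unknown date"
            findings.append((acct.user, f"terminated {since} but login still enabled"))
        log.append(f"{today.isoformat()} reviewed {acct.user}: enabled={acct.enabled} "
                   f"pw_age={age_days}d hr_status={acct.hr_status}")
    return findings, log

# Constructed sample records standing in for a store's user directory.
SAMPLE_ACCOUNTS = [
    Account("alice", date(2014, 3, 15), True, "active"),
    Account("bob", date(2014, 1, 10), True, "active"),                          # rotation overdue
    Account("carol", date(2014, 4, 20), True, "terminated", date(2014, 4, 25)), # still enabled
    Account("dave", date(2014, 2, 1), False, "terminated", date(2014, 3, 1)),   # correctly disabled
]

def run_sample(today: date = date(2014, 5, 1)):
    return audit_accounts(SAMPLE_ACCOUNTS, today)

if __name__ == "__main__":
    found, evidence = run_sample()
    for user, issue in found:
        print(f"ACTION {user}: {issue}")
    print("\n".join(evidence))
```

The evidence lines are what an assessor reviews to confirm the check actually ran; the findings are the two conditions the article says 3.0 requires retailers to act on and document.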
But compliance to standards doesn’t necessarily equate to data security. As Uddin of MegaPath
points out, real protection goes beyond checklists and points to what employees do on a regular
basis.
For instance, employees should make sure a card machine is the same one they used yesterday,
and not somehow swapped out. At gas stations, skimming devices or electronic attachments can
be affixed to card swipes or placed inside dispensers to capture card data as people pay
for gas.
Remote locations, which make up the network of many c-store chains, are especially vulnerable,
he says. Offices where store managers do back-office work, for instance, are often not secure,
nor are the devices in them. Many of these pieces of equipment can route sensitive information
or provide access to a chain’s internal systems.
“You’ll see that everyone’s corporate data center is very secure, but when you look at remote
locations, they’re not as secure as their data center,” Uddin says. “But it’s just as important.”
[Sidebar] A Brief History of Breach and Compliance
While Target has essentially been the “target” of much of the publicity around recent data
breaches, such crimes have occurred on a large scale in the past, as has the effort to better secure
the transaction processes at retail locations. One of those efforts, called Europay MasterCard
Visa (EMV), will hit the channel in the next few years.
Here’s a brief history:
2004—MasterCard, Visa, American Express, Discover and JCB create and collaborate on
payment-card practices, effectively starting the PCI (payment card industry) Security Standards
Council.
2005—Initial standards take effect as monitored by the five council founders.
2007—TJX and its affiliated chains, T.J. Maxx, Marshalls and Bob’s Stores, discover a breach.
2008—Heartland Payment Systems uncovers a breach.
2010—Initial PCI deadlines force the replacement of “workhorse” registers commonplace in
convenience and petroleum retail, as well as PIN pads inside the store and in dispensers that
were not compliant.
2012—Full PCI compliance mandated for countertop POS; dispenser upgrades less of a focus for
enforcement.
2013—Target discovers hacking and the compromise of credit-card numbers.
2015—EMV deadlines for POS registers.
2017—EMV deadline for automated fuel dispensers.
Sources: PCI Security Standards Council, various news reports