Retail & Restaurant Data Security: Why You Should Care More
By Bernadette Wilson, associate editor, Business Solutions magazine
Arming your company with the standards of the Payment Card Industry (PCI) is a major step toward card data security. However, it might not be enough of a defense against cybercrime to protect other facets of your business. In his presentation at this year’s RSPA (Retail Solutions Providers Association) RetailNOW, Jim Maloney, CISO of Mercury, said it is important to identify and protect all vulnerable customer areas and to have the right weapons in place in case of an attack.
Know Your Enemy, Know The Consequences
Verizon’s 2013 Data Breach Investigations Report says 24 percent of all data breaches occurred in retail and restaurant environments. Threats include hacking, malware, and physical theft, or a combination of attacks. The data breaches studied in the report share common aspects. Most were “opportunistic” and occurred where intrusion was “low difficulty.” Almost three-fourths targeted user devices, and about two-thirds took months or more to discover.
Maloney said a breach can result in a business sustaining an investigation, complying with notification laws, funding legal costs, launching a public relations campaign following the breach, paying card association fees, moving to an elevated PCI tier, remediating damages, losses, and an injured reputation, and possibly declaring bankruptcy. Look no further than the story/video (http://www.youtube.com/watch?v=7W-k3R2N7Zk) the RSPA did on Carla Yarbrough, a restaurant owner who experienced a breach that cost her about $120,000 in fines and fixes. No matter what priority you place on PCI compliance, a breach, should one occur, could destroy your customers and your business.
How PCI Helps You
The PCI Data Security Standard (PCI DSS) gives the framework for a payment card data security process. This framework addresses prevention, detection, and reaction to incidents. PCI’s Payment Application Data Security Standard (PA-DSS) is guidance for software vendors to develop secure payment applications, and the PCI maintains a list of Validated Payment Applications that meet it. The PCI also publishes PIN Transaction Security (PTS) requirements for the devices that accept PINs.
Recently the PCI published a preview of the version 3.0 changes for PCI DSS and PA-DSS. The new versions will be published on November 7, 2013, and will become effective on January 1, 2014. Version 3.0 provides guidance on making PCI DSS a best practice rather than a once-a-year assessment. It also includes security policies and procedures with each requirement; new requirements for POS terminal security, for penetration testing, and for validating network segmentation; and expanded software development life cycle security requirements, including threat modeling.
PCI Is Just The Beginning
Maloney said that in addition to complying with PCI standards, retailers and restaurant managers should look at vulnerabilities that might exist in areas of their businesses beyond payment card data. For example, he said, hackers might not be able to reach payment card data through a store’s website, but they could change prices or the terms of loyalty programs and cause “havoc” at the store. Physical security, not only for loss prevention but also to protect devices and records that contain sensitive data, is another area to consider.
He suggests the following resources as you evaluate all areas in which you need to protect your business:
- Open Web Application Security Project (OWASP) Top 10 Risks: This list gives the 10 most common web application security risks.
- SANS 20 Critical Security Controls (CSC): A prioritized list of 20 controls that would stop most attacks.
- ISO 27000 Series Standards: These are the international standards for an information security management system.
- The Gramm-Leach-Bliley Act (GLBA): This law requires financial institutions to explain their information-sharing practices to customers and to safeguard data.
- National Institute of Standards and Technology (NIST) Special Publications: Publications are available on a variety of security-related topics.
Maloney calls for the industry to take the initiative to arm itself and fight data breaches and cybercrime. “If we don’t step up in terms of security as an industry, then more government intervention can be expected,” Maloney says. Of course, the most important consideration is protecting your customers. Not only will offering security services help protect them, it could also become a valuable offering from which to earn monthly recurring revenue.