Bite the Bullet | NACS Online – Magazine – Past Issues – 2009 – April 2009

Bite the Bullet

By Jerry Soverinsky

I suspect the only thing more maddening than watching kindergartners play soccer is being a kindergartner playing soccer.

I attended my nephew’s soccer game last month, and his team had fallen mercilessly behind (though the teams didn’t officially keep score). During a kicked-shin timeout, my nephew skipped over to his mother, pleading with her to end the humiliation.

"Can we please go home!" he begged.

"Honey, there’s still a lot of time left," she replied, feigning optimism. "You’re doing great."

"What’s the point!" he shot back. "We’re still gonna lose!"

"You’re doing great," replied my sister-in-law unconvincingly, gently leading my nephew back to the game. "You’re doing great."

I thought of my nephew’s soccer game as I considered the recent Heartland data breach.

Credit card processor Heartland Payment Systems announced in mid-January that hackers had breached its computer systems in 2008, accessing an untold number of credit card accounts. The company handles an average of 100 million transactions each month for 175,000 small- and medium-sized businesses, and investigators are speculating that the size and scope of the compromise could make it one of the largest and most severe ever reported (for more on the data breach, visit www.2008breach.com).

To date, separate class action suits have been filed on behalf of consumers and financial institutions.

All of this spells a protracted legal and financial mess for Heartland, as well as untold headaches and expenses for thousands (and perhaps millions) of consumers and businesses. You might question whether Heartland had taken the appropriate data security protective measures — but here's the kicker: At the time of the data breach, Heartland was PCI compliant.

As a credit card processor, Heartland was subject to some of the most stringent data security standards, and during its most recent audit in April 2008 — and as reported by Visa — it had "successfully completed an assessment based on the PCI Data Security Standard (PCI DSS)" by Trustwave, a Qualified Security Assessor (QSA) that has helped 30,000 organizations manage their compliance and security protocols.

On paper, Heartland seems to have done everything by the book. And yet a data breach — a massive, unprecedented breach — compromised its system.

As a retailer, you've been hearing for several years now about the importance of becoming PCI compliant and the potential consequences if you don't. But in light of Heartland's data breach, the obvious question is: why should you become PCI compliant if the approved standards, as attained by Heartland, still leave systems exposed to security vulnerabilities and legal trouble?

"It would be really easy to get discouraged," conceded Gray Taylor, former NACS vice president of technology and research and now a NACS consultant. "Heartland is one of the most secure processors, and they've taken [security] seriously from day one."

It’s not an isolated accolade, but one shared generally by industry insiders.

Like my nephew heading back into the soccer game with the outcome all but certain, is the endeavor of becoming PCI compliant an exercise in futility, too, one doomed to defeat? Is there anything you can do, PCI or not, to protect your customers and business?

The answer to these questions, NACS maintains, is that the fight for data security is relevant; you're still very much in the game and there are steps you can take to control the outcome.

Standards Recap
Unless you've been living in a retailing spider hole for the past few years, you're no doubt aware of PCI standards: the 12 requirements of the DSS, retailer classification levels and the penalties if you are either in non-compliance or subject to a data breach.

In a nutshell, the Payment Card Industry (PCI) Security Standards Council, formed by the five major card brands, established (and continues to revise) the Data Security Standard (DSS), which is designed to protect the cardholder data on your customers' payment cards. The measures that merchants must take to secure that data depend on your retailer classification level, as determined by your transaction volume.

Regular audits help ensure that you're compliant with the DSS, and if you're not, depending on your retailer classification level, you're subject to heavy fines ($25,000 per month for Level 1 and Level 2 merchants) and the revocation of your right to accept credit cards, among other card brand-imposed penalties — and this is regardless of whether a data breach actually occurs.

If you incur a data breach and you are found to be non-compliant, the results can be disastrous for your business — not to mention the harm your customers could suffer. Not only do you risk card brand-imposed penalties (Level 1 and Level 2 merchants can be fined $500,000), you’ll likely face high costs associated with the following: notifying all suspected cardholders that their information might be compromised, defending yourself against inevitable lawsuits and controlling the PR damage from publicly announcing the data breach — all of which could threaten your company’s survival.

"Because I Said So!"
This all comes back to the Heartland case and the pursuit of data security: If becoming compliant doesn’t guarantee security and eliminate data breach-related threats to your operations, why the emphasis on PCI standards and compliance?

Here’s the blunt answer, and you probably won’t like it: The credit card companies require it.

"Forget about 'standards,'" said Michael Davis, NACS vice president of member services. "These are mandates, another form of interchange, driven by the five major card payment brands to relieve themselves of any risk, passing it down to the retailer under the auspices of protecting consumer data, and the retailer is in the middle here."

Davis said that the PCI Security Standards Council, which is fully staffed solely by the card brands, pushes through the PCI compliance standards without having to answer to anyone, including those who are responsible for enforcing and implementing the standards.

"There is not one retailer, not one processor, not one issuing bank, not one auditor, not one technology company sitting on the council," said Davis.

While the PCI Security Standards Council has developed a Board of Advisors that "provides input to the organization and feedback on the evolution of the PCI DSS," according to the Council, in reality the board has very little influence.

"The plain truth is that the Board of Advisors review 'standards' a month before issuing and can 'comment' but have no input on the standards themselves," explained Davis. "In essence, the card brands run the Council, the card brands man the committees that develop the standards, and the card brands are the ones that interpret and enforce the standards."

Leaning On the Council
So while the process might be unfair, as long as you accept credit cards, there is not much you can do about the standards and compliance penalties. However, lest you feel completely helpless, understand that NACS has been and continues to be an outspoken critic of the process, and is committed to helping bring about change.

"NACS has joined the PCI Security Standards Council as a Participating Organization," said Davis, "and is lobbying for a Board of Advisors seat. Over 40 NACS members are already Participating Organizations and we are looking to use our size to apply greater pressure through the Council. We have engaged PCATS [Petroleum and Convenience Alliance for Technology Standards] to assist in any future standards development."

One standard that NACS would like to see implemented is the requirement of PIN-based technology for all card transactions — not just ones that are debit-based.

"Putting a four-digit PIN on every card transaction might have made the Heartland breach meaningless," said Taylor, who said that the Council's resistance to PIN-based transactions is a financial one.

"It boils down to transaction pricing," said Taylor, referring to the cost differential between credit and debit transactions. However, that may change, as the costs of PIN-based transactions rise. "As soon as [PIN-based transactions] become as expensive as credit card transactions, you'll see the adoption of PIN-based cards," predicted Taylor. "The trend is clearly there."

However, this added level of security would not come without cost to retailers. "Requiring a PIN for all debit and credit transactions would undoubtedly improve the security of card transactions significantly," said Jim Huguelet from The Huguelet Group LLC, a strategic IT consulting firm. "However, the amount of money and effort involved to make a fundamental change in the way consumers use credit cards across both brick-and-mortar as well as online merchants would be staggering."

In the meantime, NACS continues to advocate on behalf of retailers, continually pushing for change, at the very least in terms of the decision-making process.

"We have a shared interest and responsibility in customer [data security], but we don't have a shared involvement in how we do it," said Taylor. "We represent the industry to say that there might be a better way to do it, and we're trying to build those security walls to make [breaches] more difficult."

The Eight-Step Program
While the overall focus for NACS is on data security, that doesn’t rest solely with PCI compliance.

"We're missing a broader point," said Lisa Stewart, president of Impact 21 Group LLC, and a NACStech workshop moderator. "We have found over and over again that retailers do not have an appropriate level of IT infrastructure to protect their own data and systems. My biggest concern is that they have to start down the [data protection] path...that we're at significant risk even without PCI [compliance]."

Toward that end, NACS, in partnership with PCATS, W. Capra, and Coalfire Systems, has developed an eight-step plan designed to help retailers achieve data security. While some of the steps might be financially impractical for small retailers, they represent a best practices approach for ensuring maximum protection.

Step 1: Learn About PCI DSS, PCI PED and PCI PA-DSS
As you've already recognized, PCI compliance is replete with acronyms. In addition to DSS (see discussion above), there's PCI PED, which covers the security requirements for PIN entry devices; and there's PCI PA-DSS, which covers payment application software (the POS software and payment terminal applications that handle card data). Not surprisingly, each comes with specific PCI standards (mandates) that govern retailer operations.

July 1, 2010, is a crucial deadline for all PIN entry devices, after which they must encrypt PIN blocks with Triple DES (TDES) rather than the older single-DES keys, which are no longer considered adequate protection. NACS recommends that you engage your dispenser manufacturer to confirm that you will be in compliance and to ascertain the steps you might need to take — either upgrade or replace your dispensers — to get on track now.

Step 2: Contact Your Bank Processor or Provider
While self-assessment familiarizes you with your systems, rely on your processor to help you wade through the details.

Ask for an explanation of your merchant level and how PCI affects your business, as well as the steps you need to take to achieve compliance. Repeat the process if you have multiple processors, asking them to verify their PCI compliance. At every step, document your conversations.

This step can be more complicated than it seems, and it may also require legal assistance to determine your responsibilities. We're an industry with an inherently complex system, one involving jobbers, dealers and owners. As such, the lines of liability are often difficult to ascertain.

"If you're branded, look at your jobber contract," said Davis. "If you're unbranded, look at your processor contract. There's a big difference — you need to check your contracts and get things in writing."

Not knowing that you were responsible is never a solid defense to liability.

Step 3: Scrutinize Your Systems
Working with the details you uncovered during step two, conduct a thorough inventory of your payment systems, including PIN pads (inside and outside), POS and networks.

"Perform a visual inspection of every PIN entry device, including their serial numbers," instructed Davis. "Skimmers are the biggest security risk we face." In fact, this part of the process cannot be overemphasized.
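The inspection Davis describes only catches a substituted or relocated PIN pad if the serial numbers and seals you observe are compared against what was recorded at install time. The script below is an added example of that reconciliation, not code from NACS, the article or any vendor; the `Device` fields, model names, locations and serial numbers are constructed sample data, and it goes slightly beyond the text by also flagging devices that appear at no baseline location and baseline devices nobody inspected.

```python
"""Reconcile a field inspection of PIN entry devices against the baseline inventory.

Added example (not NACS's or any vendor's code). Every location, model and
serial number below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    location: str     # where the device is installed, e.g. "pump-3" (assumed naming)
    model: str        # manufacturer model designation (assumed)
    serial: str       # serial number read from the device label
    seal_intact: bool # tamper-evident seal observed intact


# Baseline recorded when the devices were installed (constructed sample data).
BASELINE = [
    Device("pump-1", "ModelA", "SN-0001", True),
    Device("pump-2", "ModelA", "SN-0002", True),
    Device("pump-3", "ModelA", "SN-0003", True),
    Device("register-1", "ModelB", "SN-1001", True),
]

# What the inspector actually recorded this week (constructed sample data).
INSPECTION = [
    Device("pump-1", "ModelA", "SN-0001", True),
    Device("pump-2", "ModelA", "SN-0003", True),      # carries pump-3's serial
    Device("pump-3", "ModelA", "SN-0002", True),      # carries pump-2's serial
    Device("register-1", "ModelB", "SN-9999", False), # unknown serial, seal broken
    Device("register-2", "ModelB", "SN-1002", True),  # no such location in baseline
]


def reconcile(baseline, inspection):
    """Compare an inspection against the baseline.

    Returns a sorted list of (location, finding) tuples; an empty list means
    every device was where the baseline says it should be, with its seal intact.
    """
    base_by_loc = {d.location: d for d in baseline}
    base_loc_by_serial = {d.serial: d.location for d in baseline}
    inspected_locs = set()
    findings = []

    for obs in inspection:
        inspected_locs.add(obs.location)
        expected = base_by_loc.get(obs.location)
        if expected is None:
            findings.append((obs.location, "device not in baseline inventory"))
        elif obs.serial != expected.serial:
            if obs.serial in base_loc_by_serial:
                # A known serial at the wrong location: devices moved or swapped.
                findings.append((obs.location,
                                 f"serial {obs.serial} belongs at "
                                 f"{base_loc_by_serial[obs.serial]} (device moved or swapped)"))
            else:
                # A serial the baseline has never seen: possible substitution.
                findings.append((obs.location,
                                 f"unknown serial {obs.serial}, expected {expected.serial} "
                                 "(possible device substitution)"))
        elif obs.model != expected.model:
            findings.append((obs.location,
                             f"model {obs.model} differs from baseline {expected.model}"))
        if not obs.seal_intact:
            findings.append((obs.location, "tamper seal broken or missing"))

    # Anything in the baseline that nobody looked at is itself a finding.
    for loc in base_by_loc:
        if loc not in inspected_locs:
            findings.append((loc, "device in baseline was not inspected"))

    return sorted(findings)


if __name__ == "__main__":
    for location, finding in reconcile(BASELINE, INSPECTION):
        print(f"{location}: {finding}")
```

Treat any non-empty result as a reason to take the device out of service until a technician has confirmed what it is; a "not inspected" finding is a gap in the walk-through, not a clean bill of health.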

"Magnetic-stripe skimmers represent a significant threat to petroleum retailers," said Huguelet. "There have been numerous cases where a group of sophisticated criminals have engineered an overlay card reader that is tailored to the design of a particular dispenser or outside payment terminal model. They have then attached these skimmers to capture the card information of consumers using their payment cards for a legitimate transaction. This information is stored within the skimmer and then retrieved at a later date by the criminals."

For some, it's a game of cat-and-mouse that requires constant evaluation and proactive efforts.

"The crooks are definitely getting smarter and will go after processors, dispensers and points inside stores," said Pat Raycroft, founding partner at W. Capra, a retail technology consulting firm. "That means we need to keep operating smarter and stay in front of potential threats."

With innovation in mind, Huguelet cited companies such as Gilbarco as having developed a secure card reader, Secure FlexPay, that thwarts skimming attacks. But for now, they're optional.

"These secure card readers are not currently required by any PCI rule or card brand mandate," said Huguelet. "However, with the forthcoming announcement of the new PCI Unattended Payment Terminal (UPT) specifications, there will then be requirements that outline necessary protections for the card reader itself. [Because of that, before] retailers invest in any data security-related remediation for their dispensers, they should engage in a detailed dialog with their dispenser and OPT manufacturers so they can fully understand how their products will (or won't) meet the upcoming PCI UPT requirements."

A PCI UPT standard has been discussed for two years but has not yet been released by the card brands.

Step 4: Contact Your System Vendors
Obtain written verification from your vendors that your entire system is PCI compliant (depending on the component, PCI DSS, PCI PED or PCI PA-DSS will apply).

For those items that are not compliant, obtain written instructions as to what steps you must take to attain compliance.

Step 5: Self-Assess
The PCI Security Standards Council Web site — www.pcisecuritystandards.org — provides a self-assessment questionnaire that you can use to analyze your system. In addition, NACS has partnered with TurboPCI to offer its TurboPCI Easy Workbook (see page 16 for more information).

Step 6: Remedy Security Gaps ASAP
After completing the self-assessment in Step 5, consult an experienced PCI expert to help you plug any security gaps in your system.

Step 7: Obtain an External Audit and Security Scan
Hire a QSA to perform the on-site assessment of your system and an Approved Scanning Vendor (ASV) to perform the external vulnerability scan. Together they will verify that the most up-to-date procedures (and those required by the card brands) are in place.

Step 8: Fix Any Remaining Items
Fix any remaining vulnerabilities and plan for continual adherence to the security standards — data security requires your ongoing attention.

"PCI is a circle, you can't do it one time," suggested Stewart. "Building a secure infrastructure is ongoing, the assessments are ongoing and are required to secure your data." She explained that the standards (mandates) are constantly evolving to reflect new technologies and practices.

"We have to be careful because it's changing so fast and the liability is on us at every level," said Stewart. "The self-assessment has already changed multiple times. Somebody at your company has to be responsible for keeping up, or you should outsource the job. [Always] protect your data."

Back to the Game
In the meantime, details of the Heartland breach will continue to unfold, and news of legal settlements and verdicts will cast public scrutiny on practices that involve your operations.

While things might look daunting — as they undoubtedly do in the soccer world for my nephew and his teammates — you can gain experience and develop skills that will enable you to expect — and not just hope for — victory.

Everyone’s rooting for you.

Jerry Soverinsky is a Chicago-based freelance writer and a NACS Magazine contributing writer.