Into the Data Breach One More Time

By George Anderson

And yet again, an American retailer and its customers go down the road of
data theft. In this case, the retailer is Advance Auto Parts and the most recent
hack affected 56,000 of its shoppers in eight states – Georgia, Indiana, Louisiana,
Mississippi, New York, Ohio, Tennessee and Virginia. Luckily, the customers
from the stores in question represent a small portion of the total shoppers
that frequent the chain’s 3,261 stores across the country.

The discovery of the breach, as with those at other retailers, has prompted
Advance to reassess its security measures. Others, at the same time, are once
again questioning if Payment Card Industry (PCI) compliance standards are either
fair or effective.

In a recent interview with RIS News, Dave Hogan, senior vice president
and chief information officer with the National Retail Federation (NRF), expressed
the view that more secure forms of payment such as “Chip & Pin” were available
and proven in reducing fraud. He suggested that card associations should “provide
(at no cost to the merchant) card readers that can accept these new types of
cards.”

Branden Williams, director of PCI practice for VeriSign Global Security Consulting,
took issue with Mr. Hogan’s position. Regarding “Chip & Pin,” Mr. Williams
told RIS News it “slows down the bad guys, but does not stop them. Besides,
there is an issue with Chip & Pin in the United States – acceptance! What good
is a reader if no one carries the card to use them? I seriously doubt that
the card associations would pay for the terminals. Even if they did, retailers
will likely have to do major alterations to their software to be able to handle
both types of transactions in parallel. How about we just spend a little bit
of time securing the data in flight?”

Mr. Hogan also took issue with the amount of data that merchants are required
to keep by banks. He called on financial institutions to “state that ‘Retailers
have the option to no longer store credit card data and they will not be penalized
for not keeping credit card data.’”

Discussion Questions: Are Dave Hogan’s criticisms of the PCI system valid?
Should the industry be moving to an alternate transaction form such as “Chip & Pin” as used
in Europe? Are banks requiring retailers to hold onto reams of data that are
unnecessary and costly to both the merchant and consumer?

Evan Schuman
16 years ago

To answer your question, yes, Hogan’s concerns are quite reasonable. Much of this, though, is a lot of agreement on the easy issues. There are few who truly argue with the following:

1) PCI is not perfect and retailers who are fully compliant are still fully vulnerable. Even PCI’s backers agree with this. PCI was never intended to be perfect security. PCI was never intended to be anything beyond a good starting point.
2) PCI has absolutely improved retail security today. Again, this is pretty much unanimous. It’s not gone nearly far enough, but any movement forward is good.
3) Banks are, for the most part, much better choices than retailers to store sensitive payment data. Again, no one ultimately quarrels with this. The issue involves infrastructure, politics and business costs. To make this transition would require tons of agreement from people who are not motivated to make such agreements. So arguing that it’s better doesn’t help much if it can’t be done given the powers that be.
4) Chip and PIN is more secure than what much of the U.S. is doing. True. But Chip and PIN–as it’s deployed in the U.K.–also has many issues. Making the transition would be costly, would meet with substantial infrastructure resistance AND it would still leave retailers far more exposed than is desirable. For the same extreme effort and cost, we could probably come up with a more secure approach.

It’s also true that if all retailers strictly adhered to the common-sense rules (no default passwords, examine traffic logs routinely and seriously, strictly enforce procedures, etc.), we’d also be far better off.

This, however, doesn’t address the Hannaford scenario where–based on currently available information–we have a retailer that indeed appeared to abide by all of the rules and still got burned by some aggressive cyber thieves. That’s the more rare but far more frightening scenario.

Toni Rahlf
16 years ago

The Government will keep refreshing our U.S. printed currency because people keep figuring out ways to counterfeit it. Banks keep coming up with new payment technology because people keep finding ways to hack it.

We can’t expect that chip & pin will solve everything, because it won’t. But, if it offers any improvement in security, why wouldn’t we move in that direction?

Gordon Arnold
16 years ago

Drugs, prostitution and gambling will need to make room for another multi-billion dollar industry. Identity theft is moving to the top of the heap of very profitable crime at an epidemic pace. The rapid growth of this industry is an eye opener.

This problem, when looked at as a whole, demonstrates a well planned effort on a global scale by one or more criminal organizations. The amounts of information being stolen from many different elements of society and the means by which the data is taken clearly suggests much more than a brainiac hacker is necessary for this scale of accomplishment.

A first step to create the means to stem this criminal effort would be to call it what it is, Data Mining Operations, not hacking. I am in full agreement with Mr. Branden Williams of VeriSign who, in his final remark for this story, recommended stronger data security efforts be put in place. This means spending money on the technology that exists to secure data and spending money to develop stronger technologies to further reduce risk. If the company cannot afford to protect the identities of their customers they need to either outsource the effort to responsible corporations designed just for the effort or get out of IT Marketing. Corporations are putting themselves at serious risk of litigating directly against their customers and the insurance industry, both of which pay for these unnecessary thefts.

Mark Burr
16 years ago

Retailers should do the work necessary to ensure their customers’ payment integrity. If they don’t, they should be exposed as this one has been and as Hannaford was. Sure, there may always be breaches; however, I don’t see this effort falling as a high priority with retailers.

Penalties should be swift, stiff and sure to insist upon compliance. Consumers should be able to shop with confidence. Consumers should also be made aware by media and other methods when their confidence is broken.

It’s easy to say that other methods may be better. However, when minimum requirements haven’t been met, it’s always easier to distract with better choices. Do the work first, create a base of security, then work towards continuous improvement. Simply looking for better solutions without taking care of the matter at hand is no excuse.

As these instances become more and more prevalent, consumers will have yet another ‘reason’ to add to their own value quotient when choosing a retailer. Thinking that this is not a serious consideration by consumers, even more so as each day goes by, is at your own peril.

Do the work your consumers expect of you. It should be a very minimum expectation of your consumers that their integrity is protected.

Cathy Hotka
16 years ago

Retailers (and others) have to stop complaining about PCI, and start investing in data security tools that will protect them against organized crime. Many CIOs report that they struggle to obtain security funding from top management, while making do with considerably less IT money than other industries enjoy. Retail CEOs are going to have to make a decision about whether they really want to be safe from Russian hacker gangs and others, or not.

Evan Schuman
16 years ago

This just in. Seems that the retailer here was not only not PCI compliant, but much of the stolen data was unencrypted and from 2001 through 2004, which shouldn’t have been retained at all. *sigh*

Mark Lilien
16 years ago

PCI compliance is only a beginning. It was never sold as the one-stop total 100% perfect solution. Many retailers who haven’t been publicly hacked simply reach for the minimum security solution. After all, it’s part of their culture: they pay their folks the minimum, they pay their suppliers the minimum, they give their customers the minimum service they can get away with. So why should their security standards exceed the minimum?