Retail chain Harvey Nichols has spoken out about the importance of complying with new PCI DSS regulations in a session at the Infosec 2010 conference.
Matthew Suddock, who manages infrastructure for the firm, said that the number of mainstream scandals relating to insecure payment card information was increasing at an unacceptable rate, citing the recent scandal involving retailer TJX as a prime example of the damage that can be done.
Mr Suddock said that TJX had lost over £73 million as a result of a serious data security breach, during which customer payment card details were stolen. Mr Suddock pointed out that there was no firm large enough to take this kind of financial hit and not feel the effects in the longer term.
It has taken two and a half years for Harvey Nichols to alter its payment card systems in order to ensure full compliance with PCI DSS and Mr Suddock said that it now has several different safeguards in place to ensure that it does not suffer a similarly damaging data loss disaster.
Harvey Nichols no longer stores as many personal details relating to its customers, and the data which it does retain is not held for an unnecessarily long period, according to Mr Suddock. This is just one of the significant changes in practice that has been driven by PCI DSS adherence.
Card details are never stored in whole on any system, and information is separated into non-transferable systems, so that data recorded at a till cannot subsequently be passed on to a wireless network, or any other portion of the internal systems, minimising the risk of it being stolen in transit.
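The two practices described above, keeping less customer data and never holding a card number in full, can be shown in code. The following is an added example, not code from the article or from Harvey Nichols: a till-side record builder that Luhn-checks the PAN, keeps only the first six and last four digits, derives a keyed HMAC reference so a returning card can be recognised without storing the number, and purges records past a retention period. The sample PAN is a well-known test number, the retention period and the `LOOKUP_KEY` value are assumptions, and in a real deployment the key would be held by a separate key-management service rather than in the code.

```python
import hashlib
import hmac
from datetime import datetime, timedelta

# Constructed key for this example only. In practice the key lives in an HSM or
# a separate key-management service, never in the same store as the records.
LOOKUP_KEY = b"example-hmac-key-held-by-a-separate-service"

# Assumed business retention period; PCI DSS requires a defined, justified limit
# rather than prescribing a number of days.
RETENTION_DAYS = 90


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test: rejects mistyped or corrupted PANs before anything is stored."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; everything in between is masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_reference(pan: str, key: bytes = LOOKUP_KEY) -> str:
    """Keyed hash used to recognise a returning card without storing the PAN.

    A plain (unkeyed) hash would not be safe next to a truncated PAN: with the
    first six and last four digits known, only the masked middle digits are
    unknown, and that small space can be enumerated to recover the full number.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def record_sale(pan: str, amount_pence: int, recorded_at: str) -> dict:
    """Build the only record the till is allowed to keep: no full PAN, no CVV, no track data."""
    if not luhn_valid(pan):
        raise ValueError("PAN failed Luhn check")
    return {
        "masked_pan": truncate_pan(pan),
        "card_ref": pan_reference(pan),
        "amount_pence": amount_pence,
        "recorded_at": recorded_at,   # ISO 8601 timestamp
    }


def purge_expired(records: list, now_iso: str, retention_days: int = RETENTION_DAYS) -> list:
    """Return only the records still inside the retention window."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=retention_days)
    return [r for r in records if datetime.fromisoformat(r["recorded_at"]) >= cutoff]


if __name__ == "__main__":
    # Constructed input: a standard Luhn-valid test PAN, not a real card.
    rec = record_sale("4111111111111111", 1999, "2010-06-01T10:15:00")
    print(rec)
    old = record_sale("4111111111111111", 500, "2010-01-05T09:00:00")
    print(purge_expired([rec, old], "2010-06-02T00:00:00"))
```

The record never contains the full PAN, so a compromise of the till's storage yields only masked numbers and HMAC values that are useless without the separately held key; the retention purge is what keeps the data set from growing into the "unnecessarily long" holding period the article warns about.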
Tills themselves are now subject to continuous patching and update, with firewalls and antivirus software keeping them free from infection, whilst each area of the system is managed independently to avoid any chance of it becoming compromised.
Mr Suddock said that the major barrier to these changes had been the habits formed by staff over years in which insufficient safety measures were in place and that upgrading the systems was far easier than changing policy and practice.
A survey has found that the majority of people who have lost money as the result of credit card fraud or identity theft blame the retailers and businesses that handle their details for the loss.
1000 London commuters were interviewed in an Infosecurity study, which found that 44 per cent of them had experienced some kind of monetary theft as a result of payment card data and personal information being lost or illicitly obtained by criminals.
On average, consumers who are hit by fraud will lose £1448 each, with more than 37 per cent of those affected unable to secure reimbursement from their banks. This rises still higher for amounts under £100, which are clearly seen by many financial institutions as insignificant.
The survey showed that the blame was rarely placed on banks, with 60 per cent of respondents believing retail firms to be responsible for their loss. A fifth said that direct transactions performed in shops were the means by which their payment card details were stolen, suggesting that PCI DSS regulations are not being followed within many businesses.
Consumers admitted that individual carelessness was a significant cause for many cases of fraud, with 28 per cent blaming themselves. This correlates with the 27 per cent who said that phishing sites had tricked them into giving away sensitive information.
Illegally altered cash machines, online banking attacks and phone con schemes accounted for 15 per cent of fraud cases, and 42 per cent of the theft was incurred when the victims were abroad.
Banks were largely willing to reimburse people who had lost amounts over £5000 as a result of data loss and payment card fraud, with 91 per cent of those in this category getting back all of their money.
The impact of this type of fraud is felt by victims on an ongoing basis, with credit ratings taking a hit as soon as fraud has occurred. It is also habit-altering, as 37 per cent said they no longer used their bank’s online services for fear of further incidents.
Businesses that currently operate older WEP security on their wireless networks are required to upgrade to WPA in order to comply with new Payment Card Industry Data Security Standard (PCI DSS) rules which come into force at the end of June.
Wired Equivalent Privacy (WEP) has been around for years and its relatively low level of security is easily exploited by hackers, as experts say that it takes seconds for malicious parties to crack WEP-protected networks and then steal personal data.
Businesses are required under the new PCI DSS rules to ensure that data which is transferable and accessible wirelessly is properly encrypted and requires thorough authentication before it is made available.
It is explicitly stated that the use of WEP is no longer acceptable and before the deadline of June 30th businesses will need to decommission any WEP protection and replace it with a more secure alternative.
Experts believe that the move away from WEP is a good thing and that WPA can benefit businesses of all kinds, even if PCI DSS does not actually apply to their operations. In an article for Search Security, Mike Chapple said that businesses that currently rely on WEP are doing nothing but presenting a facade of security that is easily breached by someone with only modest hacking skills.
Mr Chapple says that the barriers blocking the switch from WEP to WPA have been virtually eliminated, as hardware is generally compatible with both standards because manufacturers have had six years to adapt products.
Experts warn against complacency in these matters, as even businesses that believe they are properly protected often find that WEP is still being used in certain areas despite the existence of compatible hardware. For others, the time for an upgrade has come in order to avoid falling foul of the PCI DSS.
There is a distinct possibility that some businesses will be inadvertently running WEP, or have a so-called rogue WEP network active, forming a weak link in the chain of data protection.
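Finding a forgotten or rogue WEP network usually comes down to auditing access point configuration. The script below is an added example, not from the article or from any of the experts quoted: it parses hostapd-style `key=value` access point configurations and reports the conditions the article describes, WEP key material still present, an open network, and the legacy WPA/TKIP options that are weaker than WPA2 with CCMP. The four sample configurations are constructed; the key names (`wpa`, `wpa_pairwise`, `rsn_pairwise`, `wep_key0`, `wep_default_key`, `auth_algs`) are hostapd's own.

```python
# Constructed sample access point configurations in hostapd.conf format.
# None of these describe a real site; the WEP key is made up.
SAMPLE_CONFIGS = {
    "till-floor-ap": """
interface=wlan0
ssid=POS-TILLS
hw_mode=g
channel=6
auth_algs=3
wep_default_key=0
wep_key0=5AFF4D2A6B8C3E1F905AD4C7B2
""",
    "office-ap": """
# Corrected configuration: WPA2 only, CCMP only
interface=wlan1
ssid=BACKOFFICE
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct-horse-battery-staple-2010
""",
    "guest-ap": """
interface=wlan2
ssid=GUEST
""",
    "legacy-ap": """
interface=wlan3
ssid=WAREHOUSE
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
wpa_passphrase=warehouse-scanner-net
""",
}


def parse_hostapd(text: str) -> dict:
    """Parse hostapd's key=value lines, ignoring blanks and # comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit(cfg: dict) -> list:
    """Return (severity, message) findings for one access point configuration."""
    findings = []
    has_wep = any(k == "wep_default_key" or k.startswith("wep_key") for k in cfg)
    if has_wep:
        findings.append(("CRITICAL", "WEP key material configured: WEP must be decommissioned on any network carrying cardholder data"))
    # hostapd's wpa= is a bit field: 1 = WPA (version 1), 2 = WPA2/RSN, 3 = both
    wpa = int(cfg.get("wpa") or 0)
    if wpa == 0 and not has_wep:
        findings.append(("CRITICAL", "no wpa= setting and no WEP key: network is open"))
    if wpa & 1:
        findings.append(("WARN", "WPA version 1 enabled; prefer WPA2 only (wpa=2)"))
    ciphers = (cfg.get("wpa_pairwise", "") + " " + cfg.get("rsn_pairwise", "")).upper()
    if "TKIP" in ciphers:
        findings.append(("WARN", "TKIP pairwise cipher allowed; use CCMP only"))
    # auth_algs 2 or 3 permits WEP-style shared-key authentication
    if cfg.get("auth_algs") in ("2", "3"):
        findings.append(("WARN", "shared-key authentication enabled; set auth_algs=1"))
    return findings


def audit_all(configs: dict) -> dict:
    """Audit every named configuration and map name -> findings."""
    return {name: audit(parse_hostapd(text)) for name, text in configs.items()}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_CONFIGS).items():
        status = "OK" if not findings else "; ".join(f"{sev}: {msg}" for sev, msg in findings)
        print(f"{name}: {status}")
```

Run against a directory of exported access point configurations, the same checks give an inventory of which networks still need the WEP-to-WPA change before the deadline, and the `office-ap` entry shows the corrected settings side by side with the weak ones.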
A survey has found that a notable percentage of UK-based businesses are not ready to meet the new PCI DSS regulations, putting many organisations in a position where they may breach new rules which will be gradually applied from June 2010.
A total of 100 firms from various sectors, including retail and finance, were questioned as part of the survey and only 11 were found to be certifiable under PCI DSS regulations.
PCI DSS rules were first proposed in 2004 and the newest changes will require universal compliance by September this year. The biggest players in the industry, including Visa and MasterCard, are all in support of these standards which are intended to cut down on fraud.
Redshift Research published the results of the survey, which was carried out in order to assess the typical attitude towards PCI DSS changes within UK businesses.
An 89 per cent level of non-compliance was indicated by the survey and it was also revealed that over a third of the businesses questioned did not comprehend the necessity of PCI DSS certification.
Many of the businesses that are still unable to meet the PCI DSS are uncertain as to whether they will be able to make the necessary changes before the September deadline.
Redshift Research’s Guy Washer said that his firm approaches many businesses in the course of a typical survey and around 40 per cent of potential respondents turned down the chance to participate, which is nearly twice as many refusals as normal.
Mr Washer believes that many firms were uneasy about participating because they were already aware that their current payment card practices were inadequate in the face of impending industry security improvements.
Under PCI DSS rules, four tiers of responsibility differentiate between the firms processing the largest and smallest number of card transactions annually.
It is believed that whilst larger firms are fully aware of their responsibilities relating to payment card security, small and medium-sized businesses which deal with fewer transactions each year are failing to grasp the changes required under new regulations.
A new study has analysed trends in compliance with the Payment Card Industry Data Security Standard (PCI DSS) and has found that encryption at both ends of any transaction is the best way for vendors and consumers to remain protected.
Research by the Ponemon Institute has found that although general audits find very small numbers of businesses to be in breach of PCI DSS rules, up to 41 per cent are relying on stopgap measures to get through audits, leaving themselves vulnerable when not under scrutiny.
A spokesperson for the Ponemon Institute spoke about the findings of the report, saying that industry experts acknowledged that the diversity of technology and the rigour of the PCI DSS made it difficult for some businesses to comply. In some cases businesses are actually putting their customers’ data at risk because they are too focused on compliance and consequently ignore the more obvious flaws.
The report shows that most believe that businesses have trouble restricting access to customer data when it is necessary to share certain elements within an organisation or amongst multiple parties.
The total protection of payment card information from the end user to the receiving firm and back is always a hot topic and the report found that 60 per cent of experts are convinced that encryption of the data at both ends is the best way in which to ensure the necessary security to meet regulations.
Encryption brings its own problems with it, and the most pressing issue here is how to manage and safeguard the keys which allow businesses access to the payment card information of their customers.
Businesses are being urged to work hard at adhering to the PCI DSS without becoming blinded to data security issues in the wider context. With greater protection for customers, businesses are protecting their own reputations and futures and compliance should go some way towards cutting costs.
Those businesses that pay for independent audits to ensure compliance can spend up to £334,000 each year, although the average is a more manageable £170,000 for the very largest organisations.
After an SME representative spoke out early last week against the enforcement of PCI DSS regulatory measures, saying that they would damage small businesses, security experts have come out to defend the data security standards, although the issue is clearly complex.
Data security expert Jan Fry explained in an interview with SC Magazine that there was growing animosity between credit card companies and smaller businesses, but also said that this mistrust of the security standards came from a lack of comprehension of the terms and implications of the PCI DSS.
Mr Fry said that it was acknowledged by those within the industry that the current standards were not universal in their appropriateness, but that fighting against security standards that are ultimately put in place to protect the consumer could be more damaging to businesses than complying with regulations.
In fact experts were keen to explore the PCI DSS in a way that showed off its flexibility and scalability, with Mr Fry saying that most businesses accept the necessity for adherence because in most cases the benefits outweigh the pitfalls. He also said that there was no reason for small businesses to fear that they would be ‘exterminated’ as a result of non-compliance and derided the partisan attitude taken by a number of PCI DSS’ detractors.
It is accepted that most small businesses are looking to take on the PCI DSS with as little financial impact as possible and in a recent study by Ponemon and Imperva it was discovered that many believed that compliance was an intrinsically expensive procedure, which discouraged business owners from even attempting to follow the guidelines.
Imperva’s Amichai Shulman said that small businesses should consider the PCI DSS as a way of mitigating the risks of security breaches and data loss. He cited a recent hack suffered by an online store which originated from a single insecure application that failed to meet industry standards, making it easy for cybercriminals to steal the payment card details of the site’s customers.
However, Mr Shulman added that credit card companies needed to work with small businesses closely in order to ensure a wider level of acceptance and ultimately better data security for all.