How Retailers Can Avoid Credit Card Data Losses

About 3Delta Systems

3Delta Systems, Inc. (www.3dsi.com) is a payment solutions company that delivers the power of secure, Internet-based purchase and credit card processing solutions to enterprise, business-to-business and business-to-government customers. 3DSI's complete suite of payment solutions, each designed from the ground up to be scalable, easy to implement and conformant with PCI Data Security Standard best practices, enables merchants and buyers to manage, authorize and settle payment transactions in real time. As a leading Software-as-a-Service (SaaS) provider celebrating its 10th anniversary, 3DSI processes more than 6 million payment transactions worth nearly $7 billion for over 2,500 corporations and government agencies each year.

Press Contact:

Audra Capas
703-437-9301

By Aaron Bills, Founder and Chief Operating Officer, 3Delta Systems, Inc.

Retailers today face a "perfect storm" of security threats when it comes to safeguarding sensitive credit card data against internal and external threats - a worsening global economy, a growing underground of cyber criminals intent on stealing confidential customer and payment information, and a greater likelihood of suffering a breach if customer payment data isn't protected properly.

According to leading research organizations that study data theft, breaches are occurring more often and businesses are paying more dearly when their security is compromised. Those who experience a breach may suffer litigation, the loss of existing customer confidence, damage to their brand, the loss of future revenue from customers who take their business elsewhere, and fines by credit card companies for not complying with stringent Payment Card Industry Data Security Standards (PCI DSS).

The PCI standards, which have been adopted worldwide by the major credit card brands, require merchants who process, retain or transmit payment card data to encrypt that data wherever it is stored. They are considered the foremost benchmark for cardholder account security and certify that a payment processor's products and technologies meet the most stringent industry criteria for processing and storing confidential payment data.

Laws in 44 states, the District of Columbia, Puerto Rico and the Virgin Islands also require that consumers be notified if their confidential or personal data has been lost, stolen or compromised. The bad publicity resulting from a breach, however, often makes retailers reluctant to disclose a breach.

Legislation is also pending in Congress that would require federal agencies or businesses to notify both the victims whose personal data has been breached and the media without unreasonable delay, with limited exemptions allowed for law enforcement and national security reasons. Other bills would limit how Social Security numbers are to be used and establish criminal penalties for misuse.

The Ponemon Institute found in its 2008 "U.S. Cost of a Data Breach" study that companies whose data was compromised last year paid an average of $6.65 million, or $202 per customer record, to deal with the consequences of a breach - up from $197 per record in 2007 and $182 in 2006. By comparison, retailers who were breached during 2008 paid an average of $131 per customer record in related costs.

The greatest increase in breach-induced costs was due to lost business and customer turnover - averaging $4.59 million, or $139 per compromised record. Lost business now accounts for 69 percent of data breach costs, up from 65 percent in 2007 and 54 percent in the 2006 study. Insider negligence was responsible in more than 88 percent of all cases.

A study by analyst firm Gartner last year found that nearly half of all retailers they researched had been hit with some kind of information security breach, yet only a small percentage actually reported the attack. Data breaches at retailers were the top cause of credit and debit card theft, accounting for about 20 percent of all incidents.

In its "Report on the Underground Economy," antivirus software vendor Symantec highlights a disturbing new trend in cybercrime: hackers are not only after credit card data, they're also seeking access to payment-processing systems so that they can check whether stolen card numbers being sold on the black market are valid.

In January 2007, the TJX Companies, Inc. - the parent of retail chains T.J. Maxx, Marshalls, HomeGoods and A.J. Wright - reported that cyberthieves had hacked into computer systems that process and store their customers' credit and debit card transactions, checks and merchandise returns. The intrusions, which occurred between 2003 and December 2006, gave hackers access to 94 million customer accounts. TJX estimates the cost of the breach at $256 million for fixing computer systems, dealing with litigation and investigations. This amount also includes a $41 million payment to Visa and $24 million to MasterCard for losses they incurred. Others expect breach-related costs will eventually top $1 billion due to legal settlements and the cost of lost customers.

Last summer, 11 people were indicted in the TJX case - the largest hacking and identity theft case the U.S. Department of Justice has prosecuted thus far.

In March 2008, a security breach at the Hannaford Bros. supermarket chain exposed an estimated 4.2 million card numbers and led to 1,800 cases of fraud. Company officials said credit and debit card numbers were stolen during the card authorization process, affecting all of its 165 stores in the Northeast, 106 Sweetbay stores in Florida and a smaller number of independent groceries that sell Hannaford products.

Even payment processors aren't immune. The massive breach disclosed last month by Heartland Payment Systems is a case in point. After receiving fraudulent activity reports from MasterCard and Visa in October 2008, forensic teams found a piece of malicious software on Heartland's network was recording payment card data as it was being sent to the company for processing by its customers - more than 250,000 businesses, 40 percent of which are small to midsize restaurants across the country. Heartland, which processes about 100 million transactions a month, says it does not know how the software got there, how long it was in place or how many accounts may have been compromised. The stolen data includes customer names, credit and debit card numbers and expiration dates.

It may be some time before the full extent of all these breaches is known, and longer still before investigators catch the perpetrators.

What we do know, however, is that safeguarding credit card data is extraordinarily difficult for merchants when they do it themselves. Even if merchants use state-of-the-art technologies to store payment data internally, they need to minimize, to the greatest extent possible, the points at which that data is handled because the risks and impacts from a security breach can be devastating.

Every retailer who accepts credit cards online, at a store, by mail or by phone must ask themselves how much data should be retained, where it makes the most sense to store that data, and how best to protect it. Safeguarding customer cardholder data and conforming with rigorous PCI-DSS and government rules already in place to ensure merchants keep sensitive information secure is a significant undertaking - a responsibility that grows exponentially the larger a business becomes.

Many retailers have sales channels that require durable, ongoing access to card data - think subscription services or e-commerce websites that offer customers the convenience of storing frequently used account information. Normally, this requires storage of card account values and increases attendant risk.

One of the safest and most direct alternatives is for retailers to eliminate their storage of credit card data altogether. The premise is simple: if businesses don't keep credit card information themselves, there's nothing for hackers to steal. Outsourcing data protection, storage and processing also allows merchants to focus on their core operations while customer credit card information remains safe yet accessible off site. This is accomplished by using technology that creates aliases (often referred to as tokens, keys or reference values) which the retailer stores onsite in place of the actual card data; only the off-site service can resolve an alias back to the card number, and only when a transaction needs it.
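The alias (token) approach described above, and the cards-on-file question in the checklist at the end of this article, as an added example written for this page; it is not 3Delta Systems' or CardVault's code. The vault is a simplified in-memory stand-in for the off-site storage service, the HMAC index key and the card numbers are constructed test values, and the merchant side is shown keeping only the token, the last four digits and the expiry date.

```python
import hashlib
import hmac
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: rejects mistyped numbers before they reach the vault."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in for the off-site storage service; the merchant never sees this state."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key   # keyed fingerprint: not computable from PAN alone
        self._by_token = {}           # token -> (pan, expiry)
        self._by_fingerprint = {}     # HMAC(pan) -> token, so a repeat card reuses its token

    def tokenize(self, pan: str, expiry: str) -> str:
        pan = re.sub(r"\D", "", pan)
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible card number")
        fp = hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()
        if fp in self._by_fingerprint:
            return self._by_fingerprint[fp]
        token = "tok_" + secrets.token_urlsafe(18)   # random alias, unrelated to the PAN
        self._by_token[token] = (pan, expiry)
        self._by_fingerprint[fp] = token
        return token

    def detokenize(self, token: str) -> tuple:
        """Only the vault resolves a token, and only at authorization time."""
        return self._by_token[token]


def store_card_on_file(vault: TokenVault, customer_id: str, pan: str, expiry: str) -> dict:
    """What the merchant keeps: the alias plus non-sensitive display data."""
    token = vault.tokenize(pan, expiry)
    digits = re.sub(r"\D", "", pan)
    return {"customer": customer_id, "token": token, "last4": digits[-4:], "expiry": expiry}


def merchant_db_holds_pan(records: list, pan: str) -> bool:
    """Audit check: does any stored field still contain the full card number?"""
    digits = re.sub(r"\D", "", pan)
    return any(digits in str(v) for r in records for v in r.values())
```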

At 3Delta Systems, we've been securing credit card and other payment data for more than 2,500 companies since 2003 using technologies such as CardVault®, a cost-effective Credit Card and Customer Identification Storage service (CCID) that relieves merchants of the burden of securely storing their customers' card transactions while promoting faster and easier PCI compliance. Technologies such as CardVault are a significant compensating control for PCI compliance, as hundreds of merchants and more than a half-dozen major corporations have learned by using CardVault either as a standalone service or as part of their integrated systems and processes.

I'd be the first to admit that good payment system security is difficult. It's especially difficult in complex systems that allow user access. Like quality improvement efforts in manufacturing environments, data security improvement requires daily vigilance and work. One doesn't "get PCI compliant" automatically, nor should it be considered an annual audit event. PCI compliance is both a fundamental business process and a way of life inside an organization. It's ongoing. It involves continual evaluations of what you're already doing and can still do to become better at database encryption, authentication and securing both data-at-rest and data in motion.

While no payment system on earth is 100% hack-proof, every processor can and should manage the risk of a potential data breach by solving for the concept of "graceful failure." By assuming elements of your system will fail at some point and that perpetrators will gain some form of access, processors must plan for a layered, deep-defense approach to secure their system so that if one safeguard fails, other countermeasures can detect and respond to an attack. That's why we don't rely on a single security technique or technology to protect 3Delta Systems' operations and infrastructure.

While our systems and our customers' data are as secure as we know how to make them using today's technologies, we're always on the lookout for ways to toughen our defenses and get better at what we do. Last year, our business processes, systems and controls were PCI-certified for the fifth year in a row.

But surpassing, not just meeting, the PCI standards needs to be part of our DNA as members of the payment community. Our customers have placed their trust in us, and we strive to fulfill their expectations by sweating the details every day. We find that by embedding the PCI standards and a deep ethic of security awareness throughout 3Delta Systems, our business is better run. And by learning from the very difficult lessons of companies whose data has been breached, we can all improve our own systems and countermeasures industry-wide.

When choosing a credit card processing solution, be sure your service provider can answer best-practices questions like these:

  1. Are their products certified for PCI-DSS and PA-DSS compliance by an independent auditor?
  2. What risk mitigation and business continuity controls do they have in place to protect sensitive financial and cardholder data? For example, do they maintain a secure back-up copy of important customer records? Can they provide detailed logs of transactions? And are those logs and reports accessible to meet the compliance requirements of the Sarbanes-Oxley Act, which requires publicly traded U.S. companies to have appropriate operational and audit controls in place?
  3. Will they help your company securely centralize and monitor business activity?
  4. Do they safely store payment level and receivables information, such as remittance and receipt data to be used for processing payments?
  5. Do they enable customers to safely accept payments in various electronic formats including credit cards and purchase cards over the Internet, phone and other channels?
  6. Do they enable secure, efficient distribution of payables and remittance information to payment processing networks?
  7. Does their solution support secure, real-time or file-based processing of financial data?
  8. For processing credit card payments, do they safely maintain cards-on-file for repeat customers, eliminate data re-entry and enable easy card record updates and additions in real time?
  9. Do they support major card processing platforms and allow card-processing tools to be unbundled from the processing network itself?
  10. Do they provide an integrated, cost-effective tool for outsourced data storage and retrieval, such as Credit Card and Customer Identification Storage service (CCIDs), to relieve merchants of the burden of worrying about whether their confidential and sensitive customer data could be compromised or released in the event of a security breach?