"The fact is, the criminal who develops a targeted attack is wilier and more patient than the average work-a-day phisherman. He's spent time learning about your organization, about your employees, about your business partners. He's worked out ways to sneak around the major players in your defense —spam filters, firewalls, endpoint security, SSL encryption, up-to-date anti-virus software —and slip in through the tiny cracks. Thus to thwart targeted attacks, you need to find those little cracks and fill them."
"The fact is, the criminal who develops a targeted attack is wilier and more patient than the average work-a-day phisherman. He's spent time learning about your organization, about your employees, about your business partners. He's worked out ways to sneak around the major players in your defense —spam filters, firewalls, endpoint security, SSL encryption, up-to-date anti-virus software —and slip in through the tiny cracks. Thus to thwart targeted attacks, you need to find those little cracks and fill them."Excerpt from Sara Peters, "The Devil's in the Details and the DLLs," Alert newsletter, Computer Security Institute, August 2007 (www.gocsi.com).
When online natural products retailer Aspen Grove Market closed up shop in January 2008, not only were company directors saddened by going out of business, but, to add insult to injury, hackers stole customers' credit card information. Executives at the Boulder, Colo.-based company were not at liberty to discuss the case with The Natural Foods Merchandiser because of the ongoing FBI investigation, but the incident raises the question: How secure is your customer database?
Perhaps the best case study for retailer vulnerability from credit card theft is the TJX security breach. The incident, now categorized as the largest customer-data breach in history, happened because of outdated and poorly managed systems at the Framingham, Mass.-based parent company of TJMaxx, Marshalls and HomeGoods. Early accounts recorded the theft as encompassing 45 million records, but recent estimates were as high as 94 million records of credit and debit cards.
In all, the theft translated to about $100 for each lost record for TJX as a result of stock declines and related charges, including fines, legal fees, notification expenses and brand impairment, according to IPLocks, a compliance and database security company based in San Jose, Calif. It was a high price to pay, but worse yet: Because TJX delayed informing customers for a month, a slew of class-action lawsuits were filed for additional tens of millions of dollars from dozens of American states, the United Kingdom and six Canadian provinces.
"Unauthorized access and use of retailers' customer data is a double hit —first to our customers but also to retailers themselves," says Joseph LaRocca, National Retail Federation vice president for loss and prevention. "The minute customers stop trusting a retailer with [their] personal information, that retailer is doomed to fail."
There are differing opinions on how to solve the problem of credit card theft. Visa has implemented the Payment Card Industry Data Security compliance rules (see sidebar). By the end of 2007, retailers that accept Visa were supposed to be compliant with the standards. Until recently, the primary focus was on large- and mid-scale retailers, called Level 1 and 2. Now Visa is shifting its attention to e-commerce and Level 3 and smaller Level 4 retailers (see table). Level 4 merchants, 6 million in number, process 32 percent of all Visa transactions, second to Level 1 merchants.
NRF Chief Information Officer David Hogan questions whether the often expensive and confusing PCI standard is the real solution. "If the goal is to make credit card data less vulnerable, the ultimate solution is to stop requiring merchants to store card data in the first place,"?he says. "Instead of making the industry jump through hoops to create an impenetrable fortress, retailers want to eliminate the incentive for hackers to break into their systems in the first place."
Credit card companies typically require retailers to store credit card numbers anywhere from one year to 18 months to satisfy card-company retrieval requests. NRF suggests that retailers should have a choice whether they want to store credit card numbers at all.?"Credit card companies and their banks should provide merchants with the option of keeping nothing more than the authorization code provided at the time of sale and a truncated receipt," Hogan says, "rather than requiring merchants to keep reams of data for an extended period of time, which puts retail customers at unnecessary risk."
It's all about data storage, agrees Fred Thiele, chief operating officer for Laconic Security, a Colorado-based information-security consulting firm. For this reason, Thiele and other security experts say it's important to first determine where your business is most at risk. For instance, is it wireless-technology systems, application security or data encryption? Thiele says the increased use of point-of-sale terminals connected to high-speed Internet and wireless technology leaves retailers of all sizes exposed to potential theft, especially if the POS systems are outdated. This is where seeking advice from a consulting firm may be the best use of resources.
Thiele warns, though, don't overspend. In some cases, the first step may be as simple and inexpensive as making sure servers are locked in a secure room, and cutting off systems that store data. Start by thinking about exactly where all those credit card numbers might be stored —perhaps on personal computers, inside spreadsheets and in all those backup tapes, says Tom Wager, chief financial officer for Laconic Security. "Ask, ?What is the absolute minimum amount of data I need to do my business?' ... Then start shredding and purging."
If all this seems to be confusing, consider that the initial costs for securing your IT systems far outweigh the financial weight of trying to correct a data breach. The cost for developing a security system varies by company size, but most companies spend between 1 percent and 5 percent of their overall IT budget on security, according to the Computer Security Institute. In contrast, a data breach ranges from $90 to $305 per lost record. And the damage to your reputation is far more difficult to regain. Security experts ask, what can happen if you fail to implement IT security rules? The answer: Ask TJX.
Kimberly Lord Stewart is a Longmont, Colo.-based freelance writer.
Natural Foods Merchandiser volume XXIX/number 4/p. 12,15