QUESTION & ANSWER
Cybersecurity expert sees PCI DSS problems ahead for retailers

By Robert Westervelt, News Editor
18 Nov 2008 | SearchSecurity.com


It could cost millions of dollars for retailers to rip and replace outdated systems and devices still using Wired Equivalent Privacy (WEP) to secure 802.11 wireless networks, according to a security expert tracking cybersecurity in the retail industry. Howard Glavin, principal consultant and manager of governance services for IBM's Internet Security Systems' X-Force security team, said retailers need to take a mixture of practical and technical steps to secure systems from the biggest threat to their business: insiders. Glavin was a special agent in the FBI for 28 years, where he helped create the bureau's computer crimes investigative unit. He currently advises retailers for IBM's ISS business unit on how they can protect themselves from data breaches and compliance violations.

The big-box retailers are slower in deploying new technologies. Does that include security?

Howard Glavin: Something a medium-sized store can do and not break the bank, like putting in a low-end firewall at each of the registers, which would cost $100 a register, is very different from a big-box store perspective. If you're talking about 50 registers, that is not a lot of money. If you're dealing with the big-box stores out there today, you're talking into the billions of dollars. Fiscally, it has to be spent properly. The other thing they've got at the large big-box stores is the longevity they've got to meet. It may take them 18-24 months just to roll it all out. I don't think they are reluctant to do security. I think what you see is them spending their money wisely and rolling it out in a very predetermined form, due to the accountability they have to the large corporation.

Is the threat landscape different for retailers? Is there a unique threat profile for retailers?
Glavin: Of the frauds occurring today, 70% are credit card frauds. Of those credit card frauds, 60% of the ones that steal large volumes of data are inside out -- inside third parties and actual employees. The bigger you are, the greater the potential there is to have your data stolen. What a lot of companies spend a tremendous amount of money doing is protecting against the external threat. Yet when I go back, I've been finding that 92% is insider. Social engineering or some other method is used, but [hackers] get the information from somebody on the inside to get the data outside. That's holding true to form today, and the credit card industry is saying the same thing.

Right now the biggest losses are occurring because of trusted third parties that are doing servicing for the big-box stores or any retail-type industry. Retail by its very nature is very exposed because they have more places for loss to occur.

Aren't most retailers currently using a lot of third parties for services and technology?
Glavin: They do, and they don't understand the risks associated with it. If you're bringing in that third party and you don't know who they are, you may be bringing in somebody that really is just a startup. Depending on the size of the retailer, they likely don't have the expertise to do networking, and they're hiring anybody they can get for the least amount of dollars, thinking they can do it securely. These people for the most part aren't honest. Take call centers with the big-box stores: if a call center employee can get a credit card number and security code number and they only steal one or two a month, they can augment their income anywhere from $300-$600 a month. That's tax-free money in the door. As the economy turns more sour and the markets don't turn quickly, you're going to see more retail theft. That's going to cause the costs to go up and the profit margins to go down, and it's going to hold the economy down.

What would be a red flag if you bring in a third party?
Glavin: If I were bringing in a third party, the first thing I would have them do is sign my information users' policy. That would obligate them literally in writing, by contract, that they were going to abide by all my practices and procedures. The first red flag is when they come in and say they are not going to sign individually. If all their contracts hold them harmless and they're not going to join you as far as your liability, that's another red flag. If they come in and say they operate in a secure manner, and you say, "Show me your client base," and they say, "No," that's another red flag. Any time I'm going to hire anybody, sitting there as a CISO in any company, one of the questions I ask is for three or four recommendations from their client base. I want three that are going to be positive and I want a negative one. If they're not willing to give me that one that's kicked them out, I'm not willing to do business with them.

Let's talk about point-of-sale systems. Can you talk about how companies should standardize on point-of-sale systems?
Glavin: There are requirements coming down out of the Payment Card Industry (PCI) Council that are going to dictate the type of device you have to use; not by brand or manufacturer, but by how it is protected. Simple little things, such as: if the case is opened, the chip fries and there's no way to use it. Because the bad guys are stealing them, remanufacturing them and putting memory chips in them, which allows them to steal the data after the fact. The other thing about point-of-sale devices, particularly if you go around the globe, is they're all different. Europe thought chip and PIN was going to be the panacea of POS devices and stop the fraud; in fact, they found that the same day it was released there were frauds occurring. The criminal element is out in front of this, so you have to use common sense. Everybody thinks technology solves a problem; technology doesn't do anything except compound common sense needs.

The PCI Council is requiring the use of 802.1X as an appropriate level of wireless security. Is that going to be a problem for retailers?
Glavin: They said that anything using WEP encryption that people already have deployed will come to end of life in 2010. For any new companies attempting to deploy it, it comes to end of life in 2009. WEP devices will not be permitted after that time. The applications behind WEP and the ability to break that technology are so prevalent that it is becoming trivial. Every big-box store is going to have a huge problem with this because most of them are running a Symbol technology or an actual 802.11, and it's not only for wireless, it's for anything that is running WEP.

Why are companies still using WEP in the first place?
Glavin: They have wireless devices out there that won't support anything but that. If you take anybody that has global stores, how many billions of dollars are they going to spend in the replacement of that hardware? A large store may have 50 wireless devices in it.
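A practical first step for the WEP migration Glavin describes is an inventory of what the stores' access points actually advertise. The script below is an added example for this page (not code from the article, IBM ISS or the PCI Council): it parses the output of `iw dev wlan0 scan` and classifies each access point. The scan text is constructed for the example. The classification rule, that an AP with the Privacy capability bit set but no RSN (WPA2) and no WPA information element is running WEP, is the same inference wireless scanners such as airodump-ng make. Marking WPA/TKIP as "weak" is a stricter threshold of my own, beyond the WEP prohibition the page describes.

```python
"""Classify access points from `iw dev <iface> scan` output and flag the ones a
cardholder-data environment should not be running (added example).

Rule: Privacy bit set, no RSN and no WPA information element  -> WEP.
      RSN with CCMP                                            -> fine.
      WPA (v1) / TKIP-only                                     -> weak (my own threshold).
      No Privacy bit and no IE                                 -> open."""
import re
from dataclasses import dataclass, field

# Constructed, trimmed sample of `iw dev wlan0 scan` output; not a real capture.
SAMPLE_SCAN = """\
BSS 00:11:22:33:44:55(on wlan0)
    freq: 2412
    capability: ESS Privacy ShortSlotTime (0x0411)
    signal: -45.00 dBm
    SSID: STORE-POS-LEGACY
BSS 66:77:88:99:aa:bb(on wlan0)
    freq: 2437
    capability: ESS Privacy ShortPreamble ShortSlotTime (0x0431)
    signal: -60.00 dBm
    SSID: STORE-POS
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
         * Authentication suites: IEEE 802.1X
BSS cc:dd:ee:ff:00:11(on wlan0)
    freq: 2462
    capability: ESS Privacy ShortSlotTime (0x0411)
    signal: -70.00 dBm
    SSID: STORE-HANDHELD
    WPA:     * Version: 1
         * Group cipher: TKIP
         * Pairwise ciphers: TKIP
         * Authentication suites: PSK
BSS 22:33:44:55:66:77(on wlan0)
    freq: 2412
    capability: ESS ShortSlotTime (0x0401)
    signal: -55.00 dBm
    SSID: STORE-GUEST
"""


@dataclass
class Network:
    bssid: str
    ssid: str = ""
    privacy: bool = False                     # Privacy bit in the capability field
    ies: dict = field(default_factory=dict)   # "RSN"/"WPA" -> {"pairwise": [...], "auth": [...]}


def parse_iw_scan(text):
    """Parse the subset of `iw ... scan` output needed to judge encryption."""
    nets, cur, ie = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"BSS ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", line)
        if m:
            cur, ie = Network(bssid=m.group(1)), None
            nets.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("SSID:"):
            cur.ssid = line[len("SSID:"):].strip()
        elif line.startswith("capability:"):
            cur.privacy = "Privacy" in line.split()
        elif line.startswith(("RSN:", "WPA:")):
            ie = line[:3]                     # start of an RSN or WPA IE block
            cur.ies[ie] = {"pairwise": [], "auth": []}
        elif ie and line.startswith("* Pairwise ciphers:"):
            cur.ies[ie]["pairwise"] += line.split(":", 1)[1].split()
        elif ie and line.startswith("* Authentication suites:"):
            cur.ies[ie]["auth"].append(line.split(":", 1)[1].strip())
        elif not line.startswith("*"):
            ie = None                         # left the IE block
    return nets


def classify(net):
    """Return (label, verdict); verdict is 'ok', 'weak', 'prohibited' or 'open'."""
    if "RSN" in net.ies:
        enterprise = any("802.1X" in a for a in net.ies["RSN"]["auth"])
        label = "WPA2-Enterprise" if enterprise else "WPA2-PSK"
        if "CCMP" not in net.ies["RSN"]["pairwise"]:   # RSN but TKIP only
            return label + " (TKIP only)", "weak"
        return label, "ok"
    if "WPA" in net.ies:
        return "WPA (TKIP)", "weak"
    if net.privacy:
        return "WEP", "prohibited"            # Privacy bit without RSN/WPA IE
    return "OPEN", "open"


def audit(scan_text):
    """Map each SSID to its (label, verdict); WEP and open APs are findings."""
    return {n.ssid: classify(n) for n in parse_iw_scan(scan_text)}


if __name__ == "__main__":
    for ssid, (label, verdict) in audit(SAMPLE_SCAN).items():
        print(f"{verdict:10} {label:24} {ssid}")
```

Run it against a live scan with `iw dev wlan0 scan | python3 wep_audit.py` after replacing `SAMPLE_SCAN` with `sys.stdin.read()`; any "prohibited" line is a device that has to be replaced or re-provisioned before the deadlines Glavin cites, and the BSSID tells you which one.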


Copyright 2003 - 2009, TechTarget