Your Data: Love It or Lose It

As blissful consumers finished their holiday shopping, the TJXCompanies and Visa were putting the finishing touches on a financial settlement for the massive, record-breaking, headline-stealing security breach discovered nearly a year earlier.

For the better part of 2007, TJXwas raked over the coals for allowing hackers to penetrate its network over a three-year period and pilfer more than 94 million credit card records—the worst security breach in the history of the Internet to date. Visa praised TJX—Framingham, Mass.-based parent company of such well-known retail brands as T.J. Maxx, Marshalls and HomeGoods—for resolving its security measures and creating a $41 million settlement fund to compensate nearly 95 percent of the affected customers and banks.

“We are pleased with the overwhelming response from issuers and appreciate the cooperation TJXhas shown during this process,” said Ellen Richey, head of global risk management for Visa, in a joint statement released with TJXin December. “The alternative recovery solution Visa and TJXdelivered to the marketplace demonstrates how payment system participants can resolve differences for the benefit of the entire system.”

Part of the settlement requires TJXto act as a promoter—at least four times this year—of the Payment Card Industry Data Security Standard (PCI DSS, commonly referred to as PCI). This means TJXexecutives or representatives will take to the stump to endorse and evangelize the standard that they willfully ignored by not upgrading the company’s wireless network security from the obsolete Wired-Equivalent Privacy (WEP) encryption to the more secure Wi-Fi Protected Access (WPA) encryption. If TJXhad implemented some basic security improvements and complied with the PCI standard when it first received warnings in 2005, the retailer possibly could have staunched the data bleeding through its porous security. At the very least, TJXsecurity and IT staff might have discovered the breach nearly a year earlier.

PCI isn’t impenetrable to hacker attacks and won’t guarantee data protection. It does, however, set a minimum level of protection and assurance for the governance and safeguard of credit card data handled by any organization that accepts credit card payments. While PCI compliance has risen in the wake of the TJXbreach, analysts and standards enforcers agree that there remains a constant tug of war between security and the cost of compliance.

“If you show this to any security person out there, they’ll tell you that there are no alien concepts in this and it is nothing new,” says Bob Russo, general manager for the PCI Security Standards Council, the payment card industry’s outreach arm. “These are best practices in the industry—not just payment card security, but security in general. Whenever somebody says, ‘This is what you should do,’ there is always pushback.”

While 2007 was a record year for both security breaches and compromised data, TJXremains the standout (see “2007: A Year of Record Data Breaches,” p.36. The company declined requests for comment, but its Securities and Exchange Commission filings and legal disclosures associated with a number of lawsuits indicate that the total cost of the security breach could top more than $250 million. According to its third-quarter SEC report, TJXexpects to suffer from the fiscal aftermath of the breach through 2010.

As new deadlines approach and more merchants and retailers fall under PCI’s regulatory scope, TJXserves as the prime example of why compliance is essential. Understanding the standard’s intent, range and mechanics is the beginning of an ongoing process for minimizing the chances of a TJX-like repeat.

Putting PCI Into Practice

While it is unclear how much it would have cost TJXto comply with PCI and put preventive measures in place, it undoubtedly would have been less than the resulting remediation costs, fines and litigation settlements. The takeaway for similar retailers is that preventive measures clearly hit the bottom line less dramatically than the costs of delaying or ignoring security improvements or compliance.

PCI isn’t a radical reinvention of security schema; rather, it’s a codification of security best practices, many of which should be used regularly by organizations of any stature. The dozen PCI requirements include such standard security practices as installing and maintaining a firewall, encrypting credit card data when transmitted over public networks, restricting access to sensitive data, routinely testing security measures, and installing and regularly updating antivirus software (see “PCI Toolbox,” p.33).

PCI costs are heavily reliant on the security measures already in place before compliance efforts begin. Gartner estimates that Level 1 merchants—those processing more than six million credit card transactions a year—have spent about $568,000 on average to meet PCI standards (for more on PCI levels, see “PCI’s Big Umbrella,” p.32). Javelin estimates that 30 percent to 40 percent of PCI compliance spending is dedicated to reprocessing and re-engineering a merchant’s security infrastructure and determining where sensitive data is being stored. Documenting compliance efforts and security measures alone consume much of the cost.

“If you have a basic information security program in place, broadly speaking, you’re following what PCI says you ought to be doing, because you’ve got [a set] of good procedures,” says Michael Barrett, chief information security officer at online payment service PayPal, a division of eBay. “Passing PCI is mostly a question of demonstrating compliance. So it’s mostly fishing out documentation and making sure that when your operations people run quarterly scans, they keep those logs so you can later show them to the auditors.”

This was the case for Hughes Network Systems, which acts as a managed-services provider for BP Corp. North America, Blockbuster, Yum! Brands and other major merchant brands. Hughes’ clients demanded the provider adopt PCI standards to ensure their own compliance. Much of Hughes’ security infrastructure was already compliant, but certain tweaks needed to be made with transport encryption over untrusted, public networks, says Matt Kenyon, the company’s senior director of network operations and security.

“From the main front-door security, if you will, it didn’t change much,” Kenyon says. “But PCI has some specific mandates about encryption on the actual transport. So we added some new architectures to put further encryption on top of what we already had, and on our base transport, to get up to spec on compliance.”

Beyond that, the most resource-intensive part of complying was getting ready for the auditors, a process for which Hughes enlisted the help of IBMsecurity consultants.

“We already had documents and policies and procedures,” Kenyon says, “but in order to get through the PCI compliance, what IBMhelped us with was putting that into a language that somebody outside of our own organization understands. And so it makes the compliance auditing process much easier.”

Even with security methods already in place, many organizations have still needed to make major infrastructure changes to meet specific PCI standards. For example, Bwin, a European gambling site, had to rebuild its payment infrastructure to more cleanly organize and segment it from the rest of Bwin’s systems. It was an intensive 10-month process.

“We took the whole payment infrastructure out of the Bwin infrastructure and rebuilt it,” says Oliver Eckel, Bwin’s head of corporate security. “The big challenge was to do it in a PCI-compliant way, which basically was a really big task on the documentation side.”

Of course, department stores, restaurants and e-commerce portals are affected by PCI compliance requirements. Also under the PCI umbrella are movie theaters, sports stadiums, museums and hospitals. Even an organization such as the National Aquarium in Baltimoremust comply, because it accepts credit cards for tickets, concessions and donations. While caring for aquatic animals is the aquarium’s primary mission, PCI gave its IT staff justification for security spending.

“The benefit of PCI is that it usually helps in freeing up dollars for what were perceived as risk points that you couldn’t necessarily get the budget for in the past,” says Hans Keller, the aquarium’s chief technical officer.

Prior to getting a call from the bank about PCI, Keller and his staff had been hoping to pick up a security information management system to fill in some holes within the aquarium’s security program, but they couldn’t convince management to allocate the cash. PCI changed the situation, and now the organization is running the TriGeo Information Manager System, which greatly aided its compliance effort.

“When you look at the PCI standards, for the most part 90 percent of those things are things that companies should be doing anyway,” Keller says. “Most of the areas we were already fairly well compliant with, but there were six or seven areas where we weren’t compliant, and TriGeo perfectly plugged all those holes.”

Making the Compliance Case

TJX’s disinclination to undertake the costs to execute meaningful security improvements vividly illustrates the push-pull relationship credit card processors such as Visa, MasterCard and American Express have had with merchants since the uniform data security standards were first established in 2004.

According to Gartner research analyst Avivah Litan, compliance pushback is common at most organizations, which view security as a cost center—or a drain on revenue and profit because it offers no appreciable return on investment. “Unless you’ve been contacted by your bank and you’ve got a deadline and someone’s breathing down your neck, you’re not going to spend extra on security,” Litan says.

Ever since the payment card industry first released its set of security standards, credit card companies have been walking a fine line between maintaining client satisfaction and cardholder security.

“They are as dependent on the retailers as the retailers are dependent on them,” says PayPal’s Barrett, who serves on the PCI Security Standards Council’s advisory board. “The only thing they can do is essentially what they’ve been doing, which is [considering] how you cajole the industry into complying. How do you shame them? How do you persuade them financially, by either giving them credits where appropriate, or giving them debits where appropriate?”

Since 2005, some of that leverage has been attained through fines levied by the card companies onto bank processors, which then pass the cost down to those merchants in PCI violation. Visa is the only company that has publicized the extent of its enforcement efforts: The company reportedly dinged its merchant members for a total of $3.4 million in 2005 and $4.6 million in 2006.

Until recently, though, these fees were mostly a blunt weapon against the most egregious offenders. According to a Gartner analysis, the majority of past years’ fines were levied in the most extreme cases—either as a result of a breach or because the company was still storing sensitive data from cards’ magnetic strips that could give criminals the means to manufacture counterfeit cards. Instead, the payment card companies have tried to target much of their effort toward education and awareness campaigns.

In September 2006, the card companies rolled out the PCI Security Standards Council in conjunction with its first major refresh of the standard, PCI DSS1.1. In addition to the council’s outreach efforts, the major credit card brands have driven adoption in the past year by establishing compliance deadlines for the largest merchants, to create a heightened sense of urgency. Visa set a deadline of Sept. 30, 2007, for merchants with more than six million transactions per year, Level 1 merchants, warning that they would be fined $25,000 per month thereafter for noncompliance. Similarly, those merchants with one million to six million transactions annually, Level 2 merchants, were given a Dec. 31, 2007, deadline, with $5,000 fines hanging over their heads.

In October 2007, Visa reported that compliance rates among Level 1 merchants had jumped from 36 percent in December 2006 to 65 percent. Among Level 2 merchants, compliance had risen from 15 percent to 43 percent during the same time period. All told, these vendors make up two-thirds of Visa’s transaction volume.

While a high level of noncompliance remains, it is clear that the card companies are making headway.

“There is unanimous agreement among all affected players in the PCI space that there have been considerable improvements in PCI education, outreach, communication and standardization of requirements,” said Javelin strategy and research analysts in a November 2007 paper on PCI compliance. “Two years ago, merchants were focused on why they needed to comply. Now, the majority of merchants are more concerned about how they can become PCI-compliant and successfully expedite the process.”

The colossal TJXbreach boosted PCI compliance and gave the PCI Security Standards Council newfound credibility, according to Javelin and other industry observers. Enterprises often step up standards compliance and security efforts following a major breach at a peer company. Some observers are hopeful that the worst-case scenario has forced retailers to finally pay attention to what the payment card industry has been preaching for years—they are not only vulnerable, but accountable.

“The court filings and proceedings surrounding the TJXcase have illustrated the vital importance of protecting this data properly, and having a functional information security program in place,” Barrett says. “And I think that this stage—the level of fines, settlement costs, reserves, etc., that TJXhas now held aside for this—has absolutely and vitally illustrated how important it is that companies don’t take this stuff for granted, and that we do make sure that they are properly protecting this information.”

Nevertheless, ambiguity, high costs, and fear of inhibiting productivity, as was the case with TJX, gives some organizations cause to delay or ignore security standards. As a result, the chorus of consumer complaints is causing federal and state lawmakers to consider legislating standards similar to PCI.

Technically, Compliance Is Tough

PCI mandates security measures that any merchant should already have in place. Nevertheless, compliance is fleeting among larger retailers and other organizations because of the complexity of security technology and the difficulties of increasing security without impeding productivity and operations.

“From the folks I’ve talked to, I would say there are just pieces that aren’t in compliance for most large merchants,” says Diana Kelley, head of the security division of technology analyst firm Burton Group. “There will be a couple of things that were flagged on the audit, and those things may be very difficult for them to fix.”

In many cases, Kelley says, PCI compliance is an issue of dealing with legacy systems that are difficult to harden without breaking. According to VeriSign, a provider of security services and digital certificates, most organizations fail the third PCI requirement: full database encryption. Many older databases need to be restructured to accommodate full encryption, an arduous process that Gartner says could take up to two years to complete.

“These systems are usually business critical; retailers can’t withstand that kind of performance hit,” says Phil Neray, vice president of marketing at Guardium, a database security company.

The payment card industry is not unsympathetic to such technical challenges. PCI allows for a compensating control that lets an organization install database monitoring in combination with medium-level encryption until it can employ full database encryption.

“The benefit is that it doesn’t require any changes to your database or your applications,” Neray says.

Even if affected organizations do everything they can to comply with PCI, they still can’t control their vendors. This has become one of the major PCI compliance issues: vendors failing to provide PCI-compliant products and services, making it more difficult for organizations to receive certification.

The National Aquarium’s PCI compliance was delayed until January because of its ticketing vendor, Paciolan. Although Paciolan released updates last year that brought its venue ticket purchasing systems into compliance, the early version of those updates broke a number of the aquarium’s systems. As a result, the organization had to wait for fixes from its vendor to become compliant.

A service provider could pose similar problems. Considering that Hughes, as a managed services provider, is only one of nine U.S.companies certified under PCI to transmit credit card information, there are probably numerous gaps within many organizations’ outsourcing chains.

In addition to the standards themselves, some believe the auditing ecosystem developed by the PCI Security Standards Council needs improvement.

According to the council’s requirements, the annual on-site audit review “is focused on any system(s) or system component(s) related to authorization and settlement where cardholder data is stored, processed or transmitted.”

The typical audit includes not only a review of security logs, IT procedures and the like, but also a penetration test of systems that handle cardholder data. The entire audit process can take anywhere from a couple of days to many months, depending on how many problems the auditor flags and how long it takes for the business to correct deficiencies.

The difficulty is that there aren’t many auditors certified by the council to conduct these assessments, and the guidelines are nebulous enough to be open to interpretation.

“The real challenge is to find a more standardized way of [determining] how the qualified security assessors work—how this whole ecosystem works,” says Rani Osnat, vice president of marketing at database security firm Sentrigo. “Because the problem right now is that you may have three different PCI-accredited auditors do a PCI audit for you, and you could get three different results.”

Standard Not Set in Stone

The PCI Security Standards Council has got its work cut out. Not only will it need to help laggards over the last hump, but it must maintain the standards so they’ll keep up with the most recent threats.

“It’s a changing landscape, and the hackers are getting smarter,” Russo says. “Will the standard ever be complete? I doubt it. It’s more of a journey than a destination.”

Although the council has yet to release specifics, most insiders expect a new PCI standard update involving the encryption of personal identification number (PIN) entry devices, the establishment of payment application best practices, and tweaks to the self-assessment questionnaires for Level 3 and Level 4 merchants. But merchants shouldn’t be wary, Russo says, since all changes will be made with ample contributions from advisory board members from all parts of the payment card lifecycle.

“Contrary to popular belief, it is not our intent to bring out a new standard to put everybody out of compliance,” Russo says. “And we don’t sit in an ivory tower and pick this out of the air; it’s all based on real-world experience from participating organizations.”

The real goal, Russo says, is to keep cardholders safe. And while most security gurus would agree that PCI isn’t a silver bullet, it will go a long way toward shielding retailers’ records from the bad guys.

Unfortunately, this lesson wasn’t learned soon enough to prevent the TJXgaffe. Many experts believe that if TJXhad been PCI-compliant prior to its breach, the situation would not have been as severe as what came to pass.

True, WEP wireless security was the first point of penetration in the TJXhack, and at the time PCI standards did not require WPA encryption. But experts believe that it really was the mediocre security endemic to the TJXinfrastructure that gave attackers such unlimited access to customer data. TJXsecurity and PCI compliance efforts had so many holes that what could have been a minor wireless hack turned into a massive breach.

“If TJXhad been PCI-compliant, there is no doubt that this breach could not have had the scope or lasted the length of time that it did,” says Sentrigo’s Osnat. “It’s very, very unlikely. They did not get access to the hundred million credit card numbers just by intercepting wireless transmissions. That would have taken a very long time, much longer than 17 months.”

Perhaps one of the biggest problems TJXhad at the time of the breach was not just that it was falling short of PCI mandates, but that its efforts to comply were geared toward adhering to the letter of the law rather than the spirit of the law. The e-mails dredged up through court proceedings certainly illustrate this point. “Check-box compliance,” or establishing a set of standards that can be loosely interpreted, could be one of PCI’s chief weaknesses. In the end, the question will be how committed organizations are to protecting customer and cardholder interests.

“PCI is helping to set a minimum standard,” says Hughes’ Kenyon. “I think what it really has done is [act as] a vehicle for education, more than anything else—to really get the message down past the IT department to senior managers.”

PayPal’s Barrett believes that early resistance was mostly a byproduct of culture shock. Many retailers and other organizations that accept credit cards weren’t accustomed to having a third party mandate security controls—sometimes involving expensive upgrades.

“I think what you’re seeing is simply the fact that as a culture, as a sort of retail payments culture, there hasn’t been enough collective attention to this,” Barrett says. “And whenever you change culture, it always takes several years, and it’s always accompanied by lots of wailing and gnashing of teeth. But I don’t think any of that says either it’s the wrong thing to do or it undercuts the inevitability of the journey we’re on, because I do think in a few years we’re going to look back at this and say, ‘What the heck was all the fuss about?’”