
Defeat the hacker
Credit industry PCI standards protect customer data
and your business
By Keith Reid
Credit-card fraud is nothing new, but the scale at which it can be committed has reached new heights in today’s Internet world. In May 2005, a hacker penetrated the database at CardSystems Solutions Inc., an end-to-end payment processing solutions provider, and accessed more than 40 million credit-card numbers belonging to U.S. consumers. In 2001 the online gift certificate company Ecount was compromised by hackers who gathered the personal data of 350,000 customers and demanded $45,000 to keep from exposing the information. When the demand was refused, the information was posted on the Internet.
A variety of retailers have been hit by “skimming,” where an employee swipes the credit card a second time on a personal digital assistant with a card reader attached, to capture the magnetic-stripe data. This type of fraud has moved to the gas pump. Criminals have used a master key to unlock a dispenser service door and insert a cigarette-sized device that captures the card data during a pay-at-the-pump swipe. There have been notable cases of dispenser skimming in Florida and California, and between Sept. 21 and Oct. 2, 2005, criminals apparently used some form of dispenser card skimming to steal credit-card data from some 600 Sam’s Club customers.
A similar skimming approach targets ATMs, with a slip-on attachment that fits over the existing card reader and looks like a natural part of the unit. The ATM functions normally while the additional card reader captures the mag-stripe data during the swipe, and a wireless camera hidden in a false brochure box records the PIN as it is keyed in.
In an attempt to address these new digital threats, and unify the security efforts throughout the credit industry, Visa U.S.A. Inc., MasterCard International Inc., American Express, Discover Card, Diners Club International Ltd., and JCB instituted the Payment Card Industry Data Security Standard (PCI DSS), which took effect June 30, 2005. PCI requirements now form the core of the card brands’ previously proprietary data security programs. The PCI standard covers 12 security-related requirements:
- Install and maintain a firewall configuration to protect data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data and sensitive information across public networks
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications
- Restrict access to data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security
Merchants that process more than 6,000,000 transactions per year, or that have suffered a breach in which account data was compromised, are required to have an annual on-site PCI data security assessment and a quarterly network scan to look for potential openings that could be exploited. Various criteria are in place for merchants conducting e-commerce at lower transaction levels. For the rest of the merchants, compliance is mandatory but formal validation is optional. Acquirers and other third-party providers have their own set of requirements, and various hardware security efforts have also been moved into the PCI process. Failure to comply can result in fines, restrictions or being prohibited from accepting the card brands.
“The whole purpose of these guidelines is to make people aware that the data they have needs to be much more securely protected,” said Brad McGuinness, vice president of product development for San Jose, Calif.-based VeriFone Holdings, Inc. “This push started all the way back when we used to print full names and card account numbers on receipts. Then you had account masking which took a number of years to implement, and now we’re taking the next step in looking at where the information is stored and how much is maintained all the way through the complete enterprise.”

The move to rationalizing programs to PCI was also seen as being a needed development by the entities that had to interact with the card brands and their previous collection of proprietary standards and requirements. “The payment card guys have done a very good thing, and that’s to get their heads together and globalize their standards,” said Mike Finley, vice-president of global product marketing for Atlanta-based Radiant Systems. “We had just a fruit basket of standards that in some situations were conflicting. There was Secure Pay and CISP, a Visa PED standard for pin pads — so many different things. It was intensely confusing for the retailers as well as their suppliers. In our case, it was costing us a whole lot of money to keep certified on a lot of different standards. So they’ve gotten together and said PCI is one standard for the payment-card industry, and it has chapters that relate to payment cards, PIN numbers, hardware software and all sorts of things.”
The Merchant
In addition to complying with their own PCI requirements, the acquiring banks are responsible for ensuring that merchants are compliant with PCI and, along with merchants, face fines of up to $500,000 per incident if the data is hacked. Most petroleum/convenience retailers would fall into the Level 4 merchant category, which means they are required to comply, and it is recommended that they fill out an annual PCI self-assessment questionnaire (75 yes-or-no self-assessment questions) and undergo a recommended annual network scan.
There are indications, through surveys and anecdotal reports, that many merchants have trouble understanding all of the questions asked on the questionnaire, and that some are not putting the proper effort into making sure their operations are secure.
“The biggest challenge today that I see, is that while everybody is required to be compliant very few are required to be validated as compliant,” said Phil Mellinger, chief information security officer for Greenwood Village, Colo.-based First Data Corporation. “Generally, they go after the very largest brick and mortar merchants and perhaps the largest 5,000 e-commerce merchants. Beyond that, it’s all optional. My personal belief is that any merchant that is connected to the Internet is really susceptible to tremendous risk and should really be required to take part in some low-cost assessments. Clearly, it would have to be streamlined and simple so that the mass-market actually understand what they’re going through.”
Although a petroleum/convenience retailer may not be as vulnerable as an e-commerce merchant, there are valid data concerns that need to be addressed. Companies that operate with dedicated “closed” IP networks or dial-up lines face less exposure, though not none. However, those that use the open Internet for transactions, to link sites to the home office, or even to provide e-mail and Web browsing at the store or home office face the risk of a hacker, perhaps one in a foreign country thousands of miles away, infiltrating their network.
It is possible, but complicated, to intercept data as it is routed through the Internet. For the greatest security, transaction data should be encrypted in transit. The greater risk comes from a hacker penetrating the network and accessing critical databases or informational files. Full magnetic-stripe (track) data should never be stored after authorization in this type of retail operation, but that does not mean that some retailers aren’t capturing it for other purposes, or that no vulnerability exists that would let an outsider capture it.
“I think people can come up with reasons to store magnetic-stripe data such as resubmitting transactions to get better rates or to keep data on your customer base, trends inventory — all sorts of things,” said Mellinger. “Or, a merchant could be working with a software vendor that at one time, for one customer, maybe even in another industry, built in the capability to capture this data. Maybe even for a valid reason. But now they’re selling that software to a whole bunch of different merchants and that feature still exists and a lot of the merchants may not even know that it exists. So we encourage merchants to find out whether their software vendors are inadvertently storing this data. There is also a push in the industry to have independent assessments of software that is being deployed on a large scale to make sure that it is not doing anything that goes against best practices.”
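Finding out whether a system is holding full track data, as Mellinger recommends, is something a retailer can check for directly. The script below is an added example, not code from the article or from any vendor quoted in it: it scans text (here a constructed, fictitious point-of-sale log using standard test card numbers) for Track 1 and Track 2 records, which PCI treats as sensitive authentication data that must never be retained after authorization, and for bare card numbers (PANs) that survive a Luhn check, which may be stored only if rendered unreadable. It also shows the receipt-style masking McGuinness describes, keeping only the last four digits. The log format and the function names are assumptions for the illustration.

```python
import re

# Constructed sample POS log for the example (not real data); the card numbers
# are the well-known 4111... and 5500... test PANs, and the timestamps, order
# number and amounts are invented.
SAMPLE_LOG = """\
2005-10-02 14:03:11 pos01 AUTH ok amt=42.17 card=4111111111111111 exp=1225
2005-10-02 14:03:11 pos01 DEBUG raw=;4111111111111111=25121011234567890?
2005-10-02 14:05:40 pos01 DEBUG raw=%B5500000000000004^DOE/JOHN^2512101?
2005-10-02 14:07:02 pos01 INFO order=1234567890123456 status=settled
2005-10-02 14:08:15 pos01 AUTH ok amt=9.99 card=************0004
"""

# Track 2: start sentinel ';', PAN, separator '=', YYMM expiry, service code,
# discretionary data, end sentinel '?'.
TRACK2_RE = re.compile(r';(\d{13,19})=(\d{4})(\d{3})\d*\??')
# Track 1: '%B', PAN, '^', cardholder name, '^', YYMM expiry, service code,
# discretionary data, end sentinel '?'.
TRACK1_RE = re.compile(r'%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})[^?]*\??')
# Bare PAN candidate: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; weeds out order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Receipt-style masking: everything but the last four digits replaced."""
    return '*' * (len(pan) - keep_last) + pan[-keep_last:]


def scan_for_cardholder_data(text: str):
    """Return (line_no, kind, masked_pan) for every hit in the text.

    kind is 'track1' or 'track2' (sensitive authentication data: must never be
    stored after authorization) or 'pan' (storable only if rendered unreadable).
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        remaining = line
        for kind, regex in (('track1', TRACK1_RE), ('track2', TRACK2_RE)):
            for m in regex.finditer(line):
                findings.append((line_no, kind, mask_pan(m.group(1))))
            # Blank out track hits so their PAN is not reported a second time.
            remaining = regex.sub(' ', remaining)
        for m in PAN_RE.finditer(remaining):
            digits = re.sub(r'[ -]', '', m.group(0))
            if luhn_ok(digits):
                findings.append((line_no, 'pan', mask_pan(digits)))
    return findings


if __name__ == '__main__':
    # Lines 1 to 3 are flagged; the order number on line 4 fails Luhn and the
    # already-masked card on line 5 has too few digits, so neither is reported.
    for line_no, kind, masked in scan_for_cardholder_data(SAMPLE_LOG):
        print(f'line {line_no}: {kind:6s} {masked}')
```

Run over a real file set, the same scan is the quickest way to learn whether a vendor’s software is writing track data to debug logs or databases without the merchant’s knowledge; any 'track1' or 'track2' hit is a finding to be fixed regardless of how the rest of the environment is secured.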
The PCI requirements also make sense for solid reasons that are unrelated to credit-card transactions. The same network vulnerabilities give hackers access to company Web sites, payroll data (which has been stolen and publicly posted) and personal employee information that can facilitate identity theft. A hacker could simply go in and, maliciously or accidentally, damage databases and other digital resources on the network, with devastating consequences for the retailer.
Hardware manufacturers
A variety of hardware security standards are also moving under the PCI umbrella. “Hardware has moved from being self certified to in many cases, to lab certified in order to be approved for the networks,” said McGuinness. “The PCI PIN Entry Devices security standard is so much more secure than anything in the past, that it would take a significant amount of money to be able to attack one of those devices. This is just another check box on the list a retailer goes through with their compliance.”
Hardware shouldn’t be storing complete mag-stripe data except for use in store-and-forward applications, which allow credit transactions to continue during periods when the external network is down due to a technical disruption. This data may or may not be encrypted. Once the network is back up, the stored transactions are forwarded and processed as normal. This is not seen as a major concern, since a hardware attack on the device is difficult to accomplish.
More to the point, the hardware is required to perform functions such as encrypting the data before it leaves the device and enters the network.
Although hardware manufacturers are pleased to have everything moving under one, unified roof, there have been some issues in making sure the standard is reasonable when meeting the very specific needs of retailers. Fortunately, these issues are generally being addressed in a reasonable manner. “Any user access to the data must be protected by strong passwords — 14 characters that contain a combination of text, numerical and special symbols and that those be redone once a week,” said Chris Whitley, director of global payment systems for Greensboro, N.C.-based Gilbarco Veeder-Root. “If you are the database administrator at a big-box retailer you probably need to be doing that. But if you take it verbatim, that means that a point-of-sale cash register would have to follow that with every cashier. We’ve had some monitors come in and take a look at it and agree that that did not make any sense.”
Whitley also noted that the nature of dispenser transactions in the industry brings with it additional considerations, which are being incorporated into the Automated Fueling Dispensers classification. “Trying to have the gas pump just meet the pin-pad rule just doesn’t work well with car washes and such,” he said. “You cannot block those down the way you would with a pin pad.”
Skimming at the dispenser is not addressed by PCI, though it is anticipated that the dispenser manufacturers will be looking into making their equipment more secure. The retailer can reduce this vulnerability to some extent through better personnel training in monitoring the island, and through better video security and monitoring for suspicious activity.