Archive - Retail IT RSS Feed

Happy Birthday, PCI Council! Unfortunately, Compliance Is Not Enough


To honor the Council’s 10th birthday, and just in time for a new retail holiday season, let’s look back on how retail security challenges have intensified over the past decade.

The PCI Council’s inaugural year coincided with one of the first highly public, holiday-season retail breaches when, in December 2006, retail giant TJX acknowledged that it had been the victim of a major breach, stemming from an insecure wireless network that was easily attacked by…

Home Depot: Yet Another Retail Breach. PCI Compliance Just Doesn’t Cut It

What do Home Depot, UPS, and Target have in common? Well, aside from all providing budget-friendly furniture, all three have been the recent target of data breaches involving Point-Of-Sale (POS) units containing customer financial information.

Now, when a data breach occurs, someone always has to play the blame game. “It’s the store’s fault. Their IT security wasn’t compliant. Clearly they should have fixed x and prepared for y…” Well, I don’t believe approaching these sorts of issues from that angle is productive. Security is never infallible and *stuff* happens, so wear a helmet and get used to it or get out of the business.

If you want to blame something, blame the reliance placed on regulations as a means of securing customer information. Regulations are not, and have never been, a catchall solution. A chef doesn’t make good food because their restaurant passed a health inspection, yet in IT security people throw around the types of compliance they have like that’s something significant. That’s not how it works. If you work in retail IT, then PCI compliance isn’t some sort of badge of honor; it’s more like an acknowledgement that you’re not incompetent. If you had a room full of people and you wanted to find the most educated, you wouldn’t start by asking who completed grade school, so if you only judge a breached business by whether it was compliant or not, you’re asking the wrong questions. Compliance is a minimum requirement and, like most minimum requirements, it logically follows that anything greater than it is better. What we need to start asking, then, is “could this breach have been reasonably avoided?”

These businesses were legally required to be PCI compliant, but there’s so much more to providing IT security than following some paint-by-numbers security guidelines. The key thing about IT security is that you can never eliminate the risk, you can only mitigate it. That leaves one question remaining: could the Home Depot breach have been reasonably avoided?

I can’t easily answer that. Depending on how you look at it, the breach was both avoidable and unavoidable. It’s impossible to know, because we don’t know if Home Depot did a good job securing their customers’ data; that information hasn’t been released yet. What I can say is that if more banks had adopted chip-based credit cards, then the breach wouldn’t have been as bad. Chip cards are harder and more expensive to “clone,” thus making them less valuable to criminals. Would this have prevented the breach? Probably not. Would it have decreased the damage? Yes, significantly so.

If you think about it, though, that’s IT security in a nutshell. There’s no such thing as absolute security. The only absolute in IT security is the absolute chance of any system being breached. P(Breach) ≠ 0 and whatnot. If someone wanted to dedicate enough resources, they could breach any system. To combat this, those in IT security must follow a constant process of checking and confirming that their systems are as they should be. It’s a process of confirming that vulnerabilities are closed as they are discovered.

In summary:

Could more have been done to prevent the Home Depot breach?

Sure, there’s always more that can be done to improve security.

Does the status of their PCI compliance matter?

Not that much, except from a legal standpoint.

Would having stronger security have made a difference?

Not necessarily, but it couldn’t have made it worse.

Now I’m not the kind of guy to self-promote in the aftermath of a major breach, but we have a free eBook on how AuthAnvil can help secure retail IT. It covers how many of our features can help to meet and surpass the requirements of PCI DSS. So, if you’re interested in what PCI compliance actually requires or are looking to beef up your system’s security, just Click Here.

Author: Harrison Depner

U.S. Government Indicts 5 Global Hackers in Ring Targeting Retailers

Federal prosecutors have charged one Ukrainian and four Russian hackers with stealing credit card and other financial information from companies including J.C. Penney, Carrefour, 7-Eleven, Jet Blue Airways and Dow Jones.

The indictment that was unsealed in New Jersey on July 25 details a computer crime spree that began in 2005 and netted hundreds of millions of dollars, a sum sufficient to make it “possibly the biggest hacking scheme ever prosecuted by the U.S. government” according to government sources quoted in a Wall Street Journal article about the case.

The indictment details how the hackers scouted retailers in 2007 and 2008 to determine the types of payment processing systems in use. The hackers penetrated corporate networks and installed software that gave them back-door access to the systems later.

According to the same WSJ article, the hackers used leased computers in New Jersey, Latvia, the Bahamas, Panama and other places to carry out their attacks, and even set up Google alerts to let them know when the data breaches had become news so that they could stay ahead of law enforcement agencies.

The five persons named in the indictment as co-conspirators face a variety of charges that include operating a computer hacking conspiracy and conspiracy to commit wire fraud. The five are Alexandr Kalinin, Vladimir Drinkman, Dmitriy Smilianets, Roman Kotov and Mikhail Rytikov. Smilianets is in U.S. custody and Drinkman is in custody in the Netherlands pending extradition, but the other three remain at large and may be in Russia. The five allegedly stole more than 160 million credit and debit card numbers and caused a payment processor losses of more than 200M.

The WSJ reports that Mr. Kalinin has been charged by the U.S. District Attorney in Manhattan with being a part of two separate scams, one to hack NASDAQ servers and another to steal bank account information for 800,000 accounts.

Retailers are facing increasingly frequent and costly attacks by hackers from Eastern Europe and across the globe. The costs of a data breach in retail IT can be substantial and include loss of reputation, revenue, trust and fines from card companies and regulators.

Learn some of the ways that retailers are achieving better data security and IT asset management from this on demand briefing: Retail IT 2013: Data Security and PCI Compliance.

Retail Data Security Is Bigger than Just a Data Security Solution

It may seem counterintuitive, but it is true nonetheless: buying software that’s designed specifically to solve a particular problem probably won’t solve that problem by itself in today’s retail environment. And nowhere is that more true than in data security. Effective compliance and security require a strong data security solution, a strong systems management solution, and a strong complementary relationship between the two.

Efficient IT Service Desk Crucial to Success of Today’s Retailers

Today’s retail industry is built upon multi-faceted, multi-channel and increasingly complex technologies. A comprehensive and flexible retail IT service desk is crucial. A retail service desk should hold a central position in retail operations. Business management should be informed regarding the scale of what’s needed to support an increasing use of, and dependency on, technology in the retail environment.


Managing Retail Industry IT Environments with Virtualization

Business leaders in retail face different challenges from their counterparts in other industries. Retailers are being pulled toward virtualized computing because it enables them to invest less in maintaining, monitoring and updating systems and information. Business needs dictate that IT systems management resources be pooled across retail environments and shared between geographically-dispersed users.


Delivering Network IT Security for Complex, Distributed Retail Environments

Network IT security has become an increasingly complex challenge for today’s retailers. Recently, JC Penney and Burberry announced plans to equip their sales staffs with iPads. Loyalty programs are now conducted via sophisticated point-of-sale (POS) terminals. Credit card transactions are processed on a multitude of devices. Securing the retail store computing environment has never been more important than it is today.


Better Manage Retail POS Systems. Simplify Your Retail Business.

Retail chain IT administrators often spend the majority of their time fielding calls and reading emails from salespeople having trouble with their retail point of sale (POS) systems. It becomes almost impossible to keep up with all the requests coming in from the field via various channels. Lack of a centralized repository of information causes repetitive issues to recur, forcing administrators to devise stop-gap fixes instead of analyzing those repetitive issues and developing a long-term retail IT solution.


POS System for Retail: Make IT Management Challenges a Thing of the Past

The retail industry lives and dies on margins, with managers on a never-ending quest to increase revenue and decrease costs. Technology is an area of intense focus as a way to accomplish both goals. Nowhere is that more evident than in POS systems for retail, which are evolving as they incorporate multiple functions.

Retail point of sale systems typically contain a computer, monitor, cash drawer, receipt printer, customer display and a barcode scanner. Many also include a debit/credit card reader, a signature capture device and a customer pin pad. These all-in-one POS units run sophisticated software that handles several functions including sales, returns, exchanges, coupon validations, layaways, multiple payment types, gift cards, quantity discounts and more.


6 Management Capabilities of a Complete Retail IT Solution

You can say that the retail landscape is changing rapidly. Retail stores used to be stand-alone environments, but this is no longer the case. A retail store is now a complex IT environment, made up of a myriad of devices such as PC-based POS terminals, handhelds, RFID readers, manager workstations, local servers, tablets, smart phones, etc. This expanding array of devices plays a critical role in enhancing the customer experience, but it also brings its own set of management challenges for any retail IT solution used to manage it… including the fact that each store is merely an extension of the bigger IT space that comprises your retail enterprise.