Lock it Up

Online retailing raises a different set of security issues than brick-and-mortar operations. No matter what you do, have someone come in and audit your system's security, and perform perimeter testing of both e-commerce sites and internal systems.

July 2007 By Powell Slaughter
Securing a traditional, brick-and-mortar furniture storefront boils down for the most part to pretty basic issues: physical losses such as shrinkage through employee, customer or organized theft, and financial tampering.

Video surveillance might help prevent the first, and regular audits and controls offset the second. Taking the store to the Internet raises the stakes, though, dragging in the issue of protecting consumer information as well as the retailer's business, along with the need to guard the network against problems such as Web-borne spam and viruses.

With merchants gathering a shopper's credit card number and other sensitive data, unscrupulous but savvy e-criminals want to use the Web to get at that information.

Just ask TJX Companies—whose retail brands include T.J. Maxx, Marshalls, Winners, Homesense, T.K. Maxx, A.J. Wright and Bob’s Stores—which suffered a huge data breach uncovered and announced in January.

The breach involved the portion of TJX’s computer network that handles credit card, debit card, check and merchandise return transactions for customers of its T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico, and its Winners and HomeSense stores in Canada.

In the first quarter of fiscal 2008 alone, TJX recorded a charge of around $12 million, or 3 cents a share, to cover the cost of investigating and containing the breach, including enhancements to computer security and systems, customer communication, and technical, legal and other fees.

The company expects to record another 2 to 3 cents a share in second-quarter charges related to the intrusion.

‘Smart Bad People’

“There are some very smart bad people out there, people trying to access credit card information,” said David Hogan, senior vice president and CIO of the National Retail Federation. “All too often I talk to people who identified credit card fraud.”

While identity theft is a buzzword among consumers, credit fraud is the most common data security problem when dealing with the Web, said Hogan, who directs numerous internal and retail industry IT initiatives and manages NRF’s CIO Council, a committee of retailing’s most prominent chief information officers. He also provides oversight for the Association for Retail Technology Standards.

Hogan spent his entire career in retail prior to joining the NRF. His experience includes serving as vice president and chief information officer of international retailer Duty Free Americas. He also held senior-level positions with The Limited Inc., serving as CIO for the company's Lane Bryant division, and was vice president of specialty footwear retailer The Kobacker Co.

Standards for Credit Card Security

The PCI Security Standards Council's Data Security Standard (PCI DSS) consists of 12 requirements, grouped below under the standard's general subject headings:

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect cardholder data.

2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data

3. Protect stored cardholder data.

4. Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software.

6. Develop and maintain secure systems and applications.

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need-to-know.

8. Assign a unique ID to each person with computer access.

9. Restrict physical access to cardholder data.

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data.

11. Regularly test security systems and processes.

Maintain an Information Security Policy

12. Maintain a policy that addresses information security.
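Requirement 3 (protect stored cardholder data) is where most e-commerce merchants go wrong, so here is an added example of what the requirement means in code. It is not part of the original article or of the PCI DSS itself; it applies three sub-requirements of PCI DSS 1.1 that the list above only summarises: 3.2 (never retain sensitive authentication data such as CVV2 after authorization), 3.3 (mask the PAN when displayed, showing at most the first six and last four digits) and 3.4 (render the PAN unreadable wherever it is stored). The keyed-hash token stands in for a tokenization service or encryption under proper key management, the key is a constructed placeholder, and the card number used is the well-known test PAN 4111 1111 1111 1111, not a real account.

```python
"""Added example (not from the article): handling a card number the way
PCI DSS requirements 3.2-3.4 ask for. Standard library only."""
import hashlib
import hmac
import re

# Constructed placeholder key for the example. In production the key lives
# in an HSM or key-management service, never in source code (PCI DSS 3.5/3.6).
PLACEHOLDER_TOKEN_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def luhn_ok(pan: str) -> bool:
    """Return True if the PAN passes the Luhn mod-10 check-digit test."""
    digits = [int(c) for c in pan]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(raw: str) -> str:
    """Strip spaces and dashes, then require 13-19 digits and a valid Luhn."""
    pan = re.sub(r"[\s-]", "", raw)
    if not re.fullmatch(r"\d{13,19}", pan) or not luhn_ok(pan):
        raise ValueError("invalid PAN")
    return pan


def mask_pan(pan: str) -> str:
    """Display form: first six and last four are the most PCI DSS 3.3 allows."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed one-way hash of the PAN (one of the options PCI DSS 3.4 accepts).

    An unkeyed SHA-256 would not be enough: once the six-digit BIN is known,
    a 16-digit PAN has only about 10**9 Luhn-valid candidates, which is a
    trivial brute-force, so the hash must be keyed (HMAC) or the PAN encrypted.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def store_cardholder_data_unsafe(pan: str, expiry: str, cvv2: str) -> dict:
    """What NOT to write to the database: full PAN in the clear and CVV2
    retained after authorization, which requirement 3.2 forbids outright."""
    return {"pan": pan, "expiry": expiry, "cvv2": cvv2}


def store_cardholder_data_pci(raw_pan: str, expiry: str, cvv2: str,
                              key: bytes = PLACEHOLDER_TOKEN_KEY) -> dict:
    """Build the record that may be persisted after the authorization call.

    The CVV2 is accepted only so the caller can pass it to the processor for
    that one authorization; it is deliberately never copied into the record.
    The PAN survives only as a masked display string, the last four digits,
    and a keyed token that lets a returning customer's card be matched.
    """
    pan = normalize_pan(raw_pan)
    del cvv2                    # used for authorization only; never stored
    return {
        "pan_masked": mask_pan(pan),
        "pan_last4": pan[-4:],
        "pan_token": pan_token(pan, key),
        "expiry": expiry,
    }


if __name__ == "__main__":
    # Constructed input: the standard Visa test PAN, not a real account.
    print(store_cardholder_data_pci("4111 1111 1111 1111", "12/09", "123"))
```

The contrast between the two `store_cardholder_data_*` functions is the whole point: the safe record contains nothing an attacker who dumps the database could replay at a merchant, while the unsafe one hands over exactly the fields a card-not-present fraudster needs. Whether a keyed hash, truncation or encryption is the right choice for 3.4 depends on whether the business ever needs the full PAN back (for example for refunds); if it does, encrypt it and treat key management as the hard part.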

To further the adoption of the PCI DSS, the PCI Security Standards Council defines credentials and qualifications for qualified security assessors and approved scanning vendors. The Council also manages a global training and certification program for QSAs and ASVs, and will publish a directory of certified providers on its Web site, www.pcisecuritystandards.org.