Credit-card compliance in progress
Beginning in July 2005, hackers aimed wireless equipment at Marshall's and T.J.Maxx stores from Minnesota to Miami. By the time the breach was discovered a year and a half later, they had downloaded as many as 90 million credit card numbers from the stores, which are owned by TJX Companies.
Credit card companies have been increasingly adamant that retailers protect card numbers, and they've been targeting smaller and smaller companies.
Complying with credit card security standards hasn't been the same since. Financial companies, armed with a widely known and frightening breach expected to cost over $1 billion, have increased pressure on retailers that take credit cards to comply with those standards.
While credit card companies' main concern has focused on larger retailers that take more credit and debit cards, they've started to focus their attention on smaller companies, said Seth Peter, chief technology officer for Minneapolis-based technology security consulting firm Netspi. "Visa is working its way down the food chain," Peter said.
Peter and company CEO Deke George started Netspi in 2001 and the company has built a substantial business helping companies comply with security regulations - such as the Health Insurance Portability and Accountability Act, which requires numerous privacy protections in health information.
In recent years it has worked with retailers to help them comply with the Payment Card Industry (PCI) Data Security Standard, the set of requirements, backed by the card brands, that retailers must follow to protect credit and debit card data.
Retailers are categorized by the number of card transactions they process each year. Companies with heavy credit card volume, such as large franchise systems like Carlson Companies, are categorized as Level 1. Those retailers must have their systems audited on site every year to ensure compliance with PCI standards. Level 2 merchants do not have to undergo annual on-site audits, but they face more stringent requirements than the smaller companies categorized as Level 3 or Level 4.
Netspi, which works with franchisors like Minneapolis-based Carlson and Michigan's Domino's Pizza, performs the annual audit. It also consults with companies on credit card security, and certifies POS systems to ensure they comply with PCI standards. Peter noted PCI has a list of approved systems. Systems that aren't certified have to go through a more rigorous approval process.
As the TJX case proved, however, some companies simply don't follow the standards. That company apparently failed to meet nine of PCI's 12 security requirements. "If you had a firewall at your home computer, you had better security than TJX did," Peter said.
Retailers can be fined up to $500,000 if their security is breached, though that amount may not necessarily deter larger companies, said Netspi's Alex Crittenden. A bigger problem for companies is the damage that a breach can do to the brand.
Also damaging is the direct cost of a security incident: TJX's breach could ultimately cost the company hundreds of millions of dollars. For a smaller company, that cost can come in the form of having to meet additional requirements.
A smaller company that suffers a breach must then follow the same rules as the largest retailers. The cost can be enormous, because it can involve major changes to security systems, and the company must submit to an audit from a firm like Netspi every year.
Companies must comply in order to keep accepting credit cards. "It's a reasonable cost now," Peter said, "it'll be an unreasonable cost after a breach." Companies could decide not to take credit cards, as some invariably do, but they stand to lose customers in a world in which plastic is increasingly the main form of payment.
The biggest security problem companies have, Peter said, is keeping their credit card systems separate from other systems that connect to the Internet. Separating those systems can keep basement-dwelling hackers who get onto a retailer's network from fishing around for credit card numbers. It also limits the damage when a worker accidentally introduces malware by plugging a home computer into the work network.
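One concrete form of the segmentation Peter describes is a firewall policy that lets the point-of-sale (POS) network reach only the payment processor and nothing else, and that keeps the office network out of the POS segment. The nftables ruleset below is an added illustration, not something from the article or from Netspi; the interface names, the address ranges (10.10.0.0/24 for POS, 10.20.0.0/24 for the office LAN), the TEST-NET-3 gateway address 203.0.113.10 and the jump host 10.20.0.5 are all assumed for the example.

```conf
# Added example (not from the article). Assumed layout:
#   vlan10 = POS / cardholder data segment, 10.10.0.0/24
#   vlan20 = office LAN, 10.20.0.0/24
#   203.0.113.10 = the payment processor's gateway (assumed address)
#   10.20.0.5    = the only admin jump host allowed to manage POS hosts
table inet cde_segmentation {
    chain forward {
        # Default deny: anything not explicitly allowed between segments is dropped.
        type filter hook forward priority 0; policy drop;

        # Let replies to permitted connections through; discard malformed state.
        ct state established,related accept
        ct state invalid drop

        # POS terminals may open connections only to the payment gateway over TLS.
        iifname "vlan10" ip saddr 10.10.0.0/24 ip daddr 203.0.113.10 tcp dport 443 accept

        # The office LAN may not reach the POS segment, except the jump host over SSH.
        iifname "vlan20" ip saddr 10.20.0.5 oifname "vlan10" tcp dport 22 accept

        # Everything else leaving or entering the POS segment (general Internet,
        # office file shares, ad-hoc remote access) is logged and dropped.
        iifname "vlan10" log prefix "cde-egress-drop " drop
        oifname "vlan10" log prefix "cde-ingress-drop " drop
    }
}
```

The two log lines at the end are redundant with the drop policy but make violations visible: a POS host trying to reach the general Internet, or an office workstation probing the POS segment, shows up in the firewall log rather than silently failing, which is exactly the kind of evidence an assessor asks for when verifying that the cardholder segment is isolated.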
He also said that the company works with retailers to ensure that they have adequate defenses in place against any kind of "malware," including spyware and viruses that can take root in a system, steal information like credit card numbers, and send it to another computer over the Internet.
Wireless technology, of the type exploited by the TJX hackers, is another area the consultants examine. But Peter noted that the highly publicized hack scared enough retailers that many are simply not using the technology, at least for their back-office systems. Even so, those that do use wireless need to employ sound encryption.
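"Sound encryption" on a store's wireless network means, in practice, not running WEP, whose keys can be recovered from captured traffic in minutes, and instead using WPA2 with AES (CCMP) and protected management frames. The two hostapd fragments below are an added example, not configuration from the article or from any of the retailers named in it; the SSID, interface name and passphrase placeholder are assumed.

```conf
# Added example (not from the article). Two hostapd access-point configurations
# for an assumed back-office SSID; interface and SSID names are made up.

# --- WEAK: WEP. Do not deploy. Shown only as the setting to look for. ---
interface=wlan0
ssid=STORE-BACKOFFICE
hw_mode=g
channel=6
# A static 40-bit WEP key shared by every device; recoverable from sniffed traffic.
wep_default_key=0
wep_key0=123456789A

# --- CORRECTED: WPA2 with AES-CCMP and required management-frame protection. ---
interface=wlan0
ssid=STORE-BACKOFFICE
hw_mode=g
channel=6
wpa=2                      # WPA2 only; no WPA1/TKIP fallback
wpa_key_mgmt=WPA-PSK       # for a store, WPA-EAP with a RADIUS server is better still
rsn_pairwise=CCMP          # AES-CCMP; never TKIP
wpa_passphrase=REPLACE-WITH-A-LONG-RANDOM-PASSPHRASE   # placeholder, at least 20 random chars
ieee80211w=2               # protected management frames required
```

The check a consultant would make is the same whether the equipment is hostapd or a commercial access point: no WEP or open SSIDs anywhere on the store's airspace, no TKIP, and the wireless segment itself firewalled away from the cardholder systems as in the segmentation rules above, so that even a compromised wireless client cannot reach a POS terminal.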