Cleaning House By Markku Willgren, North American Vice President of Business and Sales Development, Blancco
Recently, retailers have made strides in protecting credit cardholder data as part of their efforts to comply with Payment Card Industry (PCI) Data Security Standards (DSS), but small and mid-size merchants lag behind their larger counterparts. Also, even PCI-compliant retailers are challenged to account for all locations where cardholder data is stored throughout company networks, which is a critical component of DSS.
The PCI Council created DSS in 2004 to protect consumers from the many high-profile network breaches that have compromised millions of credit and debit cards and cost retailers millions of dollars in fines. With regard to protecting stored cardholder data, Requirement 3.1 of the DSS states:
"Keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy."
One way merchants can avoid keeping data longer than required is by implementing continuous data housekeeping practices that permanently erase PCI data files in temporary and/or redundant storage areas. To do so in an enforceable and auditable manner that complies with DSS, IT administrators need a centrally managed and automated method of housekeeping that specifically targets PCI information.
Data Vulnerability Visa estimates that three-quarters of its Level 1 retailers (those processing more than 6 million Visa transactions per year) now comply with DSS, while two-thirds of Level 2 retailers (1 million to 6 million transactions per year) and just 54 percent of Level 3 retailers (20,000 to 1 million transactions per year) are compliant. Figures were not released for Level 4, the smallest retailers, but Visa has noted that compliance in the category is "low."
Despite the growing number of companies reporting PCI compliance to Visa (the only credit card company that releases such figures), doubt remains as to whether retailers and their IT departments really have a handle on where all PCI data resides. In today's sprawling company networks, multiple copies of this data are easily conveyed throughout store operations, accounting, data centers and other departments if not closely monitored.
Also, there may be shortcomings in the relatively new and evolving PCI standards. In March 2008, Hannaford Bros. Co., a PCI-compliant supermarket chain with 165 stores, informed customers that unknown intruders had accessed its systems and stolen about 4.2 million credit and debit card numbers. Hannaford has reported 1,800 cases of alleged credit card fraud as a result and is currently faced with a class action lawsuit. Although not confirmed, evidence thus far points to a breach during a wireless transaction, but Hannaford said it had recently updated its wireless encryption routine.
Whether stored or in transit, encrypted data is vulnerable. If stored too long in locations ranging from Point-of-Sale (POS) systems to store servers and data centers, this data is susceptible because its encryption status must be continually updated to prevent hacking. Also, partial insiders such as technology vendors and outside maintenance personnel may have passwords to company computer systems or "keys" that can decrypt encrypted data. However, the permanent erasure of data at appropriate intervals eliminates the need for the computationally demanding task of encryption and stops the proliferation of multiple PCI data copies.
In most retail environments, data destruction occurs in an ad hoc fashion. While there may be policies associated with this task, especially when it comes to asset reuse and end-of-lifecycle equipment retirement, these are most likely not standard processes. Therefore, each location, division or department tackles data destruction the best they see fit, if they remember to do so at all.
Permanent data erasure involves much more than basic "Delete File" and "Empty Recycle Bin" commands, which only alter drive structure, leaving data recoverable with common software tools. Also, the sheer volume of transactions makes these commands too laborious for POS staff, or even store and data center IT personnel, to manage and document for DSS compliance purposes.
Finally, the ability to specifically target PCI data is more refined than full hard disk data content destruction and requires a tool that can isolate this data while leaving operating systems and applications intact on storage devices.
Housekeeping Central
To monitor and enforce "data destruction and retention policy" as a means for achieving and even surpassing PCI standards, IT departments need a centrally managed tool that automates data housekeeping for the entire retail organization, scaling from POS/desktops to store servers and data center storage devices. This tool should permanently destroy sensitive information with multiple overwrites of PCI files, recycle bin and empty disk space on a time- or event-driven basis, without impacting other data.
For example, IT administrators can set the criteria for automated deletion of cardholder data on all POS systems throughout the network at intervals determined by the company's data retention and disposal policy. This deletion can also be triggered by an event, such as the transfer of the PCI data from the POS system to a store server.
Likewise, administrators can set the interval or event for erasing PCI data from store servers, such as nightly batch processing of transactions, as well as from back-office systems and all points through the data lifecycle, "as required for business, legal, and/or regulatory purposes" in the DSS.
With automated data housekeeping, data erasure activities are monitored and logged to create documentation demonstrating PCI compliance. According to DSS Requirement 10: "The presence of logs in all environments allows thorough tracking and analysis if something does go wrong."
In comparison with elaborate anti-virus and firewall security, the expense for an automated data housekeeping tool is relatively low. This is especially true if the cost of automated housekeeping is compared with what a company could lose in dollars and public trust should a breach of stored data occur.
