PCI Roadmap: Seven Steps to Tighter Data Security


RIS ROADMAP SERIES

The rise of omni-channel retailing, with its multiplication of customer touchpoints, increasingly complex shopping journeys and consumer desire for buy-anywhere convenience, has significantly expanded retailers' data security responsibilities. For example, the rapid rise of mobile deployments has created a steep learning curve for retail security executives seeking to ensure transaction security and prevent malware downloads onto a variety of devices. Even as new technologies demand attention, retailers must remain vigilant about protecting traditional transactions and data movement within their enterprises. This Roadmap offers seven mileposts to improved data security, from protecting in-store wireless networks to using tokenization to reduce PCI scope.

SPONSORED BY

RIS Roadmap October 2011 2.indd 1

10/28/11 9:17 AM



The common saying about payment data security is that it's a journey, not a destination. No system can be made completely secure, but retailers can go a long way toward minimizing both the likelihood and the severity of data security breaches. The rise of omni-channel retailing, with its multiplication of customer touchpoints, increasingly complex shopping journeys and consumer desire for buy-anywhere convenience, is adding many new twists and turns to this journey.

To take just one example, the growth of mobile point-of-sale deployments raises a number of new security concerns, notably the expansion of the Cardholder Data Environment (CDE) to include the wireless in-store networks supporting these devices. The move to mobile has meant that retail executives responsible for security have had to quickly educate themselves in mobile device management to secure not only mobile applications and data but the physical devices themselves.

However, security considerations often get pushed to the bottom of retailers' priority lists, particularly when a new technology opens up exciting possibilities in this increasingly fast-paced industry. "Mobile commerce makes security more challenging, but there's just no stopping it, because offering someone the ability to buy anywhere and at any time is fantastic," says Wade Baker, director of risk intelligence at Verizon and an author of the company's annual Payment Card Industry Compliance Report. "But mobile commerce security will be an after-the-fact consideration, just as it's been for other new technologies."

Yet as a few retailers have discovered to their embarrassment, the consequences of a data breach can be devastating, affecting not just the bottom line but a more precious, less tangible commodity: the customer's confidence in the retailer. Stolen credit cards can be cancelled, but broken trust can be much more difficult to fix. That means data security must move up on the priority list for both well-established and emerging technologies.

Milepost 1: Use Compliance-Enabling Payment Technologies

The Payment Card Industry Data Security Standard (PCI DSS), managed by the PCI Security Standards Council (PCI SSC), defines the CDE as the people, processes and technology that store, process or transmit cardholder data or sensitive authentication data. While retailers remain responsible for data security throughout their enterprises, they can use technologies that move some transaction elements outside the scope of the PCI DSS. Such compliance-enabling technologies can make compliance both cheaper and easier to maintain, according to Chase Paymentech, which identified two key technologies in an October 2011 article:

• Masking: The use of replacement characters to obscure part of the Primary Account Number (PAN) when it is displayed. The PCI DSS allows retailers to display at most the first six and last four digits of a customer's card number. Masking substitutes the digits in between with a string of replacement characters that can be either random or fixed. Masking is primarily a display control: the underlying data is still stored, it simply cannot be seen.


This reduces the scope of PCI exposure by eliminating the display of the full PAN. The unmasked data may still be displayed to other users with a business need to know, and the stored data is still subject to the PCI DSS requirements.

• Virtual Terminal: With this technology, cardholder data is captured and stored at a third-party location via an authenticated Web page over an SSL-encrypted link. The virtual terminal is a good fit for card-not-present and e-commerce environments, making it ideal for call centers and customer self-service. It can also integrate with POS terminals and/or magnetic stripe readers to support card-present payment options.

Seven Mileposts to Improved Data Security

1. Use Compliance-Enabling Payment Technologies: Retailers can minimize their PCI DSS scope with technologies such as masking and virtual terminals.

2. Mitigate Risks with Mobile Device Management: Mobility has grown so quickly that security often plays catch-up, so a comprehensive MDM strategy can identify and manage the biggest security issues.

3. Minimize In-Store Mobile Payment Risks: New PCI guidelines for mobile payment hardware and applications identify which solutions can be assessed as compliant.

4. Ensure Security of In-Store Wireless Networks: Use physical inspections in conjunction with wireless "sniffers" to discover rogue wireless network access points.

5. Continuously Monitor Payment Acceptance Hardware: Simple steps such as comparing how a peripheral currently looks with an original picture can help identify whether data skimming is taking place.

6. Minimize PCI Scope around Tokenization: Recently issued PCI guidelines provide ways to limit the scope around tokenization, which replaces Primary Account Numbers with surrogate values.

7. Look beyond Transaction Data in Setting an Overall Security Strategy: Customer data shared on social networks or locations revealed by consumer mobile devices are becoming valuable "currencies" that retailers will need to manage and protect.


Milepost 2: Mitigate Risks with Mobile Device Management

Mobility is becoming, or already has become, an important and challenging part of retailers' security profile. The chief information security officer for a major wholesaler/retailer summed it up succinctly: "Mobile is here and it's not going away, because it generates revenue and brings us closer to our customers." The numbers back up the CISO's statement: Insight Research estimates that 2.2 billion consumers will generate $124 billion in mobile financial transactions by 2014, and IHL Group projects shipments of tablet devices to retail will top 2.7 million annually by 2015.

The CISO notes that the variety of mobile devices in use within retail enterprises, many of them personal devices belonging to employees, means there is currently no single solution available to lock down these devices or to prevent malware from being downloaded onto them. Nor is the "explosion" of malware simply hackers or mischief-makers showing off; organized crime rings are ready to exploit vulnerable points within a network, most definitely including mobile devices. Retailers need a comprehensive mobile device management (MDM) strategy. Following are key risks identified by the CISO, along with potential solutions:

• Deciding what kind of technology is needed to manage devices and enforce corporate policies: Use a single security platform to manage all mobile devices (tablets, smartphones, laptops, PDAs, etc.).
• Threats from the hacking community: Solutions include data encryption; event and activity monitoring and logging; and data control, meaning that if a user does not log into the network within a certain amount of time, the device will delete its own data or block access to corporate e-mail.
• Combining personal and work use in one device: Leverage operating system features, particularly in Apple's iOS, to segregate corporate and personal settings, e-mail and applications.
• Lost or stolen devices: Gain the ability to remotely disable lost or stolen devices with software that can perform a remote lock and data wipe. Another option is data fading: devices not connected to the network will automatically lose their data after a set period of time.
• Insider abuse, malicious software downloads and malware from websites: Use remote mobile application configuration to control application deployments, software updates and patches, and security updates. The ability to remotely adjust device settings and restrictions "over the air" ensures enforcement of established corporate policies.

Milepost 3: Minimize In-Store Mobile Payment Risks

The growing popularity of mobile POS deployments has prompted the PCI Council to expand its requirements for encryption in card-reading devices, such as the Square magnetic stripe reader that plugs into a mobile phone or tablet. Prior to the release of the PIN Transaction Security (PTS) 3.1 requirements in October 2011, this program could only be applied to devices that accepted a Continued on Page 6


INDUSTRY INSIGHT


Mobility, Omni-Channel Shopping Raise New Security Risks
Charisse Castagnoli, Director of Marketing, Dell SecureWorks

Q: A growing number of retailers are deploying mobile POS devices in their stores. Does the use of these devices create new data security challenges?
CHARISSE CASTAGNOLI: Mobile devices do create some challenges from a security and risk perspective. The good news is that there is at least one POS-certified application for the iPad today, and we should expect many more. In addition, if we're talking about all-in-one devices that are purpose-built to perform transactions, these can be more easily locked down and certified, so they probably introduce minimal risk. The challenge comes from the inherent way that consumer-style tablet and smartphone operating systems are constructed, because they lack the controls and audit capabilities of traditional computing devices. Furthermore, a mobile device is much more likely to be lost or misplaced than a traditional register, so retailers should consider augmenting the device's security capabilities with better management and control capabilities such as mobile device management.

Q: How are retailers' data security profiles being affected by the move to an omni-channel environment, with customers accessing multiple touchpoints during their shopping journeys?
CASTAGNOLI: Fortunately, omni-channel marketing capabilities are largely outside the PCI scope, but we do need to consider issues around data privacy for the consumer. As omni-channel implies, the retailer's interaction with the consumer may become more intimate, meaning they are retaining more interests and data submitted by the consumer, and aggregating and sharing those interests to and from multiple trading partners. The more traditional means of tracking the user experience, such as cookies, don't work well on mobile devices, and they are being restricted both by technology and data privacy laws. In short, enabling the omni-channel experience means consumers' Personally Identifiable Information (PII) becomes more distributed and shared among partners, increasing the risk of a data breach. Data privacy and breach notification laws vary not only country by country, but state by state in the U.S. Retailers should ensure compliance with data privacy laws in their agreements with suppliers and partners. Another issue raised by omni-channel is retailers' own intellectual property, which by necessity must be shared or exposed with suppliers and partners. Whether this is shipping information, inventory levels, customer information or other data, omni-channel activity can expose the retailer's intellectual property to further risk of targeted espionage or accidental disclosure. Using best practices for data protection when sharing is involved, including contractual controls and the auditing/reporting of your partners' and suppliers' data protection policies, would be advisable.

Q: What are the most important takeaways for retailers from the recently released PCI DSS guidelines on wireless?
CASTAGNOLI: This is another challenging area for retailers, because new mobile devices are designed for ease of use and ubiquitous connectivity, including roaming between cellular and WiFi networks. With respect to the PCI wireless guidelines, the most important step a retailer can take is to clearly define which WiFi networks are in and out of scope. Given that one of the key benefits of using a smartphone or tablet in a retail environment is likely to include accessing the Internet, this means an entire wireless network should be set up just for the mobile devices. Because of these devices' ability to automatically join ad hoc networks, not only must the Cardholder Data Environment (CDE) network be separated and properly configured, but so must the mobile devices.


Continued from Page 4

Personal Identification Number (PIN). Now, any card acceptance device can be tested, approved and eligible to deploy point-to-point encryption technology. The new guidelines provide device manufacturers with a consistent set of data security and encryption standards, according to Bob Russo, general manager of the PCI SSC. “There are already hundreds of devices to enable remote mobile acceptance of credit cards,” he says. “Now that these requirements are defined, vendors can design and build their devices based on security criteria, and then Continued on Page 8

Top Threat Actions Based on Payment Card Breaches

Category   Threat action                                              % of breaches
Malware    Send data to external site/entity                          44%
Malware    Backdoor (allows remote access/control)                    44%
Hacking    Exploitation of default or guessable credentials           43%
Hacking    Exploitation of backdoor or command and control channel    42%
Physical   Tampering                                                  36%
Malware    Keylogger/Spyware (capture data from user activity)        31%
Hacking    Brute force and dictionary attacks                         30%
Malware    Disable or interfere with security controls                28%
Hacking    Footprinting and Fingerprinting                            28%
Malware    RAM scraper (captures data from volatile memory)           16%
Malware    System/network utilities                                   16%

These threat actions are based on 2010 payment card breaches investigated by or shared with the Verizon Investigative Response (IR) team, and are classified using the Verizon Enterprise Risk and Incident Sharing (VERIS) framework. VERIS is designed to provide a common language for describing security incidents in a structured, repeatable manner. The percentages add up to more than 100% because most breaches involve more than one action in an event chain. Source: Verizon 2011 Payment Card Industry Compliance Report

INDUSTRY INSIGHT

Wireless Mobility Boosts Need for Real-Time Intrusion Detection
Aditya Chatterjee, CTO, Spacenet

Q: What are some of the security impacts of the transition to an omni-channel retailing model? ADITYA CHATTERJEE: One broad impact is that retailers move from having a set of customers in a given geographic area to serving customers across the state, the country and the world. The moment you go omni-channel, you go worldwide. What that means is that these retailers now have the requirement to save data on, and provide secure transactions for, a number of customers that are an order of magnitude greater than they were previously serving.

Q: Has the rise of mobile commerce increased data security risks?
CHATTERJEE: If a retailer is offering a mobile-enabled website that consumers can access with their devices, there's somewhat less of a security issue for the retailer – no more than there would be if a customer used her desktop or laptop to access a regular e-commerce website. But when a retailer offers an app that the consumer downloads onto his mobile device, the retailer becomes equally responsible with the customer for security. There's a tremendous increase in the amount of critical information that the retailer has to be able to keep secure around these customers' Primary Account Name (PAN) data. I believe this will increase the need for tokenization, so that even if someone is able to get access to a gigabyte of tokens, they won't be able to hack this customer information.

Q: What about the increasing use of retailer-supplied mobile devices in stores? Are there hidden security risks there?
CHATTERJEE: There are very well-defined rules provided by PCI to put these devices into your protected environment, along with well-established technologies. You need authenticated data storage, encryption when transmitting cardholder data, and you need to have firewalls to allow this data to get to your back-office systems. The bigger issue is whether the wireless network itself can be broken into. Retailers need data security technology that can report on an intrusion, and to be effective these reports need to be much more real-time. A retailer can't wait three months to find out that someone has hacked into their encryption program. Spacenet offers secured mobile wireless technology for the store environment, and the retailer's security officer can test it by going into any store with a laptop. When he starts "sniffing" or trying to tap into the wireless network, it will provide a report almost immediately.

Q: What are the key takeaways for retailers from the most recent PCI DSS guidelines?
CHATTERJEE: The most important thing the retailer needs to understand is the difference between in-scope and out-of-scope devices. The moment you have some devices that are in-scope and others that are out-of-scope, the security technologies that are required become more complicated. The trade-off is that the more in-scope devices that a consumer can use, the more customers you attract. This in turn increases revenue, but it also increases the cost and complexity of security. The good news is that there are technologies around to handle this challenge; the bad news is that it is the retailer's responsibility to manage them. This is where the retailer's managed network services provider and the retailer's internal IT group must work in partnership to build a very good policy infrastructure to manage all those devices, both in- and out-of-scope.


Continued from page 6

submit the devices to the PCI Council to have them certified as PTS compliant. Merchants looking to buy these devices will be able to look up the vendors with compliant devices on the PCI website, www.pcisecuritystandards.org." The site also includes information on which mobile payment acceptance applications are currently eligible to be PA-DSS validated. In June 2011, the PCI Council announced that while it would be able to validate some categories of mobile payment applications, it would not be able to include those where the "Payment application operates on any consumer electronic handheld device (e.g. smart phone, tablet or PDA) that is not solely dedicated to payment acceptance for transaction processing." This means retailers that have embraced Apple and other consumer-grade products for mobile POS deployments will need to take extra steps to ensure the security of the data exchanged between these devices and the retailer's financial, store and back-office systems.

Milepost 4: Ensure Security of In-Store Wireless Networks

Leading retailers such as Macy's and Nordstrom have already made major investments in WiFi networks in their brick-and-mortar stores, both to accommodate consumers' use of mobile devices and to support their own mobile deployments. These networks are "an easy target for data compromise, especially as new devices are added to these environments," according to the PCI Council's Russo.

In August 2011 the PCI SSC issued recommended methods for testing and detecting rogue wireless access points within the CDE as part of updated guidelines developed by the Council's Wireless Special Interest Group. The guidelines recommend quarterly reviews of all wireless networks in addition to annual PCI assessments. Wireless analyzers, the "sniffers" capable of detecting rogue devices when a technician or auditor walks around a physical site, are one part of the review, but the PCI SSC recommends combining these automated tools with physical and logical inspections. "Physical intervention remains the ultimate response to remove the rogue device," according to the wireless guidelines supplement. "Physical or logical inspections of network access points and network devices, system components, and configurations may indicate whether unauthorized devices have been in any way attached, inserted or connected."

The specific parameters of these inspections will depend on each retailing environment. For example, a stand-alone retail kiosk with all communication components housed within tamper-resistant, tamper-evident casings will require only a physical inspection of the kiosk itself to ensure a rogue wireless access point has not been attached or installed. In more complex environments, retailers will need to combine physical inspections with wireless analyzer technology.
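The logical half of such a review can be automated once the store keeps an inventory of the access points it is supposed to have. The following Python script is an added example written for this roadmap, not a PCI SSC or vendor tool: it compares one walk-through scan against the authorized-AP inventory and flags unknown BSSIDs, an unknown AP broadcasting a CDE SSID (an "evil twin"), a known AP whose SSID, security or channel has changed, and inventory APs that were not seen at all. The scan export, the inventory, the SSIDs and BSSIDs, and the -65 dBm "probably on premises" threshold are all constructed for the example; a real review would feed it the export of whatever analyzer the technician carries.

```python
"""Added example: rogue access point triage for a store wireless review.

Illustrative code written for this roadmap, not a PCI SSC or vendor tool.
The inventory, scan data, SSIDs and thresholds below are constructed.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Constructed inventory: what the store is supposed to be broadcasting.
# zone "cde" marks SSIDs that carry cardholder data.
AUTHORIZED_APS = [
    {"bssid": "00:1A:1E:AA:10:01", "ssid": "STORE-POS",   "channel": 6,  "security": "WPA2-EAP", "zone": "cde"},
    {"bssid": "00:1A:1E:AA:10:02", "ssid": "STORE-GUEST", "channel": 11, "security": "OPEN",     "zone": "guest"},
    {"bssid": "00:1A:1E:AA:10:03", "ssid": "STORE-POS",   "channel": 11, "security": "WPA2-EAP", "zone": "cde"},
    {"bssid": "00:1A:1E:AA:10:04", "ssid": "STORE-POS",   "channel": 1,  "security": "WPA2-EAP", "zone": "cde"},
]

# Constructed analyzer export from one walk through the store.
SAMPLE_SCAN = """bssid,ssid,channel,signal_dbm,security
00:1A:1E:AA:10:01,STORE-POS,6,-48,WPA2-EAP
00:1A:1E:AA:10:02,STORE-GUEST,11,-52,OPEN
DE:AD:BE:EF:00:01,STORE-POS,6,-40,OPEN
C8:3A:35:12:34:56,Free WiFi,1,-77,OPEN
00:1A:1E:AA:10:03,STORE-POS,1,-60,WPA2-EAP
"""

ON_PREMISES_DBM = -65   # assumption: stronger than this is probably inside the store


@dataclass(frozen=True)
class Finding:
    severity: str   # critical / high / medium / low
    bssid: str
    ssid: str
    reason: str


def parse_scan(text: str) -> list[dict]:
    """Parse the CSV export into typed rows; BSSIDs are normalised to upper case."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "bssid": r["bssid"].strip().upper(),
            "ssid": r["ssid"].strip(),
            "channel": int(r["channel"]),
            "signal_dbm": int(r["signal_dbm"]),
            "security": r["security"].strip().upper(),
        })
    return rows


def locally_administered(bssid: str) -> bool:
    """Bit 1 of the first octet set means the MAC was not burned in by a vendor;
    soft APs and MAC changers used for spoofing commonly set it."""
    return bool(int(bssid.split(":")[0], 16) & 0x02)


def classify(scan: list[dict], inventory: list[dict]) -> list[Finding]:
    known = {ap["bssid"].upper(): ap for ap in inventory}
    cde_ssids = {ap["ssid"] for ap in inventory if ap["zone"] == "cde"}
    findings, seen = [], set()

    for r in scan:
        ap = known.get(r["bssid"])
        if ap is None:
            reasons = []
            if r["ssid"] in cde_ssids:
                sev = "critical"
                reasons.append("unknown BSSID broadcasting a CDE SSID (possible evil twin)")
                if r["security"] == "OPEN":
                    reasons.append("open network, clients will join without credentials")
            elif r["signal_dbm"] > ON_PREMISES_DBM:
                sev = "medium"
                reasons.append("unknown AP with a strong signal, probably inside the store")
            else:
                sev = "low"
                reasons.append("unknown AP with a weak signal, probably a neighbour")
            if locally_administered(r["bssid"]):
                reasons.append("BSSID is locally administered (typical of spoofed/soft APs)")
            findings.append(Finding(sev, r["bssid"], r["ssid"], "; ".join(reasons)))
            continue

        seen.add(r["bssid"])
        if r["ssid"] != ap["ssid"] or r["security"] != ap["security"]:
            findings.append(Finding("high", r["bssid"], r["ssid"],
                                    "known BSSID with changed SSID or security: reconfigured or impersonated"))
        elif r["channel"] != ap["channel"]:
            findings.append(Finding("medium", r["bssid"], r["ssid"],
                                    f"known BSSID on channel {r['channel']}, inventory says {ap['channel']}"))

    # Inventory APs that never showed up: missing or moved hardware, or a scan that
    # did not cover the whole site. Either way someone walks to the mounting point.
    for bssid, ap in known.items():
        if bssid not in seen:
            findings.append(Finding("medium", bssid, ap["ssid"],
                                    "inventory AP not observed in scan: inspect physically"))

    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    return sorted(findings, key=lambda f: order[f.severity])


if __name__ == "__main__":
    for f in classify(parse_scan(SAMPLE_SCAN), AUTHORIZED_APS):
        print(f"[{f.severity:8}] {f.bssid} {f.ssid!r}: {f.reason}")
```

The script only ranks what to look at first; the guideline's point stands that removing a rogue device is a physical act, and the "not observed" findings are exactly the cases where a photograph of the mount and a walk to the ceiling settle the question. A single walk-through also misses APs that beacon rarely or only on 5 GHz channels the analyzer did not dwell on, so repeated scans from different points in the store should be merged before the inventory comparison is trusted.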
Following are six physical security recommendations for wireless access points from the most recent PCI DSS Wireless Guidelines:

• Mount access points (APs) on (or in) ceilings and walls that do not allow easy physical access, or locate them in secure areas, such as locked closets or server rooms.
• Use APs with tamper-proof chassis and mounting options that prevent physical access to ports and reset features.
Continued on Page 10

INDUSTRY INSIGHT

Data Security Tools Must Adapt as Payment Tech Goes Contactless
Bill Weingart, Chief Product Officer, Vantiv

Q: How does retail's move to an omni-channel model add to retailers' data security challenges?
BILL WEINGART: As retailers evolve their shopping experience to incorporate new methods of marketing and delivering their products, they must also evolve and adapt their data security plan to help protect these new methods – that's basic common sense. The real challenge will be to evolve the strength and scope of the security plan without losing the critical elements needed to fuel these new shopping channels and protect the overall customer relationship. Customers using self-service, personal kiosks and mobile devices will expect their data to be as protected as it is in a brick-and-mortar environment. To do this, the retailer's use of strong cryptographic techniques and secure key management practices is essential to the fundamental health and security of the payment data they are charged with protecting.

Q: A small but growing number of retailers are deploying mobile POS devices in their stores. What are the likely data security impacts from such deployments?
WEINGART: For mobile POS solutions using a card reader attached to a mobile phone, the security approach is more like an e-commerce extension than a minimized traditional POS terminal. In these solutions there is heavy dependence on finely tuned risk engines to validate the integrity and validity of a transaction (time, location, velocity and other physical and logical factors) prior to presenting the transaction to a payment processor for authorization.

Q: Some retailers are looking at alternatives to traditional payment methods, such as e-wallets and POS technologies using Near Field Communications (NFC). What data security measures will retailers need to address if they adopt these technologies?
WEINGART: Although the risk associated with the use of NFC is less than that of traditional magnetic stripe cards, the card data can still be utilized in a limited fashion and is typically in the clear as it's transmitted. This creates vulnerability and therefore a feasible and viable focus of attack, especially as NFC becomes more commonplace. To help mitigate this risk, protection of the sensitive card data as it routes through the retailer's infrastructure is an important element of a retailer's security strategy. The use of strong cryptographic techniques combined with payment devices that exhibit the qualities of a TRSM – tamper evident, tamper resistant and tamper responsive – are needed to help protect the cryptographic keys, which protect the data that is transmitted in the NFC transaction. This security trifecta should be the standard.

Q: Does mobile commerce increase a retailer's overall data security risk profile?
WEINGART: Typically, a mobile application or website accessed via a mobile phone is one of many endpoints of a larger, possibly even enterprise-level, business application that already has to adhere to PCI DSS guidelines for payment data security. While extending a business application's reach to mobile commerce platforms will marginally increase its risk exposure, the impact may be minimal if the integrity of the PCI DSS guidelines extends to these endpoints as well.

Q: Do small and mid-sized retailers face tougher data security challenges than larger companies?
WEINGART: For many small businesses, their security strategy is only as sound as the security education and product(s) they're offered by their service providers. Luckily, in this environment, payment infrastructure is fairly easy and economical to update, and once a merchant has made their product decisions, the rest may be readily achievable.


Continued from Page 8

• Review signal settings and physical placement of APs to provide maximum coverage for the desired service area while minimizing broadcast range outside of the environment.
• Secure handheld devices with strong passwords and always encrypt pre-shared keys if cached locally.
• Enable automatic lockouts on handheld devices after a defined idle period, and configure devices to require a password when powering on.
• Use a wireless monitoring system that can track and locate all wireless devices and report if one or more devices are missing.

Milepost 5: Continuously Monitor Payment Acceptance Hardware

The advent of new technologies doesn't mean retailers can (or should) ignore security issues with traditional payment technologies. New York City police recently broke up a crime ring that had "skimmed" credit card data from both physical readers and online transactions, netting more than $13 million. Another criminal group used 3-D printing/imaging technology to create convincing false readers for ATMs, allowing the thieves to lift card data.

In addition to overall enterprise-focused data security strategies, there are some simple steps retailers can take to improve security. "As soon as you get a new PIN-reading device from the manufacturer, take a picture of it and put it in a secure file," says Russo. "Each month, compare the original picture to what the device actually looks like. Has someone put a new 'face' on it? Are there more wires attached to it than there were previously? Have the wires gone from straight to curly?" Any of these changes could indicate that the device has been altered, possibly to allow data skimming. Another technique is to run a finger over the security label on the device: "If it feels like it's been raised and then replaced, someone may have put something into the device," he adds.

Milepost 6: Minimize PCI Scope around Tokenization

Tokenization, which replaces a Primary Account Number (PAN) with a surrogate value called a "token," has become a key element of retail data security. PCI released new tokenization guidelines in August 2011 that outline explicit scoping elements for tokenization and provide recommendations on scope reduction, as well as detailing best practices for selecting a tokenization solution. In general, the key to reducing PCI DSS scope is to not store, process or transmit cardholder data beyond what's required for business, legal or regulatory purposes. Other scope reduction recommendations include:

• Replace PAN storage with tokens whenever possible.
• Limit the existence of PAN to the point of capture and the card data vault.
• Minimize the number of system components that store, process or transmit PAN prior to the PAN being tokenized.


• Ensure that PAN is not present in the same environment as the tokens, outside of the card data vault.
• Ensure all PAN and other cardholder data is removed from source systems once it has been tokenized.
• Choose a solution that ensures PAN is not retrievable once a token has been issued.
• Enforce separation of duties such that token users and administrators do not have access to PAN at the point of capture or elsewhere.
• Combine an effective, secure tokenization solution with point-to-point encryption (P2PE) such that the only PANs in the environment are contained within a secure, PTS-approved point-of-interaction device.
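The scoping rules above, and the masking control described under Milepost 1, can be seen concretely in a small card data vault. The following Python code is an added example written for this roadmap, not the PCI SSC's or any vendor's implementation. Everything in it is an assumption for illustration: the vault is the only component that ever holds a PAN; tokens are random, so nothing outside the vault can turn a token back into a PAN; repeat presentations of the same PAN map to the same token through a keyed index rather than a cleartext lookup; the value returned to token users is the masked PAN; detokenization is limited to an invented "payment-gateway" role; and the HMAC-SHA256 counter-mode cipher stands in for the AES-GCM or HSM-backed encryption a real vault would use. The master key and the sample PAN are constructed.

```python
"""Added example: tokenization vault with PAN masking (Python 3, standard library only).

Illustrative code for this roadmap, not a validated or vendor implementation.
Assumptions: the master key comes from a KMS/HSM (a random demo key here); the
HMAC-SHA256 counter-mode cipher is a stdlib stand-in for AES-GCM; role names
are invented for the example.
"""
import hashlib
import hmac
import re
import secrets

PAN_SHAPE = re.compile(r"^\d{13,19}$")


def luhn_valid(digits: str) -> bool:
    """Luhn check so that non-PAN data never enters the vault."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def normalize_pan(raw: str) -> str:
    """Strip spaces and dashes; reject anything that is not a plausible PAN."""
    digits = re.sub(r"[ -]", "", raw)
    if not PAN_SHAPE.match(digits) or not luhn_valid(digits):
        raise ValueError("not a valid PAN")
    return digits


def mask_pan(raw: str, fill: str = "X") -> str:
    """Milepost 1 masking: at most the first six and last four digits may be
    displayed, so everything in between is replaced with a fill character."""
    pan = normalize_pan(raw)
    return pan[:6] + fill * (len(pan) - 10) + pan[-4:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for AES-GCM)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_blob(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || HMAC tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_blob(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault record failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class CardDataVault:
    """The one component that holds PANs; everything else stores only tokens."""

    def __init__(self, master_key: bytes):
        # Separate keys per purpose, derived from the KMS/HSM master key.
        derive = lambda label: hmac.new(master_key, label, hashlib.sha256).digest()
        self._enc_key = derive(b"vault/encrypt")
        self._mac_key = derive(b"vault/integrity")
        self._idx_key = derive(b"vault/index")
        self._records = {}   # token -> (encrypted PAN, masked PAN for display)
        self._index = {}     # HMAC(PAN) -> token, so a repeat PAN reuses its token

    def tokenize(self, raw_pan: str) -> str:
        pan = normalize_pan(raw_pan)
        idx = hmac.new(self._idx_key, pan.encode(), hashlib.sha256).hexdigest()
        if idx in self._index:
            return self._index[idx]
        token = "tok_" + secrets.token_hex(16)   # random: not derivable from the PAN
        self._records[token] = (encrypt_blob(self._enc_key, self._mac_key, pan.encode()),
                                mask_pan(pan))
        self._index[idx] = token
        return token

    def display(self, token: str) -> str:
        """What token users may see: the masked PAN, never the PAN."""
        return self._records[token][1]

    def detokenize(self, token: str, caller_role: str) -> str:
        """Separation of duties: only the gateway role recovers a PAN."""
        if caller_role != "payment-gateway":
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        blob, _ = self._records[token]
        return decrypt_blob(self._enc_key, self._mac_key, blob).decode()


if __name__ == "__main__":
    vault = CardDataVault(master_key=secrets.token_bytes(32))   # demo key, not a KMS
    token = vault.tokenize("4111 1111 1111 1111")              # constructed test PAN
    print(token, vault.display(token), vault.detokenize(token, "payment-gateway"))
```

Two design points carry the scoping argument. Because the token is random, a system that stores only tokens and masked values holds nothing from which a PAN can be computed, which is what takes it out of scope; a format-preserving or hash-derived token would not give that guarantee without the key. And because the keyed index lets the vault recognise a repeated PAN without a cleartext lookup table, the vault can offer multi-use tokens for analytics while still being the only place the PAN exists. The stdlib cipher here is a stand-in; a production vault keeps its keys in an HSM and uses an AEAD such as AES-GCM.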

Milepost 7: Look Beyond Transaction Data in Setting an Overall Security Strategy

Payment and cardholder data is, quite naturally, the overriding focus of retailers' data security efforts, since losing or misusing it carries the biggest risks. But the rise of omni-channel is changing retailers' relationships with their customers in ways that are making other types of data valuable "currencies" in their own right. The long-term success of social media-based retailing will depend on retailers' ability to understand, and sensitively use, the data that consumers share with their various social networks. Customers who feel that retailers are trying to use their data to take advantage of them (as opposed to offering them items or services that more accurately fit their needs) will not remain customers of such a retailer for long. To an even greater extent, location-based programs, for example sending marketing messages based on a customer's location near a store or in its aisles, will need to tread lightly on a customer's personal space. Even members of a Millennial generation accustomed to sharing where they are and what they're doing on a consistent basis will want to exert control over how that information is used by retailers or other enterprises.

This non-transaction data, particularly any Personally Identifiable Information (PII) about a customer, also needs to be protected from the moment it enters the retail enterprise. That enterprise extends beyond the four walls of physical stores and even beyond the retailer's e-commerce website, to any and all mobile devices that access mobile-enabled sites or download retailer-branded apps. Retailers themselves are sharing more of their own data with other entities, in addition to their traditional supply chain trading partners, as part of the shift to an omni-channel model. The need to reach consumers where they are and through the devices they choose is mandating greater cooperation and coordination with social networks, search engines and daily deal sites.

All these trends require retailers to take a global view of data security, making it an integral part of their overall strategy for data management. Of course, retailers will need to prioritize their security efforts in order to mitigate the biggest risks. But these efforts will be more effective with a corporate mind-set recognizing that in today's world, all kinds of data have value and thus require their own levels of management and protection.




About Dell

Dell Inc. (NASDAQ: DELL) listens to customers and delivers worldwide innovative technology and business solutions they trust and value. From the storefront to the back office, Dell Retail Solutions works with retailers to design, implement, and support comprehensive solutions that ease business pain points and draw greater value from technology, including security services, POS solutions, systems management, digital signage, mobility solutions, digital surveillance and analytics, storage and virtualization, disaster recovery, secure wireless, Boomi data and application integration and technical support services. Recognized as an industry leader by top analysts, Dell SecureWorks provides world-class information security services to help organizations of all sizes protect their IT assets, comply with regulations and reduce security costs. Dell SecureWorks offers managed security services, security and risk consulting and threat intelligence, and has extensive experience in helping organizations with PCI compliance. For more information go to http://www.dell.com/business/retail.

About Spacenet

Spacenet, Inc. is your strategic partner to deliver converged voice and data, secure private networks, and comprehensive managed network services. We facilitate your critical initiatives and lower costs while assuring network security and compliance. We have enhanced our customers’ success for more than 30 years through a proven combination of unique technology and comprehensive life cycle management. Our services help multisite enterprises manage their networks more effectively so they can focus on fulfilling critical business priorities. With our unique blend of technology leadership, solution innovation, and customer intimacy, Spacenet clients benefit from high reliability and performance, ease of installation, and nationwide availability. For more information, visit us at www.spacenet.com/enterprise.

About Vantiv

We’re Vantiv. We’ve been driving innovative payment processing solutions for four decades. We do it through our people. Accomplished professionals, thought leaders, experienced strategists who understand your needs and adapt to change. We do it through technology. Innovative credit, debit, and gift card programs, check services and data security solutions to help make payment processing more profitable. And we do it through partnerships. Working with you to develop programs that build revenues, while making it easy for your customers to make payments. Let’s talk about solutions that can help enable success for you and your customers. Visit us at www.vantiv.com.


