New Security Breach Highlights Need for Innovative Strategies in Post-PCI Era


An additional 56,000 American consumers have been affected by yet another security breach - this time at Advance Auto Parts, a specialty chain with 3,261 stores. News surfaced last week that a computer hacker tapped into financial information at 14 Advance Auto stores in Virginia and seven other states.

Shelly Whitaker, Advance Auto Parts spokesperson, said the company discovered several weeks ago that customer data had been breached. The company is sending letters to the credit card customers who have shopped at the Roanoke company from December 2001 to December 2004.

The affected stores are in Georgia, Ohio, Tennessee, Virginia, Louisiana, New York, Indiana and Mississippi. Whitaker said law enforcement officials are investigating and Advance Auto Parts is working with a security expert.

Like many retailers who have experienced identity file theft, Advance Auto Parts' security efforts took on a renewed sense of urgency after the breach, an action they no doubt wish had occurred sooner. "At the end of the day, the business belongs to the retailers and data security is in their hands," says Sahir Anand, senior retail analyst, Aberdeen Group. "It is the retailer's responsibility to ensure that all necessary internal processes are in place for establishing and maintaining a safe and secure environment for shopping."

Payment Card Industry (PCI) compliance is a critical step for retailers of all sizes who need to bolster their security perimeter, but it is not the only step, nor is it the final step. "Every retail sub-segment including specialty, supermarket, department stores, and others face unique data segregation challenges," says Anand. "Internal audits and store-level compliance have to be looked at by the loss prevention (LP) teams of retailers very closely. In the case of mid-size retailers where LP teams are non-existent, the owner and senior management need to take ownership and ensure regular checks and balances."

Many retailers believe the PCI compliance standards are unfair, poorly conceived and inadequate, an opinion recently expressed by Dave Hogan of the National Retail Federation (NRF) in an exclusive interview with RIS. However, Branden Williams, director of PCI practice for VeriSign Global Security Consulting, disputed point for point many of Hogan's responses.

Hogan's view is that card associations should be promoting more secure forms of payment "like Chip & Pin (a technology used in Europe) that has significantly reduced credit card fraud, and they should also provide (at no cost to the merchant) card readers that can accept these new types of cards."

However, according to Williams this method, "slows down the bad guys, but does not stop them. Besides, there is an issue with Chip & Pin in the United States - acceptance! What good is a reader if no one carries the card to use them? I seriously doubt that the card associations would pay for the terminals. Even if they did, retailers will likely have to do major alterations to their software to be able to handle both types of transactions in parallel. How about we just spend a little bit of time securing the data in flight?"

Hogan also told RIS that merchants should not be required to keep reams of data and that banks should provide merchants with the option of keeping nothing more than the authorization code provided at time of sale and a truncated receipt. He said, "I would like them to go on record and state that 'Retailers have the option to no longer store credit card data and they will not be penalized for not keeping credit card data.'"

Williams again differs on this point: "PCI is a polarizing issue for sure, but most reasonable people will agree that it does provide a decent baseline, and that it should not be the limit of your security program. Fear, uncertainty and doubt like this only serves to further confuse major players in the market, and pollute the underlying message of PCI. Protect the data! Smart retailers have expanded upon their PCI efforts and invested in securing the business. Securing the business will allow for secure growth."

For more on Williams' response to Hogan's exclusive interview with RIS, click here.
-Christina Zarrello
