Retail Locations Have Unique Challenges With PCI DSS Compliance

I’ve been intrigued lately with PCI DSS compliance. It has all retailers on edge, has multiple vendors drooling, and has spawned new laws and bills, such as in Minnesota and Texas. I’ve had interesting discussions about it with those who process credit card payments, and I’ve been doing some research into the various issues.

So what are organizations actually doing about PCI DSS?
I like to read about how real organizations have dealt with meeting data protection compliance requirements. There is MUCH hypothetical discussion out there, and about 100 times as much opinion. But knowing how organizations have actually dealt with compliance is often so much more valuable. Learning from the bumps and bruises of others, if you will. Such first-hand accounts are what make the conferences and seminars that include them so well-attended.
So I was interested to read a story recently about the experiences of one organization, Harrods, with implementing a new system throughout their enterprise.
It mentioned towards the end about how Harrods was trying to meet PCI DSS compliance. So my hopes were high that this would be a good case study for PCI DSS compliance.
Harrods just implemented a new point of sale (POS) system for many reasons, among which was to move to a more service-oriented IT architecture. However, tracking customer preferences raises flags not only for security and privacy, but also for how a marketing-focused system that relies heavily on customer relationship management (CRM) data can at the same time be made compliant with PCI DSS.
The article includes the high-level technical details of their changes.
The Harrods representative was quoted in the article:

“We have also looked into identifying customers when they enter the store, and that holds some very interesting possibilities,” he said. “However, we are reluctant to do that until we have sorted out the privacy issues.”

Well, it’s good they are reluctant. Identifying customers when entering the store? This goes beyond the typical closed circuit television (CCTV) surveillance system; the privacy issues are significant. Particularly in Europe where Harrods has such a strong presence.

“System availability and data security are top priorities for Llamas [Harrods’ representative]. Under RBS-Instore the tills operate independently of a central server, but the organisation has much greater insight into what is happening at the till because of constant message passing to and from the ERP system.
Llamas said Harrods has been lucky with its timing. “We were already moving to systems that allow us, for example, to encrypt much of the data, such as credit card numbers.” As a result Harrods is one of the few retailers that are now compliant with PCI:DSS, the credit firms’ new data security standards, he said.
Harrods looks for fourfold Web trade growth with .net.”

That is great that they are in compliance with PCI DSS… I wonder if that was validated by an independent auditor?
Something that has been a great challenge with retailers is how they currently use wireless transmissions of POS transactions to a central server. This data needs to be encrypted to avoid the rash of incidents that have occurred in recent years at retail stores where the sales data was accessed by folks sitting in the parking lot with their own wireless connections into the unsecured retail systems.
Well, I guess this didn’t turn out to be such a great PCI DSS implementation case study after all, did it, considering the lack of detail about how they addressed the compliance issues. So back to the theories and opinions.
However, some of the statements in the article did generate some questions for me regarding Harrods’ PCI DSS compliance actions.
* Is data sent via wireless transmissions? If so, what security is in place?
* What specific data items were chosen to be encrypted beyond the credit card numbers? Cardholder Data (Primary Account Number (PAN), Cardholder Name, Service Code, Expiration Date) must be protected with encryption according to PCI DSS; and Sensitive Authentication Data (Full Magnetic Stripe, CVC2/CVV2/CID, PIN/PIN Block) must not be stored, but should still be encrypted during transmission, according to PCI DSS.
* What controls are they using to ensure cardholder data and sensitive authentication data is not included within emails? Emails are a huge source of security incidents and privacy breaches.
* What controls are in place in the Harrods stores and restaurants to limit access to the systems, cardholder data and sensitive authentication data to only authorized individuals with a need to know? Retail stores are notoriously vulnerable at their cash registers and in their trash, where such information is commonly thrown away.
* How are they preventing the personnel in these locations from sharing their login sessions so that accountability is maintained? PCI DSS requires each system user to have a unique ID that they do not share, but retail stores have so much going on sometimes, and such limited numbers of POS terminals, that it is common to see multiple clerks using the same register without logging in and out between customers/transactions.
* How will the registers/screens be positioned to comply with the PCI DSS requirement to keep others from viewing the information? This is another challenge in stores, restaurants and airports, where sales kiosks are often located in the middle of the merchandise with customers able to get close to the cashier from all sides.
Of course there are many more requirements within PCI DSS, but these are the ones that leap to mind first with regard to retail locations. The physical realities of retail stores alone create challenges that businesses operating entirely inside tightly controlled, secured buildings with no customer or public access do not have to struggle with nearly as much.

