Retailers feel security heat

Following several high-profile incidents of data theft, retailers are under increased pressure to clean up their act.

Alorie Gilbert, Staff Writer, CNET News.com

Alorie Gilbert writes about software, spy chips and the high-tech workplace.
Following several high-profile incidents of data theft, retailers are under increased pressure to clean up their computer security act.

Leading the effort are MasterCard International and Visa USA, which are giving major retailers until June 30 to comply with a new set of computer security standards aimed at protecting consumer data. Retailers that don't comply with the Payment Card Industry, or PCI, data security standard may face penalties, including fines.

Credit card companies have been urging retailers to tighten data security for some time, but recent reports of credit card information theft at Polo Ralph Lauren and shoe retailer DSW have heightened the stakes for merchants both online and off.

What's new:
Retailers are facing increasing pressure to tighten the security of their consumer records.

Bottom line:
MasterCard and Visa are giving major retailers until June 30 to comply with a new set of computer security standards aimed at protecting consumer data.

"The interesting thing about all of this is that the online environment and the physical-world environment are colliding," said John Verdeschi, vice president of e-business and emerging technology at MasterCard. "There is an interest now in securing all channels because in the electronic age, data is traversing networks in different ways."

In other words, Amazon.com and eBay aren't the only sort of merchants that need to worry about virtual intruders. Shops with storefronts at the mall and on Main Street are at increasing risk of computer attacks, too, as data thieves become more sophisticated and networks grow more complex. Retailers are contributing to the problem by collecting ever more massive stores of consumer data and sharing it with business partners.

The PCI security standard, which was developed by MasterCard and Visa, aims to reduce the risk of an attack by mandating the proper use of firewalls, message encryption, computer access controls and antivirus software. It also requires frequent security audits and network monitoring, and forbids the use of default passwords. The trickiest part will be getting all the parties in the payment processing chain, including retailers, banks and third-party transaction processors, to adopt the standards.

Companies processing more than 20,000 transactions per year will be required to scan their networks each quarter and conduct annual audits of their compliance with the standards in order to qualify for certification. The mandate applies to hundreds of thousands of retailers around the world, experts say.

Complying with the standard is no easy feat, according to computer security companies that are working with retailers on the effort. Major companies with very large volumes of credit card transactions are budgeting as much as $10 million for the project, said Doug Howard, vice president of Counterpane Internet Security.

They are spending the majority of the money on adding staff to handle new security chores and on purchasing related gear and consulting services, he said. The new standard puts a greater burden on smaller retailers that don't have the scale to absorb the compliance costs, Howard said.

"They're just scared to death," Howard said. "They're looking at what the big guys are spending, and they realize they'll have to spend a lot, too."

The fines and the desire to remain in the credit card networks' good graces may prove a major incentive, though. MasterCard has been issuing security-related fines to merchants' banks for about a year, although the company declined to say how much it has collected. The banks can pass the fines on to merchants and third-party payment processors.

The desire to protect companies' reputations and to keep government regulators at bay are other powerful incentives for retailers, security experts say. As more data theft cases come to light under new consumer notification laws, lawmakers are calling for even more regulation.

"From the industry's perspective, it's always better to regulate yourself than have the government do it," Counterpane's Howard said.

Yet it's unclear whether the new standard would have prevented the recent breaches at Polo Ralph Lauren and DSW had it been in place.

"That's really a question for the Secret Service because they are investigating how the break-in occurred," a DSW representative said.

Information about more than 1.4 million credit card and 96,000 check transactions was stolen from 108 DSW shoe stores, according to parent company Retail Ventures. The Polo Ralph Lauren incident reportedly compromised the credit card data of as many as 180,000 people.

Polo said last week that it has fixed the problem, which was partly due to the improper storage of the three-digit "card verification value" by its checkout systems. The number is sometimes used to validate phone and online payments. The company is still investigating the incident.
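As an added illustration of the storage failure described above (example code written for this page, not from the article or from any of the companies named): a small check that refuses to persist the card verification value and truncates the card number before a checkout record is stored, plus an audit that flags records already holding those values. The field names and sample records are constructed for the example.

```python
import re

# Field names under which checkout systems commonly persist the card
# verification value (constructed list for this example).
CVV_FIELDS = {"cvv", "cvv2", "cvc", "cid", "card_verification_value"}
# A bare 13-19 digit string is treated as a card number only if it passes Luhn.
PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so amounts or IDs that happen to be numeric are not flagged."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def is_full_pan(value) -> bool:
    return isinstance(value, str) and bool(PAN_RE.match(value)) and luhn_ok(value)


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, the truncated form allowed in stored records."""
    return "*" * (len(pan) - 4) + pan[-4:]


def sanitize_transaction(record: dict) -> dict:
    """Return a copy safe to write to disk after authorization: CVV dropped, PAN truncated."""
    out = {}
    for key, value in record.items():
        if key.lower() in CVV_FIELDS:
            continue                      # never persist the verification value
        out[key] = mask_pan(value) if is_full_pan(value) else value
    return out


def audit_stored_records(records) -> list:
    """Scan already-stored records and report (index, field, problem) for each violation."""
    findings = []
    for idx, rec in enumerate(records):
        for key, value in rec.items():
            if key.lower() in CVV_FIELDS:
                findings.append((idx, key, "CVV stored after authorization"))
            elif is_full_pan(value):
                findings.append((idx, key, "full PAN stored in clear"))
    return findings


# Constructed sample: one record as a faulty checkout system might write it, one already clean.
SAMPLE_RECORDS = [
    {"order_id": "A1001", "pan": "4111111111111111", "cvv2": "123", "amount": "59.99"},
    {"order_id": "A1002", "pan": "************1111", "amount": "120.00"},
]
```

Running `audit_stored_records(SAMPLE_RECORDS)` reports both problems in the first record, and auditing the output of `sanitize_transaction` for each record returns nothing.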

A Polo representative declined to comment for this story.

Despite all the publicity over these cases, online fraud rates still outpace those in the brick-and-mortar retail world, according to VeriSign, which sells e-commerce security services. As many as 3 percent of all online transactions are fraudulent, said Trevor Healy, vice president of payment services at VeriSign.

"There is a level of complacency and acceptance online, despite the fraud," Healy said. "But that kind of attitude thankfully is disappearing."

Silicon.com's Will Sturgeon contributed to this report.