by Paul L. Kerstein

Why Are Retail Merchants Not Securing Networks?

Aug 02, 2005

Last month, it was reported that four major retailers in downtown Miami lost the cardholder information of tens of thousands of customers to outlaws armed with laptops and wireless network cards. In gangster-style drive-bys, hackers are roving commercial neighborhoods and snatching data from insecure wireless networks at retail stores, networks whose signal can extend more than 200 feet beyond the premises. Businesses are also reporting data lost to internal hacking and careless employees. According to Bryan Sartin, a lead investigator for the security service Cybertrust, roughly 95 percent of data breaches involve e-commerce merchants and retailers. Why is it so easy for the crooks to have their way?

To start, there is little regulatory backbone. There are no federal rules that require merchants to safeguard their data, and only recently has Congress presented a bill that would require merchants who lose data to inform those whose accounts were breached. California was the first state to have its own statute on data breach notification and 26 more are considering proposals this year.

The muscle comes, theoretically, from the major credit card agencies, which require third-party processors such as CardSystems Solutions to adhere to their data security standards. But credit card agencies such as Visa and MasterCard have been lax about enforcing their own security standards. The New York Times reports that only 400 of the country's largest retailers and just over 10,000 midsize merchants with an Internet presence are required by credit card agencies to comply with their standards. Anyone else doing business, which works out to more than 99 percent of retailers, is merely encouraged to be compliant. It took the embarrassment of an impending congressional hearing for Visa and American Express to cut CardSystems Solutions loose for not complying with their transaction security standards.

There are some obvious reasons for the widespread failure of businesses to secure their networks. Small and midsize merchants often lack technology expertise and management attention. Payment card industry standards are so complicated that the average shopkeeper cannot understand them. Even the banks that are responsible for monitoring merchant protection policies are often inattentive or unaware of the rules themselves. According to Robert McCullen, chief executive of AmbironTrustwave, the payment industry's largest data security auditor, most transaction terminals are installed by software and service providers with no incentive to advise merchants on how to protect their networks, so merchants are dangerously uninformed.

With no federal or industry regulation to compel them, and lacking technical knowledge, merchants don't conform to the industry's most basic security requirements, such as encrypting data and avoiding commonly used passwords. Furthermore, many do not conduct regular network vulnerability tests, which cost as little as a few hundred dollars. Jessica Rich, the Federal Trade Commission's director of financial practices, recently told The New York Times that it all boils down to sloppy practices.

Now, in the wake of several well-publicized security breaches, the major credit card agencies are acting. MasterCard claims that it has tripled its staff to improve awareness and has published merchant security requirements. Visa is forming a partnership with the U.S. Chamber of Commerce to sponsor educational seminars on data theft for businesses. But is it their responsibility to babysit merchants? Why are retailers not on top of this? Does the government need to step in? Tell us what you think.