March 30, 2007, 12:00 AM

Locked in

(Page 2 of 2)

A recent Gartner study found that the cost of security breaches can outweigh the cost of becoming compliant with security standards. When factoring in legal fees, fines, data recovery efforts, and losses in sales and market value, Gartner figures the costs of a major data security breach can run as high as $90 per customer record.

That equals more than five times the cost of implementing a comprehensive security system including data encryption, network intrusion-prevention, and regular system audits, which Gartner figures at $16 per customer record.

The PCI Security Standards Council, an organization founded by Visa, MasterCard International, Discover Financial Services, JCB International Credit Card Co. and American Express Co., provides a list of security assessment providers at

Keeping customers
Pressure is now coming not just from the credit card companies who are attempting to enforce the standards, but also from consumer awareness of the vulnerability of data. In a recent survey of 2,000 consumers by the Chief Marketing Officers Council, 40% of respondents said they had aborted a planned purchase either online or in a store because of concerns about the security of their personal data. In the same survey, 50% of respondents indicated they would avoid buying from a company whose customer databases had been hacked.

If consumer attitudes and the fear of public shame aren’t enough to sway technology plans, the credit card companies have implemented a new schedule of fines for security breaches. Visa U.S.A., for example, will fine merchant acquirers from $5,000 to $25,000 a month for each Level 1 or Level 2 (1-6 million transactions per year) merchant that is not compliant with the PCI standards by Sept. 30 for Level 1 merchants and Dec. 31 for Level 2. In addition, acquirers face monthly fines of up to $10,000 if they failed to confirm by March 31 that their Level 1 and 2 merchants were not storing full-track magnetic stripe data.

As part of the new program-the PCI Compliance Acceleration Program-merchants will not qualify for lower interchange rates for card transactions if they fail to comply with the standard.

Visa also will offer $20 million in incentives to merchant acquirers if their retailers comply by Aug. 31 and have not been involved in a data compromise. The goal is to promote faster compliance, says Eduardo Perez, Visa U.S.A.’s vice president of payment risk.

Meanwhile, government may be stepping in. State Rep. Michael Costello has submitted a bill to the Massachusetts legislature that would require merchants responsible for data breaches to pay for the replacement of plastic cards tied to stolen or compromised accounts. “If retailers know they’ll be held liable, they’ll be more likely to secure customer data,” says Adam Martignetti, Costello’s chief of staff. The first legislation of its kind, the bill has been generating interest from other states and from federal legislators, he adds.

Just the beginning
While compliance with payment card security standards is a good beginning toward preventing stolen or otherwise compromised customer data, it can be most effective when backed by continued security maintenance and improvements. As got audited for compliance, for example, it realized it needed to modify its web server so it would not reveal to a hacker which version of Microsoft Corp.’s Internet Information Server software it used, preventing a hacker from learning how to break into data files. “That’s something we probably wouldn’t have done otherwise,” Bonin says.

But hasn’t stopped looking for security holes, in effect going beyond the basic PCI requirements, he adds.

One of the more troublesome forms of attacks, experts say, is an SQL Injection, through which criminals insert extra characters and words at the end of web page identifiers in an effort to bypass a retailer’s network access rules to grab sensitive information like customer account data from back-end databases. Making this threat even worse is that retailers often don’t know that their network is open to such attacks, experts say. discovered it was open to SQL Injections through a security check by ScanAlert Inc.’s HackerSafe site monitoring and security system, Bonin says. So when the retailer rebuilt its web site on Microsoft Corp.’s .Net 2.0 technology platform during the first months of this year, it redesigned its web access system to block SQL Injections.

Using tools within .Net 2.0, the retailer’s two-person I.T. staff configured a system to route page requests through a software module that instantly recognizes whether a page identifier has extra characters that might be used in an attempt to pull information from protected databases. “Retailers shouldn’t have to worry about data intrusions if their site is set up properly,” Bonin says.


Click Here for the Internet Retailer Guide to E-Payment Security Products & Services

comments powered by Disqus




From The IR Blog


Cynthia Price / E-Commerce

4 tips for improving email marketing results

Every piece of data you collect can help you serve your audience exactly what they ...


Bart Mroz / E-Commerce

How smaller retailers can utilize data as effectively as Amazon

Smaller companies have more constraints, but once they set priorities can still benefit greatly from ...

Research Guides