STORES Magazine - March 2009 - (Page 27)

ment a card is swiped so no outsiders can view unencrypted account data – even if they are somehow able to crack into the system at some point.

Looking back, what was it about your systems that you think may have made them more vulnerable? A source tells me your systems were proprietary. Could that have been a compromising factor?

We regret this incident and the concern and anxiety it has created, but now it’s time to move forward to make certain we’re doing everything reasonably possible to remain vigilant against cyber criminals.

Heartland was PCI compliant. Was the company fined? Ultimately, who pays when something like this happens?

No computer system is perfectly secure – even if it has been certified as being PCI compliant. That being said, we immediately took a number of steps to contain the breach and further enhance the security of our proprietary systems. Going forward, we’re continuing to examine our system from top to bottom to identify any other areas where we can improve. For example, we’re planning to implement a next-generation program designed to flag network anomalies in real time.

Since Heartland was PCI compliant at its last certification (April 2008), do you believe that the PCI certification process is not effective enough? What more should be done?

We have not been told by the card brands what their positions are regarding fines. Because no merchants were directly involved in this breach, they won’t be liable for any losses. Cardholders are not responsible for fraudulent activity that is … reported to their card issuers [in a timely manner].

Do you think the laws are strong enough to prohibit hackers from stealing data?
When you consider the enormity of the global data exchange network and the amount of data transferred every day – as well as the potential value data can have if it gets in the wrong hands – the card brands do need to constantly be improving the global payment card system’s security, whether by adjusting the PCI certification process or otherwise. The most important thing that’s needed right now is more dialog and action among various players in the industry so if cyber criminals hack into our interconnected systems, they cannot make use of any encrypted data they might see.

Right now, cyber crime carries different penalties among states and different countries around the world. In some countries, for example, using a computer to commit a crime isn’t a punishable offense – only the theft or frauds resulting from stolen data are prosecuted. Likewise, penalties vary widely from jurisdiction to jurisdiction. We’d like to see more uniformity among anti-cyber crime laws and penalties. We hope the growing interdependence on the movement of secure data around the world will spur cooperation among countries in this area.

Since the breach, do you have a role in enforcing PCI compliance to your merchant/retailer clients? Have you had to impose any fines on retailers for non-compliance?

Mag-stripe technology is now decades old and many say it needs to be overhauled. What needs to happen in the payment card industry to truly ensure cardholder data is secure?

Mag-stripe technology can and should – unquestionably – be improved. Progress in this area is coming, but it has not come fast enough.

Positive sales reports posted by TJX Cos. shortly after it was the victim of a breach suggest that the consumer has a short memory. Do you think your customers – retailers – will have short memories, too?
The PCI Council – comprising the card brands – mandates that merchants be PCI compliant, as well as processors. Because the breach occurred at Heartland, the breach doesn’t affect our merchants from a compliance or fine perspective. As a result, our merchants won’t be subject to any fines by reason of the breach. We are continuing to actively educate retailers about PCI compliance and data security, in general.

Having gone through this painful event, what advice would you offer to retailers and payment processors?

Customers remember good companies that do the right thing even when bad things happen. And we hope our customers will remember that Heartland came forward within days of learning of this breach with all the information we had and is taking steps to try to prevent this from ever happening again.

We need to have frequent and frank discussions about how the industry and law enforcement can work together to keep increasingly sophisticated, organized criminals out of our systems. This is not a problem that any single retailer or payment processor can solve alone.

What do you wish you had done differently?

I wish I could have called all of our customers myself!