Despite rapid adoption of new security technologies and increasing compliance with PCI Data Security Standards, large retailers continue to fall victim to attacks and theft, both online and offline. IBM Corp. (NYSE: IBM) today is launching a new package of integrated products and services it says could help to fill in the holes.
As retailers prepare for the holiday shopping season, many have expressed concern that -- even after implementation of PCI and the breakup of several retail data theft rings -- they are still being stung by hackers and thieves. Hannaford, the grocery store chain that fell victim to the theft of 4.2 million credit card records earlier this year, had passed a PCI compliance audit. (See Hannaford, Security Industry Hunt for Cause of Massive Breach.)
And despite the breakup of a major retail theft ring that included the TJX attackers, restaurants and retail chains continued to be hit this summer. (See Attacks Continue on Retail Stores, Restaurants.) According to the 2008 National Retail Federation Organized Retail Crime Survey, 85 percent of the retailers surveyed said they had been a victim of organized retail crime in the last 12 months. This represents as much as $30 billion in retail losses each year, according to the FBI.
"What retailers are finding is that PCI compliance doesn't equal security, and security doesn't always equal PCI compliance," says Peter Evans, vice president of marketing for IBM's ISS security unit. "A lot of retailers are finding that what they've done so far still isn't enough."
The problem, Evans says, is that most retailers historically have taken a "reactive" approach to security, buying new boxes and software for each store as new threats have emerged. "So now about half of the retailer's annual security spend is on labor to manage all those devices and products," he says. "But a lot of this effort is focused on handling attacks after they happen, rather than preventing them."
To offer an alternative approach, IBM is pulling together products and services from its many business units -- including IBM Global Services, ISS, Tivoli, and Watchfire -- into a single offering called SecureStore. IBM describes SecureStore as a "comprehensive framework for protecting against online and physical risks that can help retailers reduce losses from theft, prevent brand and financial damage from data breaches, and reduce the cost and complexity of complying with PCI and other regulations."
Under SecureStore, IBM will provide an audit of a retailer's physical and logical security, Evans says. "It's almost like a PCI assessment, but much broader," he explains. From that assessment, the company will provide recommendations on how to build integrated store defenses, which may involve revamping or replacing redundant and non-integrated security systems. The recommendations won't always be to use IBM systems, Evans says.
From there, the retailer can choose to implement some or all of the SecureStore components, which include PCI compliance tools, network security, asset security and management, and transaction security tools, IBM says. SecureStore covers 10 of the 12 major areas required for PCI compliance, and also includes products and services not required by PCI, Evans says.
Retailers can also choose to simply outsource their security to IBM, Evans says. "Some retailers may decide that this isn't how they want to spend their resources," he notes. "We believe we can save the retailer a significant amount of money over time by doing it for them."
IBM has tried out the new package on a few early users, including La Senza, the Montreal-based fashion retailer. "Retail is about [a] high volume of people, products, and transactions going through stores and systems," says Daniel Marcotte, director of systems and data security at La Senza. "We have to control access to the data such a business model generates and prevent its theft. The SecureStore framework provides everything La Senza needs to assess our current security and compliance posture, and take remedial action before the holiday rush begins."