The technology, business processes and compliance procedures linked to fighting multi-channel card fraud are evolving rapidly. For many grocers, maintaining compliance with payment card industry initiatives such as PCI DSS, Verified by Visa and Mastercard SecureCode while preventing fraudulent attacks can be a costly and complex challenge, but help is at hand.
A major exhibitor at the recent Retail Business Technology Expo, The Logic Group partners with supermarkets and other leading retailers across Europe to enhance the effectiveness, security and profitability of their customer interactions. The company specialises in the secure management of cardholder information and transactions through the delivery of trusted payment and loyalty solutions that enable increased revenue, improved profit and reduced operating costs and risk. A leading industry expert and frequent retail fraud conference speaker, Robin Adams, Director of Security, Risk and Compliance at The Logic Group, spoke to The Grocery Trader.
The Grocery Trader – First question, Robin: when was The Logic Group set up, and who by? Who owns it now?
Gareth Wokes set up The Logic Group in 1986, and is still actively involved in the company. The shares are privately held.
GT – Where are you based in the UK? Which other countries do you operate in? How big is The Logic Group as an organisation?
Our head office is in Fleet, Hants, and we have a second office in Madrid, Spain. Our focus is Europe, with the Spanish office handling the southern countries. We employ 200 people and handle three billion transactions per year. Some 35% of all UK payment transactions go through either a managed service or one of our products – either way, one of our solutions.
GT – What ‘deliverables’ do you provide to customers, in terms of secure management of cardholder information and transactions? Do you provide ‘plug in’ solutions or remotely hosted services?
We offer managed services for payments processing and customer loyalty management, and we have an all-new managed fraud service launching in July. Our consultancy services are also based around the areas of payments, loyalty, fraud and insight into customer behaviour. For payments we offer services ranging from plug-in services for small retailers, pre-accredited in agreement with the banks, to managed enterprise payment services for large retailers, which we handle at our secure data centres. We also offer payments software for major retailers to deploy in their own data centres, should they prefer that.
GT – Do you see customers through the compliance process?
Yes, we do: we handhold retail customers through compliance, from day 1 to full achievement of the required standard, be it PCI or accreditation with the banks for the different types of payments. We have one consistent aim throughout – to make sure our customers act securely and, in the case of PCI DSS, that they manage their data securely according to the standard.
GT – What is your professional background – banking, retail or technical? What does your day to day role cover?
My background is technical – I began as a mathematician, then moved to IT, and have worked for some of the largest global payment schemes. At The Logic Group I get involved with clients and advise on fraud, PCI DSS, chargebacks, remediation and accreditation. I am a Qualified Security Assessor (QSA), and like the rest of my team I have passed the exams set by the PCI Council and am relicensed every year to audit service providers, merchants and retailers for PCI and other compliance. I write blogs and whitepapers and get invited to speak at conferences on security issues.
GT – We hear a lot about PCI DSS from VISA and others. For the uninitiated, please can you explain what PCI DSS is, and why it’s important?
PCI DSS is a Payment Card Industry (PCI) initiative for the securing of cardholder data, brought in because of the amount of losses the merchants and card schemes were suffering. It was first introduced in 2004, and is now on version 2.0.
GT – What levels were UK card losses running at before PCI DSS? What are they like now?
Back in 2004, losses from fraud were running at over 14p in every £100 spent on cards – now they are below 8p in every £100. This is despite people spending a lot more using payment cards these days. In value terms, losses due to fraud on UK cards hit £609m in 2008, but in 2010 fell to £365m.
GT – Is there room for further improvement?
Yes, there is – since 2010, ‘Card not present’ fraud has started to decrease for various reasons: more secure data; mandates from the banks about the three-digit code on the back of the card; and the ‘Verified by Visa’ and SecureCode initiatives. We’re also seeing a movement at call centres where they will have ‘clean rooms’ with no mobiles, external devices or pens and paper. All of these steps are designed to reduce the opportunities for hackers to gain access to payment card details and then use them fraudulently.
GT – How is PCI DSS relevant for grocers?
Any merchant taking payment from a card badged Visa, Mastercard, Amex, JCB or Discover must comply with the standard. The PCI standard is global and applies to any debit, credit or payment card issued by these schemes.
GT – What are the steps to achieving compliance? Are there different levels of compliance for different size organisations?
Merchants are categorised at four levels, based on their number of Visa, Mastercard and other card transactions taken per year. Level 1 is over six million per year, Level 2 is over one million, Level 3 is aimed at e-commerce retailers with over 20,000 transactions taken over the web, and Level 4 covers the rest.
GT – How are they vetted?
Level 1 merchants must have an annual audit and report, which is performed by an external QSA. If you need to find a QSA then the PCI DSS web site lists all the QSA companies, of which we are one. We tend to find that many QSAs come from pure security backgrounds and have little retail or payment knowledge. As a company that has a team of QSAs, we believe our benefit is that we are both payment and security specialists, making us quite different from the rest. We understand payment processes and the underlying issues – payment authorisation, refunds, settlements and chargeback procedures, for example. Consequently the advice we can provide reflects Level 1 customers’ business needs more closely, and integrates better with their business than other available solutions.
Level 2 businesses either call in a QSA to prepare a report, or may have their own trained internal auditors who complete a self-assessment questionnaire (SAQ), and those at Level 3 and Level 4 complete an SAQ. A lot of merchants at these levels prefer an external consultant to advise on how to interpret the standard, remediate their environment and then complete the questionnaire for them.
GT – How tough is the PCI audit?
The PCI audit is very prescriptive, and very thorough. A lot of standards talk about setting up targets and selecting controls to manage risk, but this standard demands a set of predetermined controls on existing data. PCI insists on controls with little latitude, and merchants do find it hard to achieve; however, it does mean you achieve consistent standards across the board.
GT – What can happen if people don’t comply with PCI DSS?
The consequences can be disastrous for the merchant. A merchant would be deemed liable for any losses associated with the theft of cardholder data in their possession if they are not PCI DSS compliant. First there are the possible direct financial losses due to the fraud, and then the fines and legal costs, and the unavailability of senior management to run the business, due to being tied up in the aftermath of the fraud. Being positive, PCI DSS compliance protects your reputation and brand, and the standard itself can be used as a template for securing all your card transaction and personal data. If a merchant is compliant, they are deemed to have achieved PCI Safe Harbour, which removes the threat of fines and liability for the losses associated with a breach.
GT – Isn’t having Chip and PIN enough protection against fraud?
In the UK you need a minimum of Chip & PIN and PCI Safe Harbour – if you have a breach while compliant, you won’t suffer any losses. In virtually all breaches, the merchants affected have been non-compliant with PCI DSS. If you reach this standard, the various card schemes will accept the residual risks.
GT – What does Chip and PIN cover?
Chip & PIN is far better than a magnetic stripe, but it’s still not a 100% solution. Firstly it only protects card present payments: in this case, the cardholder data transmitted is of far less use to a hacker than the data from the traditional magnetic stripe, but is still exposed. The fraud stats show Chip & PIN transactions give more protection, but certain elements are not covered – for instance, if the merchant accepts foreign cards with magnetic stripe only, e-commerce transactions or card data over the phone, then Chip & PIN is not utilised.
GT – VISA has just brought in the Technology Innovation Programme, addressing PCI DSS. What effect does that have? Doesn’t it cover everything?!
TIP slightly reduces the impact for merchants who only take Chip and PIN transactions, but retailers and merchants must still achieve compliance. The PCI DSS standard is broken into six milestones: if you only have Chip and PIN transactions, you only need to achieve the first four, not the final two. But that’s only Visa: Mastercard haven’t yet made any announcements in a similar regard, so you will still need to achieve all six milestones if you accept Mastercard.
GT – As I understand it, the banks physically supply the Chip and PIN terminals to smaller stores. Don’t they sort out all this compliance business for the retailers as part of the service?
Risk is certainly reduced; however, there are still some residual responsibilities: smaller retailers who only have ‘PDQ’ phone terminals have to go through a reduced SAQ procedure with a far smaller set of questions. However, all the major retailers have integrated Chip & PIN devices with their POS devices, so all the cardholder data flows across the network and is within the scope of PCI DSS.
GT – We’ve talked about in-store transactions, with the cardholder present. How can PCI DSS make card payments through web sites more secure?
A large amount of hacking in the UK targets web sites. There are various steps: the first is, make the e-commerce environment more secure. Between 80% and 90% of all hacks exploit well-known vulnerabilities on sites that haven’t been patched or properly secured. Second, e-retailers can use a third-party payment provider – a pay page – to handle payments on their behalf. This takes the e-commerce website out of the flow of the card data, so the merchant’s web site never ‘sees’ the card data. To be honest, this seems to be how the banks prefer the smaller merchants to work.
GT – Do you offer one-off services or ongoing partnership and handholding?
We offer both: in particular, my team are skilled at handholding clients through remediation, starting with a gap analysis of the weak points and looking at how they’d fail, then redesigning or remediating the system architecture to achieve compliance. After that’s in place, clients also bring us in when new projects or programmes are introduced. We get to know the client’s environment very well and can return easily to the client to help with their future needs, because we understand the key points and drivers.
GT – How long does it take to achieve compliance and put all this protection in place?
It depends on the merchant – a small retailer with ‘PDQ’ could take a couple of weeks, and a big retailer can take up to two years, which may include changing their processes. It really depends on the merchant and the environment.
GT – We live in an anxious age. If I call in The Logic Group to improve my security, how do I know my data and processes will be secure in your hands?! Who vets The Logic Group?!
Another external QSA audits our managed service environment under the PCI standard. In addition, our QSA team is QA’d and we are accredited annually after an examination by the PCI SSC. We run systems for many large financial institutions, who also have their own auditors, and we’re on the published list of QSAs approved by PCI.
GT – Are you approved by all the issuing banks and card services? Which industry bodies do you work with?
We’re approved by all the accepting banks, and we work with the UK Payments Administration Ltd (UKPA), previously APACS, the Association for Payment Clearing Services, and the PCI SSC, the PCI Security Standards Council. I’m on some of the PCI SSC’s Special Interest Groups, including Scoping and Point-to-Point Encryption.
GT – How do you charge for your services?
We offer QSA services as a fixed price charge, a consultancy service, or whatever suits the client better. If people want our services on a call-off basis, we’re happy with that too.
GT – Who do you work with in a company?
We work from day to day with the IT department and the business on remediation, and go all the way up to the board as required, often being asked to present our findings to the CEO and fellow directors. With the current public visibility of hacks and the possible brand damage, boards want to understand fully the risks and their responsibilities.
GT – Do you train the front-line staff and advise their directors?
Yes, we do. Part of the requirement under PCI DSS is security awareness training, including ‘train the trainer,’ and front end, back end and technical staff. For one high street retailer, we trained all the internal audit and store staff from the point of view of the policies they need to have in place for handling cardholder data, such as that on receipts, chargebacks and so on. The PCI standard also covers the requirements regarding people, processes, contracts, employment procedures and background checks that companies need in place to pass it.
GT – Can people who are interested go online and see the full scope of your services?
Yes, it’s all on our website, which describes our services in detail. The pcissc.org web site has full information on the standard, the Self Assessment Questionnaires and the Qualified Security Assessors.
GT – I don’t suppose you can name your customers, but can you talk about the various organisations you help?
Many well-known high street retailers call us in to carry out a compliance gap analysis. We help clients at every level, from Level 1s requiring a remediation and audit service down to Level 4s needing phone support. In the rest of this spread you can read about our work in the Loyalty area for Musgrave.
GT – You exhibited at the recent Retail Business Technology Expo. What were your main themes?
Our main themes were managed payments, fraud and loyalty schemes. I talked in the seminars on trends in fraud and security, and on point-to-point encryption and tokenisation.
GT – What is Point-to-Point Encryption?
It involves larger retailers looking at securing their cardholder data to a specific standard: capturing data at the Chip & PIN device, encrypting it while it is still in that device, and then transmitting it still strongly encrypted. Large numbers of card present merchants are considering this at the moment. I sit on the PCI SSC’s Point-to-Point Encryption special interest group, looking at defining the standard for these solutions.
GT – What is tokenisation?
Simply speaking, tokenisation replaces the card number in a transaction with a token, so you can refer to it in the future in loyalty schemes without breaching the cardholder’s security or the PCI DSS. For a hacker the token would be of no use if they tried to use it anywhere else.
GT – You (Robin) are also a regular retail fraud conference speaker. In your speeches, besides ‘call The Logic Group,’ what are your main messages to the retail industry?
My consistent message is that fraudsters and hackers never stop; they simply move to the next easy target. As a retailer you must keep up to date with the latest trends and prepare. As I said earlier, 80-90% of hackers are using standard tricks, finding sites with known vulnerabilities and exploiting them, then moving on to others. Make sure you aren’t one of these sites: regularly review your security and make sure you are aware of the risks as they evolve.
GT – Do you think these messages are getting through to the big retailers? Has the penny dropped?
I believe the answer is finally, yes. Brand images and reputations are key, and CEOs appreciate what can happen to their business. This year’s big story is Sony, but they won’t be the last by any means: there’s a high level of awareness in the industry that in the event of a hack, reputation suffers as much as anything. You only see the return on your investment in these services too late, after it’s all gone pear-shaped. The figures reflect the fact that in the UK we have seen a real reduction in card fraud, but we still can’t afford to drop our guard for an instant.
GT – As we move further into contactless and mobile payments and cloud computing, how do you see security standards for card payment information and transactions developing from here?
As these technologies become more accepted by retailers, people will move from having a card and a discrete mobile device to their card being part of their phone. People in the business have been talking about this technology for years, and now it’s starting to arrive, though there’s extensive fragmentation in the market regarding the different payment wallets (payment methods), which will need to play itself out. A lot of card reader devices now have a contactless interface, which opens up new retailing opportunities but is also a new area of security risk that will need addressing.
GT – What’s coming next to follow PCI DSS?
We can expect to see more ‘flavours’ of PCI and initiatives emerging to reduce the burden of responsibility on the merchant, with the PCI DSS standard changing and developing to reflect the evolving threat.
GT – Where do you see The Logic Group going from here?
We see an evolving integration between managed payments and loyalty with a growing body of insights in terms of customer data and ‘opt in’ and buying behaviour. With these services fully integrated, we will offer our customers an extremely powerful solution indeed.
The Logic Group – Robin Adams
direct +44 (0)1252 644 320
mobile +44 (0)7919 922749