Many Retailers Taking Big Chances with Test Data

By Evan Schuman  |  Posted 06-15-2007

A high percentage of retailers are using unprotected customer information when they test their credit card processing systems, leaving the door open to a host of security problems, analysts say.

The problems arise when retailers, seeking to test any system that might impact credit card processing (point-of-sale upgrades, operating system patches, database changes, and so on) use credit card numbers, expiration data and verification codes from actual customers. Tests even include the deduction of money from the customer's account and the crediting of the retailer's account.

Since no organization has created a set of secure, non-customer data specifically for test transactions, retailers have few options other than using real customer data. Many in the retail industry see this as a recipe for security disasters.

"Some 90 percent of the retailers out there don't even realize how big a problem test data security is because they don't know the test environment," said David Taylor, president of the PCI (Payment Card Industry) Security Vendor Alliance, in Stamford, Conn. If auditors knew what to look for, "you could easily have 75 to 85 percent of retailers fail on this criterion alone."

Although Taylor said that few retailers understand this, that ignorance is not shared by cyber-thieves looking for the easiest way to get into retail networks.

"External hackers and (ill-intentioned) internal IT people—if they're going to attack anywhere, they're going to attack a weak link," Taylor said. "This is one of the most well-known weak links. If you're going to attack, this is where you're going to attack."

The question of protecting customer data during retail POS testing is also a concern of Richard Simpson, a 21-year Bank of America veteran who recently took a newly created position at the Federal Reserve Bank in Richmond, Va. Simpson's new job—senior IT risk coordinator within the Fed's banking supervision and regulation area—gives him the daunting task of "raising awareness of risks that might undermine public confidence in the U.S. financial system." Simpson sees retail test data procedures as just such a risk.

Read the full story on eWEEK.com: Many Retailers Taking Big Chances with Test Data