Today, all credit card merchants, service providers and retailers who process, store and transmit cardholder data have a responsibility to protect that data and must comply with a diverse range of regulations and industry mandates, as well as a growing list of voluntary “best practices” frameworks. These include the venerable Sarbanes-Oxley bill (better known as SOX or SarbOx), the Payment Card Industry (PCI) data security standard, the Gramm-Leach-Bliley Act of 1999 and even HIPAA (healthcare providers take credit cards too!). Not complying with the above might result in fines, legal exposure, or both, although it is widely known that these regulations differ wildly in regards to their “teeth.” For instance, it was reported that nobody was ever fined for being out of compliance with HIPAA.
But this is easier said than done. Immense volumes of log data are being generated on such payment networks, necessitating more efficient ways of managing, storing and searching through log data, both reactively – after a suspected incident – and proactively – in search of potential risks. For example, a typical retailer generates hundreds of thousands of log messages per day, amounting to many terabytes per year. An online merchant can generate upwards of 500,000 log messages every day. One of America’s largest retailers has more than 60 terabytes of log data on their systems at any given time. At the same time, unlike other companies, retailers often have no option of not caring about logging.
The importance of effective and efficient log data management in payment networks cannot be overemphasized. In fact, the result of data mismanagement can be devastating. Retail Ventures Inc., for example, lost personal customer information from 108 stores in its DSW Shoe Warehouse subsidiary, an incident that involved 1.4 million credit cards used to make purchases. The lost data consisted of account numbers, names, and transaction amounts. Similarly, CardSystems was sued in a series of class action cases alleging it failed to adequately protect the personal information of 40 million consumers. At an individual cost of $30 per consumer, the cost of repairing the damage could be as high as $1.2 billion. What is interesting is that in the latter case, only a small number of cards were “confirmed stolen,” while the rest were not “confirmed safe,” since there were no logs to prove that they were not.