Shoring up Cybersecurity at One of the World’s Largest Retail Organizations

The U.S. Postal Service wins the Silver Alexander Hamilton Award in Operational Risk Management & Insurance!

Retail is an industry in transition, as technology continues to present new avenues for consumers and businesses to make purchases—and simultaneously gives cyberattackers new opportunities to steal personal and financial data.

Few organizations experiencing this evolution compare in size and scope with the 31,000 retail locations and 634,000 employees of the U.S. Postal Service (USPS). Including online and call center sales, the Postal Service processes nearly $17 billion in credit- and debit-card transactions annually, and more than $30 billion worth of ACH payments from business customers. Keeping those transactions secure is a duty of the treasury function.

“Treasury has responsibility for managing the contracts for payment processing and the agreements with the credit-card brands,” says Elizabeth Richardson, assistant treasurer for customer payments at the USPS.

Attackers could potentially target payments to initiate fraudulent transactions, steal customers’ financial data, or cause reputational damage, among other goals. Treasury is intent on minimizing those risks. The USPS must also demonstrate once a year that its policies, systems, and processes comply with the Payment Card Industry Data Security Standard (PCI DSS). To ensure that the organization follows best practices in handling customers’ primary account number (PAN) data, the USPS treasury, IT, and security departments joined forces to form a cross-functional payments team.

“We took on PCI and security improvements as a joint project,” Richardson says. “Our groups worked closely together to identify needs and ensure solutions would be effective and meet business requirements. Each of the three groups got an equal vote in the tools we would use, the money we would spend, and how we would reach the state of data security where we needed to be.”

The payments team met with technology vendors to understand what security options were available. Through these meetings, they uncovered several areas with potential for improvement. One revolved around storage of PAN data.

The USPS already encrypted customer information both in storage and in transit, but maintaining a database of customer credit- and debit-card numbers at all was a risk: encrypted card numbers are still cardholder data, and every system that holds them stays within PCI DSS scope. Moreover, card numbers appeared on forms in paper files kept by USPS call centers and by the payment-acceptance group that receives orders through the mail. The payments team saw an opportunity to eliminate these risks through “tokenization,” a process in which a real, valuable piece of data, such as a card number, is replaced with a different number, a “token,” that has no meaning by itself and cannot be turned back into the card number by anyone without access to the tokenization system.

“Each token has the same number of digits as a credit-card number,” says Jeffrey Merritt, manager of PCI compliance for the USPS. “But if someone gains access to our systems and steals financial transaction data, they cannot use the tokens as they could use credit-card information. Our goal was not to remove the safe from the office, but to take everything valuable out of the safe and replace those items with things that have no value.”
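To make the mechanism concrete, here is an added illustrative example; it is not the USPS’s or its vendor’s code. It is a minimal in-memory tokenization vault that keeps each token the same length as the card number and preserves the last four digits (so a disputed charge can still be matched without the card number, as the accounting discussion later on describes), fills the remaining digits from a CSPRNG rather than deriving them from the PAN, and deliberately makes every token fail the Luhn check so that a token can never be mistaken for a live card number. The class and function names, the in-memory store, the order records and the test card numbers are all assumptions made for the example.

```python
"""Added example (not USPS code): a minimal tokenization vault.

The PAN lives only inside the vault; every other system stores and
matches on the token plus a masked display form. Names and the
in-memory store are hypothetical stand-ins for a vendor service.
"""
import secrets


def luhn_valid(number: str) -> bool:
    """Mod-10 (Luhn) check that every real card number passes."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def is_valid_pan(pan: str) -> bool:
    """Syntactic PAN check: 13-19 digits carrying a valid Luhn digit."""
    return pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)


def mask_pan(pan: str) -> str:
    """A common PCI DSS display mask: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """In-memory stand-in for a vendor tokenization service (hypothetical)."""

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not is_valid_pan(pan):
            raise ValueError("not a syntactically valid PAN")
        # Same PAN -> same token, so recurring charges and dispute
        # lookups can be matched on the token alone.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Random digits for everything but the last four; nothing
            # in the token is derived from the card number itself.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject collisions and any candidate that would pass as a real PAN.
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map back; outside it the token is just digits."""
        return self._token_to_pan[token]


def record_order(vault: TokenVault, orders: list, order_id: str, pan: str, amount: float) -> dict:
    """What a call-center or fulfillment system stores: token and mask, never the PAN."""
    token = vault.tokenize(pan)
    order = {"order_id": order_id, "token": token, "display": mask_pan(pan), "amount": amount}
    orders.append(order)
    return order


def research_dispute(orders: list, token: str) -> list:
    """List every charge on a card using only its token, e.g. to spot a duplicate."""
    return [o for o in orders if o["token"] == token]


if __name__ == "__main__":
    vault, orders = TokenVault(), []
    # Constructed sample: one card charged twice for the same order (a typical dispute).
    record_order(vault, orders, "A100", "4111111111111111", 9.35)
    record_order(vault, orders, "A100", "4111111111111111", 9.35)
    record_order(vault, orders, "A101", "5555555555554444", 18.70)
    tok = orders[0]["token"]
    print("token:", tok, "display:", orders[0]["display"])
    print("charges on that card:", research_dispute(orders, tok))
```

The design point is that the token carries no information about the card beyond the last four digits, so a dump of the orders table yields nothing a thief can charge, while the accounting workflow (find all charges on a card, issue a refund against a token) still works without anyone outside the vault ever seeing a PAN.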

The payments team issued a request for proposals (RFP), selected a vendor, and implemented a tokenization software solution. That part of the process “was pretty easy,” Merritt reports. “What was more challenging was transforming the way that people work.” The project would necessarily entail policy and process changes that affected functions throughout the USPS, including order fulfillment, accounting, and call centers, plus the USPS’s third-party payment processors and its law-enforcement arm, the U.S. Postal Inspection Service.

Once the payments team had an end-state in mind for the tokenization project, they began selling their vision to different USPS functions. The first step in the evangelizing was to understand each affected group’s business processes. “We had to understand what they were doing so that we could assure them tokenization wouldn’t interfere,” Richardson says. “That required a lot of communication, all the way up and down the food chain. We had to make sure our solution would meet the business needs of each group, and then we had to show them how their systems or processes would work in the new environment.”

As an example, Merritt points to the process of researching disputed charges. “Perhaps someone sees two charges on their card when there should be only one,” he says. “Or maybe they call and say, ‘I didn’t buy anything at the post office.’” Convincing the accounting team that they should be able to research discrepancies without access to the card number in question required a sales pitch. “In some large organizations, the accounting group would just say, ‘We can’t do that,’” Merritt speculates. “When we approached our accounting team, we assured them that we wouldn’t implement anything unless they were on board. As a result, we found folks who were willing to listen to our explanation of why they didn’t need credit-card numbers to research disputes or process refunds. Our accounting organization deserves a lot of credit for being open to this change.”

The payments team put a great deal of thought into communications and change management. “We needed to explain what was happening, when it was happening, and how people’s jobs would be affected—to hundreds of thousands of employees, many of whom had been doing their job in the exact same way for decades,” Merritt says. “In communicating to that many people, you have to be very precise. Each audience is different and understands messaging differently; you have to find a way to catch their attention and make the message relevant to them. So we gave a lot of thought to the ways in which we created communications for each specific group of employees.”

Adds Richardson: “It was also important to recognize that different groups use different vehicles for internal communication. Some groups we met with in person. We obviously couldn’t do that with the 200,000 retail associates in the field, but they have specific guides and trainings that we participated in. For each group, we discussed what they were doing in the legacy environment and then talked through how their user stories would change.”

The payments team gained buy-in across the organization, and the USPS tokenized all card information. Now, for e-commerce orders, customers enter their payment details into an HTML inline frame (iframe) embedded in the USPS website, through which the USPS’s payment processor receives the card number directly from the customer’s browser; USPS systems never handle it. “We’re no longer touching that information at all,” Merritt says. When an order comes into the call center, the customer provides a card number over the phone, and the agent enters it into software that tokenizes it before anything is transmitted across the USPS network.

Likewise, the USPS stores some customers’ card information, for example to make recurring monthly payments for a post office box. That data, too, is tokenized as it is written to the appropriate database. Because card numbers are no longer stored in USPS databases or carried across USPS networks on their way to the payment processor, the change has “dramatically reduced the risk profile for locations across our enterprise,” Merritt says. “The payment processor is certified by the card brands, so we are confident in its data security. And we’ve reduced to zero the chances that a nefarious party will get access within our infrastructure to card data they can use.”

After training employees organization-wide on the new tools, the payments team followed up to make sure everyone is using the technology in the way they’re supposed to. The payments team continues to look for new ways to boost security. “What we did with tokenization is a major accomplishment,” Merritt says, “but we have to be dynamically looking for new ways to protect our environment.”