What Everyone Should Take Away from the Recent Retail Breaches
By: Gene Geiger, Partner of A-LIGN
Recent Retail Breaches – What Should You Do
When news of the Target breach was announced, in the middle of the holiday shopping season, it made headlines and re-kindled the debate on payment card data security and more specifically, the effectiveness of the PCI Data Security Standard (“PCI DSS”), which was established to protect payment card data. This debate has only intensified as news of breaches at other major retailers has surfaced.
So what went wrong? How were millions of records exposed? You don’t have to go very far to find the finger pointing and criticism of everyone involved, including Target, the PCI Security Standards Council (“PCI SSC”) and the core infrastructure used in the payment card industry. These discussions will continue and additional guidance may be produced, but at the end of the day, the clients I speak with want to know one thing “What should we do?” Outlined below are some thoughts I would like to share on how to increase the security in your environment.
Security Versus Compliance
Security of information is a mind-set that should be woven into the culture of your organization. The PCI SSC addresses this need in the “business-as-usual” concept that they are introducing with the latest version of PCI DSS, Version 3.0. To be successful against the hackers and criminal elements, the security of your information needs to be a priority for more than just the 30-day period leading up to your PCI DSS assessment; it should be a way of doing business all year long. Security tasks such as running vulnerability scans, patching systems and following a defined process for approving changes in the environment should be embraced as a necessary task that contributes to the long-term success of your organization. Employees should understand that these tasks are not performed to “pass an audit” but are critical steps towards securing the environment. Improvements in these security processes should be constantly developed.
This starts with the tone of management and is demonstrated by their commitment to overall security, not just what is required to comply. It is also communicated through robust security awareness training that communicates users’ responsibility and expectations related to security.
Understanding PCI DSS
To protect the payment card data in your environment, we recommend that you fully understand PCI DSS. The standard was developed to protect payment card data, however, if the individuals responsible for implementing the controls don’t fully understand PCI DSS it is likely that the controls will not be implemented properly. It is also important to keep in mind that PCI DSS is considered the minimum baseline standard. When it comes to protecting your customers’ data, implementing the bare minimum may not be sufficient in your environment.
Additionally, Version 3.0 of PCI DSS addresses many of the risks identified and lessons learned through previous breaches. New requirements to address the vulnerabilities related to point of sale (“POS”) devices, which lead to Target’s breach, are in the new standard. New requirements for training and interactions with service providers are also in the new version. Although implementation of the new version is not required until January 1, 2015, we recommend that you understand the new requirements to determine if you have issues in your environment that should be addressed.
Know Your Payment Card Data
There have been many times where I have met with clients who don’t have a full understanding of the flow and storage of payment card data in their environment. The first step to protecting the data is to understand where it is in your environment. From there you can determine if those systems that impact its security are in compliance with PCI DSS. Additionally, we recommend that you reduce the amount of cardholder data in your environment. This is a requirement of PCI DSS, however we find that businesses have a “keep it just in case” mentality and justify keeping too much payment card data. When it comes to credit card numbers, more is definitely not better. You should take a hard look at what components of the card you store and look for ways to remove or reduce your exposure.
The debate in the industry will continue for many months and possibly years but our focus is to help our clients protect the payment card data on their systems. Our security professionals are available to answer your questions and to discuss ways to strengthen the security of your information technology environment.