Forty million credit and debit card numbers were stolen from a national retailer during the 2013 holiday season. Hundreds of thousands of card numbers were heisted from a retail beauty supply chain last spring. Thousands of numbers were lifted from a national chain of restaurants last summer. These incidents make one thing clear: Point of sale (POS) systems are gold mines for cyberthieves.
Hackers aren’t the only ones making advances in this escalating battle. The Payment Card Industry (PCI) Security Standards Council released a new version of its PCI Data Security Standard (PCI DSS v.3.0) at the beginning of 2014. The goal: enhance the security provisions already in place to protect valuable debit and credit card data, as well as the personally identifiable information of consumers.
Enterprises say successful attacks are more expensive than ever. The average breach costs a company $3.5 million, a rise of 15 percent from the year before. Respondents estimated that their organizations invest an average of $7 million a year for security, but they acknowledge that this may not be enough to adequately address today’s threats. Respondents say spending an average of $14 million annually would be better.
Enhancements in PCI DSS v.3.0 are intended to mitigate these consequences for retailers.
“New requirements include guidelines for protecting against the tampering of POS terminals,” says Steven Weil, a senior security consultant at Coalfire Systems, an IT security auditing and compliance advisory firm. “This ranges from maintaining up-to-date inventories of POS systems and periodic inspections of terminals to employee training about point-of-sale security.”
For retailers, updates include clarifications on merchant responsibility for PCI compliance.
“Organizations cannot simply purchase a PCI-certified point-of-sale system and say, ‘Great. I’m done with the PCI,’” says David Russell, principal security engineer at CDW and a former qualified security assessor for the PCI council. “They still have conditional obligations to make sure the systems are installed correctly and that credit card companies are getting appropriate access to the systems according to specific rules.”
Common-sense steps that mirror the best practices outlined in the latest PCI standard, along with a comprehensive “defense-in-depth” strategy that protects the entire IT environment, can achieve both PCI compliance and overall security. Experts say the following six strategies will help.
1. Accurately scope payment card networks.
The goal is not only to gain an accurate view of the network topology, but also to identify the individuals, systems and processes that interact with card data. This information can help organizations find ways to simplify the environment by reducing what resources fall within the scope of the PCI standard. Also essential is a clear understanding of how cardholder and sensitive authentication data flow within the network.
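One way to make the scoping exercise concrete is to work from an inventory of systems, the segments they sit in, and which segments can reach each other unfiltered, and compute what falls in scope. The Python below is an added example, not code from the article or from any PCI council or vendor tool; the inventory, segment names and links are constructed, and the scoping rule it applies (systems that handle cardholder data, systems with unrestricted connectivity into those systems' segments, and systems that provide security services to them) is a simplification chosen for this example. It also shows the point in the text about reducing scope: filtering one link between the store network and the corporate network drops the corporate systems that never touch card data.

```python
"""Derive PCI DSS scope from a system inventory and its network connectivity.

Added example, not from the article.  The inventory, segment names and links
are constructed.  The scoping rule applied here (systems that handle cardholder
data, systems with unrestricted connectivity into those systems' segments, and
systems that provide security services to them) is a simplification adopted
for this example.
"""

# Constructed inventory: system name -> (network segment, handles cardholder data?)
SYSTEMS = {
    "pos-terminal-01": ("store-lan", True),
    "pos-terminal-02": ("store-lan", True),
    "store-backoffice": ("store-lan", False),
    "payment-gateway": ("payment-dmz", True),
    "hr-fileserver": ("corp-lan", False),
    "marketing-wiki": ("corp-lan", False),
    "ad-domain-controller": ("corp-lan", False),
    "siem-collector": ("mgmt", False),
}

# Constructed connectivity: pairs of segments that can reach each other with no
# filtering in between.  Links are treated as bidirectional.
UNRESTRICTED_LINKS = {
    ("store-lan", "corp-lan"),
    ("corp-lan", "mgmt"),
    ("store-lan", "payment-dmz"),
}

# Systems that authenticate, log or otherwise secure the CDE stay in scope
# regardless of segmentation (constructed choice for this inventory).
SECURITY_SERVICES = {"ad-domain-controller", "siem-collector"}


def cde_systems(systems):
    """The cardholder data environment: every system that stores, processes or transmits CHD."""
    return {name for name, (_segment, handles_chd) in systems.items() if handles_chd}


def reachable_segments(cde_segments, links):
    """Segments that are in the CDE or have an unrestricted link straight into it."""
    reachable = set(cde_segments)
    for a, b in links:
        if a in cde_segments:
            reachable.add(b)
        if b in cde_segments:
            reachable.add(a)
    return reachable


def in_scope(systems, links, security_services):
    """Return the set of systems that a PCI assessment must cover."""
    cde = cde_systems(systems)
    cde_segments = {systems[name][0] for name in cde}
    exposed = reachable_segments(cde_segments, links)
    connected_to = {name for name, (segment, _) in systems.items() if segment in exposed}
    return cde | connected_to | (security_services & set(systems))


def descoped_by_segmenting(systems, links, link_to_filter, security_services):
    """Systems that drop out of scope if one unrestricted link gets a filtering firewall rule."""
    before = in_scope(systems, links, security_services)
    after = in_scope(systems, set(links) - {link_to_filter}, security_services)
    return before - after


if __name__ == "__main__":
    print("in scope now:", sorted(in_scope(SYSTEMS, UNRESTRICTED_LINKS, SECURITY_SERVICES)))
    print("removed by filtering store-lan <-> corp-lan:",
          sorted(descoped_by_segmenting(SYSTEMS, UNRESTRICTED_LINKS,
                                        ("store-lan", "corp-lan"), SECURITY_SERVICES)))
```

With the flat network as constructed, every system in the inventory is in scope; once the store-to-corporate link is filtered, only the systems that handle card data, their segment neighbours, and the security services remain. The same function can be re-run against each proposed segmentation change to see what it buys before any firewall rule is written.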
2. Close commonly overlooked security gaps.
Many operators of POS terminals and automated teller machines (ATMs) have a dirty little secret: These systems are still running Windows XP. This comes even after Microsoft ceased security updates and technical support for the operating system in April 2014. Organizations face significant upgrade expenses, but the cost of XP-based intrusions may ultimately be even more painful.
“It’s open season for hackers to attack Windows XP,” says J.D. Sherry, vice president of technology and solutions at Trend Micro, a vendor of security solutions. “This is something that should be on every organization’s mind, whether it’s processing POS credit card information or sensitive information in general — it’s a huge attack vector.”
3. Redouble efforts to block threats beyond the POS environment.
Most attacks come from targeted spear-phishing campaigns similar to those used to breach many IT environments, says Sherry. “End users click on links or open attachments with their emails that infect their devices, which starts the attack cycle,” he says. “If a device used by someone with system administration privileges gets infected, then hackers have the keys to the entire kingdom — access to the payment card network and databases with the personal information of consumers.”
In addition to regular training sessions to keep internal staff members alert to the dangers lurking in emails, organizations should maintain the latest anti-virus, intrusion detection and file-integrity monitoring solutions to protect their operations, Russell adds.
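File-integrity monitoring, one of the controls Russell names, comes down to recording a trusted hash of every file in the payment application's install and periodically comparing the current state against that record. The Python below is an added example of that mechanism, not code from the article or from any commercial monitoring product; the directory layout it builds and the tampering it applies in `demo()` are constructed so that the comparison has something to report.

```python
"""Minimal file-integrity monitor: baseline a directory's hashes, then report changes.

Added example, not code from the article or any vendor product.  The directory
contents and the 'tamper' step in demo() are constructed to exercise the comparison.
"""
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of a file, read in chunks so large binaries work."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (path relative to root, '/'-separated) to its digest."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # hash real content only; a link target may live outside root
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare(baseline, current):
    """Classify differences between two baselines as added, removed or modified paths."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Build a constructed POS install, baseline it, tamper with it, and return the report."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "pos.exe"), "wb") as fh:
            fh.write(b"legitimate payment application binary (constructed content)")
        with open(os.path.join(root, "config.ini"), "w") as fh:
            fh.write("[gateway]\nhost=payments.example.net\n")  # constructed value

        baseline = build_baseline(root)

        # Constructed changes: a binary is altered, a new file appears, a config file is removed.
        with open(os.path.join(root, "bin", "pos.exe"), "ab") as fh:
            fh.write(b" (tampered)")
        with open(os.path.join(root, "bin", "helper.dll"), "wb") as fh:
            fh.write(b"unexpected new file")
        os.remove(os.path.join(root, "config.ini"))

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline is stored off the monitored host and the comparison runs on a schedule, with each non-empty report raised as an alert; a change to a payment binary outside an approved maintenance window is exactly the kind of event the control exists to surface.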
4. Assume you’ve been hacked no matter how well you defend your environment.
“Quite honestly, if cyberthieves want to get into your organization, they’re going to get in. So if you process credit card information, you need ways to quickly discern when a breach happens,” Sherry says.
Early detection reduces the consequences of a breach by limiting hackers to only a small section of the internal network and blocking attempts to export sensitive data to outside command-and-control systems. “If you can prevent data from going out, then you’ve thwarted the attack,” Sherry says.
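Catching data on its way out, as Sherry describes, is easiest when the cardholder segment is only allowed to talk to a short list of approved destinations, so that any other outbound connection is worth a look. The Python below is an added example of that check run over firewall log lines, not code from the article or from any product; the log format, the addresses, the POS segment and the approved-egress list are all constructed (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).

```python
"""Flag outbound connections from the cardholder data environment (CDE) to
destinations that are not on the approved egress list, and total the bytes sent.

Added example, not from the article.  The log format, addresses, CDE segment and
approved-egress list are constructed; 203.0.113.0/24 and 198.51.100.0/24 are
documentation ranges, not real hosts.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed firewall export: timestamp action proto src:port -> dst:port bytes=N
SAMPLE_LOG = """\
2014-06-12T02:14:07Z ALLOW TCP 10.20.5.11:49211 -> 198.51.100.8:443 bytes=2048
2014-06-12T02:14:09Z ALLOW TCP 10.20.5.11:49212 -> 203.0.113.45:443 bytes=184320
2014-06-12T02:14:15Z ALLOW UDP 10.20.5.12:51000 -> 10.20.9.5:53 bytes=96
2014-06-12T02:15:01Z ALLOW TCP 10.20.5.12:49300 -> 203.0.113.45:8443 bytes=733184
2014-06-12T02:15:30Z ALLOW TCP 10.40.1.7:52000 -> 203.0.113.45:443 bytes=512
2014-06-12T02:16:02Z DENY TCP 10.20.5.11:49213 -> 203.0.113.99:443 bytes=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)

# Constructed: the POS segment and the only (destination, port) pairs it may reach.
CDE_NETWORKS = [ipaddress.ip_network("10.20.5.0/24")]
APPROVED_EGRESS = [
    (ipaddress.ip_network("198.51.100.8/32"), 443),  # payment processor
    (ipaddress.ip_network("10.20.9.0/24"), 53),      # internal DNS resolvers
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    event = match.groupdict()
    for field in ("sport", "dport", "bytes"):
        event[field] = int(event[field])
    return event


def in_any(addr, networks):
    return any(addr in net for net in networks)


def is_approved(dst, dport, approved=APPROVED_EGRESS):
    return any(dst in net and dport == port for net, port in approved)


def unapproved_egress(log_text, cde_networks=CDE_NETWORKS, approved=APPROVED_EGRESS):
    """Return {(src, dst, dport): total_bytes} for allowed connections that left the CDE
    for a destination not on the approved list.  DENY lines were already blocked and
    are skipped; traffic whose source is outside the CDE is not this check's concern."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or event["action"] != "ALLOW":
            continue
        src = ipaddress.ip_address(event["src"])
        dst = ipaddress.ip_address(event["dst"])
        if not in_any(src, cde_networks) or is_approved(dst, event["dport"], approved):
            continue
        totals[(str(src), str(dst), event["dport"])] += event["bytes"]
    return dict(totals)


def bytes_per_destination(findings):
    """Collapse findings to total bytes per external destination, the figure to alert on."""
    per_dst = defaultdict(int)
    for (_src, dst, _dport), nbytes in findings.items():
        per_dst[dst] += nbytes
    return dict(per_dst)


if __name__ == "__main__":
    findings = unapproved_egress(SAMPLE_LOG)
    for (src, dst, dport), nbytes in sorted(findings.items()):
        print(f"{src} -> {dst}:{dport} sent {nbytes} bytes outside the approved list")
    print("per destination:", bytes_per_destination(findings))
```

Two of the six constructed lines survive the filter: both come from POS terminals and go to the same unapproved external address, and together they account for close to a megabyte. A detection built this way pairs naturally with the egress rule itself; the firewall blocks what it can, and anything that still gets through to an unknown destination is the signal to act on.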
5. Don’t wait for an annual audit.
PCI audits performed by qualified security assessors are valuable for determining compliance at a specific point in time. But more frequent gap analyses, done by a trusted partner, will not only help ensure successful compliance audits; just as importantly, they will also help keep enterprises more secure throughout the year.
6. Secure physical devices.
POS security requires battening down transactions emanating from physical hardware, such as card readers. Help may come from the payment standard known as Europay/MasterCard/Visa (EMV), also known as a chip-and-PIN protocol, which is expected to be widely deployed throughout North America by 2015.
To learn more about the latest version of PCI, check out our webinar, “PCI Data Security Standard 3.0,” at CDW.com/PCI-Compliance