Strike back on payment security
Passing the annual compliance assessment is just the start of a vigilant security program, says Stephen Orfei of the PCI SSC.
Make no mistake, we are in a battle. Cybercriminals are raiding our financial system. Armed with malware and hacking expertise, they are sneaking by breakdowns in security protocol. Many of these attacks are preventable. The key is grasping how they do it and knowing how to strike back.
The common attack pattern – as outlined in Verizon's “2014 Data Breach Investigations Report” – is hacking into a vulnerable back office PC to implant malware. This paves the way to compromising connected point-of-sale (POS) devices and systems, collecting magnetic-stripe data from live transactions, exfiltrating the stolen data – and cashing in. Many of the breaches so far reported in 2015 have continued using this tactic.
So how do you strike back? The PCI Council recommends three tactics: Ongoing vigilance, proactive security and solid preparation.
Malware is typically installed because missing or lapsed controls allow access into systems attached to the cardholder data environment (CDE). In many of the recent breaches, attackers exploited remote access methods to implant malware on vulnerable back office systems that typically ran an unpatched older operating system. This is an easily preventable breach of security protocol! Vigilant risk mitigation means your controls must ensure that: software is patched frequently and kept up-to-date; configuration settings do not expose devices and systems to exploitation; monitoring covers both internal and third-party access to systems in the CDE; and access security includes strong authentication and strong passwords.
Ongoing vigilance means you are continually monitoring controls as “business as usual.” These controls are your lifeline for they will identify suspicious activity that may indicate a potential breach – and let you react quickly to remediate vulnerabilities.
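The monitoring controls described above, watching internal and third-party access to CDE-attached systems and treating it as business as usual, can be made concrete as a detection pass over remote-access logs. The following is an added example, not code from the article or the PCI SSC: the log format, the vendor access policy, the account names and the failure threshold are assumptions, and the log lines are constructed. It flags successful logins by accounts that are not in the policy, approved vendors connecting from an unexpected source or outside their maintenance window, and a success that follows a run of failed attempts.

```python
import re
from collections import Counter
from datetime import datetime, time

# Constructed remote-access log lines in a hypothetical format:
# <UTC timestamp> <LOGIN_OK|LOGIN_FAIL> user=<account> src=<source IP> host=<CDE-attached host>
SAMPLE_LOG = """\
2015-03-02T03:14:07Z LOGIN_OK user=hvac-vendor src=203.0.113.9 host=backoffice-pc1
2015-03-02T10:05:22Z LOGIN_OK user=pos-support src=198.51.100.4 host=backoffice-pc1
2015-03-02T10:06:01Z LOGIN_FAIL user=admin src=192.0.2.77 host=backoffice-pc1
2015-03-02T10:06:03Z LOGIN_FAIL user=admin src=192.0.2.77 host=backoffice-pc1
2015-03-02T10:06:05Z LOGIN_FAIL user=admin src=192.0.2.77 host=backoffice-pc1
2015-03-02T10:06:08Z LOGIN_OK user=admin src=192.0.2.77 host=backoffice-pc1
2015-03-02T14:30:00Z LOGIN_OK user=jsmith src=10.0.5.12 host=backoffice-pc2
2015-03-02T22:15:40Z LOGIN_OK user=pos-support src=198.51.100.4 host=backoffice-pc1
"""

# Hypothetical access policy (an assumption of this example): each approved third-party
# account may connect only from listed sources and only inside its maintenance window (UTC).
VENDOR_POLICY = {
    "pos-support": {"sources": {"198.51.100.4"}, "window": (time(9, 0), time(17, 0))},
}
INTERNAL_ACCOUNTS = {"jsmith"}
FAIL_THRESHOLD = 3  # consecutive failures before a following success is suspicious

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_OK|LOGIN_FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) host=(?P<host>\S+)$"
)


def parse(log_text):
    """Turn log text into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def analyze(log_text):
    """Return (kind, user, src, timestamp) alerts for successful logins that break policy."""
    alerts = []
    failures = Counter()  # consecutive failed attempts per (user, source)
    for ev in parse(log_text):
        key = (ev["user"], ev["src"])
        stamp = ev["ts"].isoformat()
        if ev["event"] == "LOGIN_FAIL":
            failures[key] += 1
            continue
        # A success right after a run of failures looks like password guessing that worked.
        if failures[key] >= FAIL_THRESHOLD:
            alerts.append(("guessing_then_success", ev["user"], ev["src"], stamp))
        failures[key] = 0
        if ev["user"] in INTERNAL_ACCOUNTS:
            continue
        policy = VENDOR_POLICY.get(ev["user"])
        if policy is None:
            alerts.append(("unknown_account", ev["user"], ev["src"], stamp))
            continue
        if ev["src"] not in policy["sources"]:
            alerts.append(("unexpected_source", ev["user"], ev["src"], stamp))
        start, end = policy["window"]
        if not start <= ev["ts"].time() <= end:
            alerts.append(("outside_window", ev["user"], ev["src"], stamp))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```

On the constructed log this raises four alerts: the HVAC vendor account that nobody approved, the admin account that logged in after three failures and is also absent from the policy, and the approved POS support vendor connecting at 22:15, outside its window. The point is that the policy (who may connect, from where, when) has to exist in writing before monitoring can flag a deviation from it.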
To ensure strong POS security, your organization should use PCI-approved point-of-interaction devices that encrypt data where it's captured. This prevents exposure of plaintext cardholder data in these attacks. Also, consult your POS device vendors and IT partners to understand options for strengthening security with point-to-point encryption and tokenization throughout the cardholder data environment. These technologies have the potential to make cardholder data unusable and worthless if stolen. Finally, 2015 is a big year of transition as merchants in the U.S. implement EMV (Europay, MasterCard and Visa) chip cards to reduce fraud in card-present transactions. Used together with PCI standards, these technologies provide a layered approach to payment security that makes theft of cardholder data a non-event.
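To show why tokenization can make stolen cardholder data "unusable and worthless", here is an added example of a format-preserving token vault in Python. It is not code from the article, the PCI SSC or any vendor product: the vault design (random same-length tokens that keep the last four digits and deliberately fail the Luhn check, with an HMAC-keyed lookup index) and the use of the standard Visa test number are assumptions of this example, and the whole thing runs in memory.

```python
import hmac
import secrets


def luhn_valid(number: str) -> bool:
    """Luhn check-digit test that every real PAN passes."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def masked(value: str) -> str:
    """Truncated display form: only the last four digits are shown."""
    return "*" * (len(value) - 4) + value[-4:]


class TokenVault:
    """Hypothetical token vault (an assumption of this example, not a PCI SSC design).

    Tokens are random digits of the same length as the PAN, keeping the last four so
    receipts and legacy reports still work, and are chosen to FAIL the Luhn check so a
    token can never be mistaken for, or used as, a real card number.  The PAN store here
    is an in-memory dict; a production vault keeps it encrypted in a segmented service,
    typically HSM-backed.  The lookup index is keyed by an HMAC of the PAN under a vault
    secret so the index itself holds no plaintext card numbers.
    """

    def __init__(self):
        self._key = secrets.token_bytes(32)
        self._token_to_pan = {}
        self._pan_index = {}  # HMAC(PAN) -> token, so a repeat card gets the same token

    def _index_key(self, pan: str) -> str:
        return hmac.new(self._key, pan.encode(), "sha256").hexdigest()

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "").replace("-", "")
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        idx = self._index_key(pan)
        if idx in self._pan_index:
            return self._pan_index[idx]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Keep drawing until the token is unique and is not a valid card number.
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can reverse a token; unknown tokens raise KeyError."""
        return self._token_to_pan[token]


if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize("4111 1111 1111 1111")  # standard Visa test number
    print("stored token :", token, "(Luhn valid:", luhn_valid(token), ")")
    print("display form :", masked(token))
    print("vault lookup :", vault.detokenize(token))
    try:
        TokenVault().detokenize(token)  # someone holding only the token, without the vault
    except KeyError:
        print("without the vault the token cannot be turned back into a PAN")
```

The security property is in the last few lines: every system downstream of the vault (the POS database, reporting, loyalty) stores only the token, so a compromise of those systems yields strings that are not card numbers and cannot be reversed without the vault. That shrinks the part of the environment that handles real PANs, which is the same effect point-to-point encryption has on the capture path.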
Often an organization's approach to PCI security is to focus on passing the annual compliance assessment. But this is just the start of a vigilant, proactive security program. Organizations also need to anticipate and assess new risks in order to get ahead of emerging threats. Ongoing threat assessments and gap analysis will help to identify vulnerabilities and risks – and opportunities to improve security with technologies such as encryption and tokenization.
There is no silver bullet to security or preventing breaches. Yet, with a multi-layered approach that includes vigilance in monitoring and managing access, proactively strengthening security at the point-of-sale and actively preparing to meet new threats, your organization can significantly reduce the types of risks that have enabled recent breaches. Take action now and strike back with confidence to ensure the safety of cardholder data.
Stephen Orfei is general manager of the PCI Security Standards Council.