If you’ve watched the news or read the paper over the past few months, you’ve probably had to stop and check your credit card statements. Big, well-known retailers such as Target, Neiman-Marcus and Michaels have all experienced successful breaches that have exposed consumer credit card information – a worst case scenario for any retailer.
What’s happening? Why are these well-known, well-funded, and (seemingly) resource rich companies experiencing significant breaches that jeopardize their brand reputations and leave them open to compliance fines?
These breaches have all been compromises of POS terminals, which today are essentially computers, via malware that was specifically altered for each merchant’s terminals. How the criminals got into the networks and then gained access to these systems has not been disclosed, but I don’t think it’s a stretch to state that it was via the common vulnerabilities and attack vectors that are well known and that we all know how to identify and avoid, but don’t always fully address.
Not having all of the information, my take is that retailers are focusing too much on being compliant and not on ensuring they have strong security programs in place. Both disciplines – security and compliance – are critical for businesses, but the fact is that compliance does not equal security and these breaches appear to illustrate this point.
The Payment Card Industry Data Security Standard (PCI DSS) focuses on credit card data – only one of many types of data these large retailers handle – and many retailers try to apply the DSS controls only to the systems directly involved in credit card processing. This creates, in my opinion, a recipe for disaster given that these are large, multi-billion dollar corporations with many internal systems and applications all deployed in a complex multi-site architecture with multiple interdependencies. Trying to only apply the DSS controls to these systems rather than applying strong security principles to all systems and data typically results in a lower overall security posture.
These breaches are timely examples of why PCI DSS was recently changed. One of the bigger changes in 3.0 makes a point of focusing on the security of payment terminals and the possibility of compromise. Since these devices are now computing platforms with operating systems and applications, good security practice requires that they be treated like other similar devices. That requires them to have controls such as malware detection and file integrity monitoring applied to them so rogue applications can be found sooner.
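As an added illustration of the file integrity monitoring control mentioned above (example code written for this post, not taken from the original or from any PCI DSS material): it baselines SHA-256 hashes of a directory tree and reports which files were added, removed or modified since the baseline. The directory layout and file names in the demo are constructed.

```python
import hashlib
import json
import os
import tempfile

# Added example (not from the original post): a minimal file-integrity
# baseline-and-compare routine of the kind a FIM control runs on a POS
# terminal's application directory. File names below are constructed.

def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Return {relative_path: sha256} for every regular file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            snap[os.path.relpath(full, root)] = _sha256(full)
    return snap

def compare(baseline, current):
    """Classify drift from the baseline: new, deleted and changed files."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}

def demo():
    """Build a constructed POS-like tree, take a baseline, then drift it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin", "pos_app"), "wb") as f:
        f.write(b"release build 1.0")
    with open(os.path.join(root, "config.ini"), "wb") as f:
        f.write(b"terminal=1")
    baseline = snapshot(root)   # in practice, store this off the host
    with open(os.path.join(root, "bin", "pos_app"), "wb") as f:
        f.write(b"release build 1.0 + unexpected bytes")   # modified
    with open(os.path.join(root, "bin", "extra.dll"), "wb") as f:
        f.write(b"not in baseline")                        # added
    os.remove(os.path.join(root, "config.ini"))            # removed
    return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline should be taken from a known-good build and kept off the terminal; a baseline stored beside the files it protects can be rewritten along with them.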
What’s happened to these businesses shows us that a) card attacks are not a thing of the past and b) it is not just smaller sites that hackers pursue because they ‘seem’ like easier candidates. We’re reminded that all companies – regardless of size – must be vigilant and should employ solid security practices that lead their compliance programs. By putting security first, compliance will undoubtedly follow and breaches such as these can be better mitigated.