Cyber stepping stone

by Mark Rowe

Even the smallest companies need to monitor their payment card data constantly, because cyber criminals increasingly use small firms as a stepping stone for attacks on larger businesses, warns Andrew Mason, co-founder and technical director of penetration testing firm and PCI ASV (Payment Card Industry Approved Scanning Vendor) RandomStorm.

A report in the Times newspaper revealed that the latest Office for National Statistics crime statistics for England and Wales had omitted around 3.6 million instances of card fraud and bank and building society fraud.

In the last three years alone, the reported breaches show how determined and sophisticated cyber criminals have become in their efforts to access payment card details. Epsilon (March 2011), Sony (April 2011), Zappos (January 2012), Global Payments (March 2012), Adobe Systems (October 2013), Target (December 2013), Neiman Marcus (January 2014), Yahoo (January 2014), Michaels Stores (January 2014), White Lodging Services, comprising Marriott, Hilton, Sheraton and Westin (February 2014), P.F. Chang’s (June 2014) and Supervalu (August 2014) have provided a dozen examples of cyber criminals breaching carefully constructed defences.

Considering the resources that large retailers have to invest in their payment card security, small and medium sized retailers might be forgiven for feeling overwhelmed by the scale of the threat to their payment card environment. However, it is important to remember that smaller companies are part of the data value chain of larger organisations, and cyber criminals have exploited the weak security of partner companies as the initial point of attack on larger businesses.

It has been reported that Target was the victim of a two-stage cyber attack. By gaining access to the network via a third party’s connection, the perpetrators were able to use the “Backoff” strain of malware to steal data from a point of sale (POS) machine. The POS had been deemed secure because it had no direct connection to the internet. Having harvested this confidential payment card data, the thieves were able to move it surreptitiously across the internal network onto an FTP server. The perpetrators then began patiently ‘drip-feeding’ the data out of the network over a matter of months, enabling them to steal an estimated 40 million credit card records without detection.

While the big breaches grab the headlines, it is a mistake to assume that smaller businesses will be passed over by cyber criminals looking for richer pickings. A recent World Pay report revealed that 61% of all businesses that had customers’ data stolen in 2013 were small companies. Applying Defence in Depth to payment card security reduces risks by deflecting opportunistic attackers.

PCI DSS version 3.0 contains 352 controls, spread over 12 requirements, to provide payment card processors with a structured Defence in Depth methodology to reduce the risk to customers’ payment card data. While 352 controls may seem daunting to smaller retailers, PCI DSS can be simplified to two specific areas of concern – retailers are required to focus on their technology and their retail environment.

The technology environment covered by PCI DSS involves the computer hardware and the system applications that retailers use to process their customers’ payment card data. If a retailer already has a payment system installed that complies with the latest standard for applications, then they have made significant progress towards PCI DSS compliance. The retail environment covered by PCI DSS involves the methods and procedures retailers use to protect their customers’ credit card data. This includes knowing precisely where customer payment card data is stored and ensuring the absolute security of that information while it is being stored. It is essential that retailers only store information necessary to support a business transaction and that they know which individuals have access to that data. PCI DSS stipulates that access should be restricted to those who need to know.
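As an added illustration (not part of the original article or RandomStorm’s own tooling), the following cardholder-data discovery check is the kind of thing a small retailer could run over exports, logs or backups to find where full card numbers are still stored. The sample CSV is constructed; candidate numbers are confirmed with the Luhn checksum and reported truncated, so the check itself never writes out a full PAN.

```python
import re

# Candidate runs of 13-19 digits, allowing single spaces or dashes between digits.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str):
    """Return (line_number, truncated_pan) for each Luhn-valid candidate in the text.

    Only the first six and last four digits are kept, so the report can be
    handled without itself becoming cardholder data.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_PATTERN.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
                hits.append((lineno, masked))
    return hits


# Constructed sample: an order export that still holds full card numbers (hypothetical data).
# Row 1003 is a 16-digit number that fails Luhn and must not be reported.
SAMPLE_EXPORT = """\
order_id,customer,card,amount
1001,A. Smith,4111 1111 1111 1111,19.99
1002,B. Jones,5500-0000-0000-0004,42.50
1003,C. Brown,1234567890123456,7.00
1004,D. Green,tokenized:tok_8f3a2,13.20
"""

if __name__ == "__main__":
    for lineno, masked in find_pans(SAMPLE_EXPORT):
        print(f"line {lineno}: possible full PAN {masked}")
```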

Help is at hand for small retailers that feel overwhelmed by the threat of card fraud. There is a wealth of information about PCI DSS online (https://www.pcisecuritystandards.org/) and a number of Qualified Security Assessors (QSAs) who can be consulted. A QSA can coach retailers through the process of applying PCI DSS to their business transactions, helping them to ensure that their technology and retail environment actively protect their customers’ payment card data. PCI DSS is a useful framework and benchmarking tool for payment card security; however, it is important to remember that it is not tailored to each type of merchant. A good QSA can help a business to make informed choices about how to reduce the risk to its specific technology, retail and card environment.

Compliance with PCI DSS not only preserves a small retailer’s ability to process payment cards, it also helps to protect its relationships with its customers and suppliers, which may be much larger retailers.

A Brunswick survey published in June 2014 found that 75 per cent of consumers believe retailers are not doing enough to prevent infiltrations into their customer data and payment systems. The same percentage stated that retailers, not banks or card issuers, should be held financially responsible for consumer losses that result from a breach. Worryingly, 34 per cent of those surveyed reported that they had stopped shopping at a specific retailer following a data breach.

World Pay stated that the number of credit and debit cards at risk from data security breaches in the UK increased from under 200,000 cards in 2012 to more than 3 million in 2013. No business is too small to be targeted. With card fraud losses totalling £450m in the UK last year and with each payment card record valued at approximately £86, there is a clear business case for investing in professional support to understand how PCI DSS should be applied to businesses of every size.

Visit www.randomstorm.com.
