Risk

10/26/2012
12:05 PM
50%
50%

Ten Ways To Secure Web Data Under PCI

PCI compliance can create headaches for companies that do online commerce. Is your e-business ready?

Whether they're brick-and-mortar or online, merchants find the Payment Card Industry's requirements for protecting credit card data challenging and confusing.

But all retailers must understand how to protect the credit card and other customer data that comes from online transactions, because their businesses are in cybercriminals' crosshairs. Retailers are the second leading source of leaked data (after the hospitality industry), accounting for 20% of total breaches, according to Verizon's 2012 Data Breach Investigations Report. And though the U.S. Census Bureau reports that e-commerce transactions account for only about 5% of the retail economy, they've steadily grown every year.

"It's an interesting world out there, and a very scary world for a merchant, because from day one, you're a target," says John South, chief security officer for payment processor Heartland Payment Systems.

Many of the retailers playing in this scary online world are small businesses, and they're the most vulnerable: Nearly 95% of breaches happen to merchants with 100 employees or fewer, according to the Verizon report. They don't have the dedicated security and risk management teams larger businesses have.

"We aren't seeing a lot of large-scale breaches. We're seeing much smaller breaches," says Bob Russo, general manager of the PCI Security Standards Council, the governing body for PCI's Data Security Standard (PCI DSS). "These standards are right on target for the big guys with the big security departments, ... but we have to find out a way to make it easier for the smaller merchants."

Online retailers have one big security requirement that the 100% brick-and-mortar corner store doesn't have: card-not-present transactions. Because customers don't physically hand over their credit cards for online purchases, payment processors require all online merchants to submit to a quarterly network scan by an approved security vendor. Such scanning is designed to detect vulnerabilities and misconfigurations.

Many online retailers aren't aware of this and other PCI requirements and how to deal with them, but simple steps can make a big difference when it comes to protecting customer data. The Verizon study found that 96% of victims of successful attacks had failed to comply with the PCI rules they were subject to, and 97% of breaches could have been prevented through simple or intermediate security controls.

The following 10 steps will help your company institute the controls needed to secure cardholder data and meet PCI's requirements.

1. Know Your Infrastructure

Online merchants must worry about the degree to which their online retail systems integrate with their day-to-day business networks. Start by assessing your infrastructure to determine which systems handle transaction and cardholder data.

Network scanning and log analysis can help identify which systems have access to card data, says Greg Rosenberg, a qualified security assessor with managed security provider Trustwave. These systems are the ones that you'll want to subject to PCI DSS.

"There are a lot more attack vectors--a lot more systems--that we find and can identify vulnerabilities in than customers know about," Rosenberg says.

Get a qualified security assessor involved, he says. "I'm not looking for who can get me through my audit really quickly, but who can help me understand my risk," Rosenberg says. "I would rather significantly reduce my risk posture than quickly pass PCI."

2. Find The Data

Companies save card data for three main reasons: to better handle customer service requests, to allow easy reuse of credit cards, and to handle chargebacks, according to the Ponemon Institute's 2011 PCI DSS Compliance Trends Study. "We still have way too many companies using credit card numbers as the primary identifier for their customers," says Martin McKeay, a security evangelist at Internet services company Akamai.

Whatever the reasons for hanging on to customer data, companies should hunt down every instance on their systems, whether on Web servers, in a customer service application, or on a sales associate's laptop. Discover where the data resides, who has ac- cess to it, and whether they need the information at all.

Marketing types, for instance, want to save everything, "because someday they might use the data to send someone a coupon," says PCI SSC's Russo. "If you don't need the data, don't store it."

chart: Percentage of companies that passed the three most difficult PCI requirements last year

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Previous
1 of 3
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
New Free Tool Scans for Chrome Extension Safety
Dark Reading Staff 2/21/2019
Privacy Ops: The New Nexus for CISOs & DPOs
Amit Ashbel, Security Evangelist, Cognigo,  2/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-1698
PUBLISHED: 2019-02-21
A vulnerability in the web-based user interface of Cisco Internet of Things Field Network Director (IoT-FND) Software could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system. The vulnerability is due to improper handling of XML External E...
CVE-2019-1700
PUBLISHED: 2019-02-21
A vulnerability in field-programmable gate array (FPGA) ingress buffer management for the Cisco Firepower 9000 Series with the Cisco Firepower 2-port 100G double-width network module (PID: FPR9K-DNM-2X100G) could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) conditio...
CVE-2019-6340
PUBLISHED: 2019-02-21
Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RE...
CVE-2019-8996
PUBLISHED: 2019-02-21
In Signiant Manager+Agents before 13.5, the implementation of the set command has a Buffer Overflow.
CVE-2019-1681
PUBLISHED: 2019-02-21
A vulnerability in the TFTP service of Cisco Network Convergence System 1000 Series software could allow an unauthenticated, remote attacker to retrieve arbitrary files from the targeted device, possibly resulting in information disclosure. The vulnerability is due to improper validation of user-sup...