PCI Rules Apply Even On Black Friday

Uptime might be the name of the game during the holiday shopping season, but retailers need to balance the focus with security and compliance best practices
As the calendar begins to barrel straight past the Thanksgiving sizzle of roasted turkey and right into the ka-ching of Black Friday and Cyber Monday, IT departments at retailers around the world are already singularly focused on money-making uptime. But security experts warn that during this busy time of year, retailers need to remember that security and PCI compliance issues don't just go away.

"With billions of dollars expected to be spent online during the holiday season this year, retailers not only need to worry about making sure their websites can handle the influx of shoppers, but also that it’s secure," says Mandeep Khera, CMO of LogLogic. "Merchants who collect credit card information have to be extra careful about a potential breach -- both to protect their brand and to be PCI-compliant."

But the truth is that at many organizations, the holiday shopping season isn't just a time for chocolate fudge -- it's also time for fudging on the security rules and mindset laid out by PCI guidelines. According to Branden Williams, global CTO of marketing at RSA, The Security Division of EMC and a member of the PCI Board of Advisers, most retail outfits of all sizes have already entered a network freeze period during which no changes of any type can be made to avoid even the whisper of complications that could cause downtime. That's well and good from a business standpoint, but the truth is that vulnerabilities that need patching and mitigation don't take a raincheck during the high shopping season, he warns.

"We've already entered the network freeze for most of these companies, so no changes to network components, system components, or applications are going to occur for the next month-and-a-half, until the middle of January. Nobody wants to get in the way of payments from going through," Williams says. "Even though I understand it, it still amazes me because it impacts some of the decision-making criteria about how severe a vulnerability might be. When I see a patch that comes out, theoretically if I'm doing this right for PCI purposes, I'm doing a detailed analysis of what the patch is and a risk assessment of what that means for the organization. I would hope that something that looks like a severe vulnerability would not be ignored in favor of the freeze."

But having worked with many retail organizations during his tenure before RSA, Williams says the mindset many retail technology executives harbor is that they are "compliant" unless a breach occurs. It's the retail version of Russian roulette.

"A lot of merchants feel this way, but they probably won't tell you this. In the back of their heads they're saying, 'I'm compliant until I'm compromised. If I let this ride for three weeks and nothing happens to me as far as breaches are concerned, I'm scot-free. I got away with it,'" he says.

Unfortunately, the bad guys are waiting to pounce on these transgressions. Where there are transactions, there are fraudsters looking to take advantage, which makes this time period ripe for abuse from the cybercriminals. Getting caught up solely in uptime issues without balancing security and compliance concerns only further rolls out the welcome mat for these crooks. That is why organizations need to stay on top of the PCI requirements even now, remaining vigilant about activities such as logging.

"Organizations must ensure the integrity of their logs by implementing file-integrity monitoring and change-detection software on logs to ensure that existing log data cannot be changed without notice," Khera says. "With these precautions in place, retailers can ensure that their customers’ credit card information is secure this holiday season.”

Tim "TK" Keanini, CTO for nCircle, agrees, stressing that amid the hustle of the holidays, retailer IT staff need to be on high alert.

"Approach every online communication with a jaded, cynical eye. Take the time to double check anything that seems even remotely suspicious. Make your partners prove they are who they say they are; if you have any doubt, pick up the phone and call to verify any strange communication," he says. "Check out the extended certificates of websites to be sure that the site you landed on is where you wanted to go. There is no such thing as too much paranoia when it comes to digital communication.”

Ideally, Keanini says, organizations have already put their house in order with PCI scans and audits prior to Black Friday because, as his colleague Andrew Storms puts it, PCI compliance is an everyday activity that doesn't change with the seasons.

“If you follow PCI compliance requirements all year long, then you don’t need to do anything different for the holidays," says Storms, director of security operations for nCircle. "Good security and compliance processes and policies work just as well in July as they do in December. If you aren’t PCI-compliant year round, all you can do now is patch and pray.”

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.