Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //


10:42 AM

PCI Rules Apply Even On Black Friday

Uptime might be the name of the game during the holiday shopping season, but retailers need to balance the focus with security and compliance best practices

As the calendar begins to barrel straight past the Thanksgiving sizzle of roasted turkey and right into the ka-ching of Black Friday and Cyber Monday, IT departments at retailers around the world are already singularly focused on money-making uptime. But security experts warn that during this busy time of year, retailers need to remember that security and PCI compliance issues don't just go away.

"With billions of dollars expected to be spent online during the holiday season this year, retailers not only need to worry about making sure their websites can handle the influx of shoppers, but also that it’s secure," says Mandeep Khera, CMO of LogLogic. "Merchants who collect credit card information have to be extra careful about a potential breach -- both to protect their brand and to be PCI-compliant."

But the truth is that at many organizations, the holiday shopping season isn't just a time for chocolate fudge -- it's also time for fudging on the security rules and mindset laid out by PCI guidelines. According to Branden Williams, global CTO of marketing at RSA, The Security Division of EMC and a member of the PCI Board of Advisers, most retail outfits of all sizes have already entered a network freeze period during which no changes of any type can be made to avoid even the whisper of complications that could cause downtime. That's well and good from a business standpoint, but the truth is that vulnerabilities that need patching and mitigation don't take a raincheck during the high shopping season, he warns.

"We've already entered the network freeze for most of these companies, so no changes to network components, system components, or applications are going to occur for the next month-and-a-half, until the middle of January. Nobody wants to get in the way of payments from going through," Williams says. "Even though I understand it, it still amazes me because it impacts some of the decision-making criteria about how severe a vulnerability might be. When I see a patch that comes out, theoretically if I'm doing this right for PCI purposes, I'm doing a detailed analysis of what the patch is and a risk assessment of what that means for the organization. I would hope that something that looks like a severe vulnerability would not be ignored in favor of the freeze."

But having worked with many retail organizations during his tenure before RSA, Williams says the mindset many retail technology executives harbor is that they are "compliant" unless a breach occurs. It's the retail version of Russian roulette.

"A lot of merchants feel this way, but they probably won't tell you this. In the back of their heads they're saying, 'I'm compliant until I'm compromised. If I let this ride for three weeks and nothing happens to me as far as breaches are concerned, I'm scot-free. I got away with it,'" he says.

Unfortunately, the bad guys are waiting to pounce on these transgressions. Where there are transactions, there are fraudsters looking to take advantage, which makes this time period ripe for abuse from the cybercriminals. Getting caught up solely in uptime issues without balancing security and compliance concerns only further rolls out the welcome mat for these crooks. That is why organizations need to stay on top of the PCI requirements even now, remaining vigilant about activities such as logging.

"Organizations must ensure the integrity of their logs by implementing file-integrity monitoring and change-detection software on logs to ensure that existing log data cannot be changed without notice," Khera says. "With these precautions in place, retailers can ensure that their customers’ credit card information is secure this holiday season.”

Tim "TK" Keanini, CTO for nCircle, agrees, stressing that amid the hustle of the holidays, retailer IT staff need to be on high alert.

"Approach every online communication with a jaded, cynical eye. Take the time to double check anything that seems even remotely suspicious. Make your partners prove they are who they say they are; if you have any doubt, pick up the phone and call to verify any strange communication," he says. "Check out the extended certificates of websites to be sure that the site you landed on is where you wanted to go. There is no such thing as too much paranoia when it comes to digital communication.”

Ideally, Keanini says, organizations have already put their house in order with PCI scans and audits prior to Black Friday because, as his colleague Andrew Storms puts it, PCI compliance is an everyday activity that doesn't change with the seasons.

“If you follow PCI compliance requirements all year long, then you don’t need to do anything different for the holidays," says Storms, director of security operations for nCircle. "Good security and compliance processes and policies work just as well in July as they do in December. If you aren’t PCI-compliant year round, all you can do now is patch and pray.”

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Can Your Patching Strategy Keep Up with the Demands of Open Source?
Tim Mackey, Principal Security Strategist, CyRC, at Synopsys,  6/18/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-06-19
A double-free can happen in idr_remove_all() in lib/idr.c in the Linux kernel 2.6 branch. An unprivileged local attacker can use this flaw for a privilege escalation or for a system crash and a denial of service (DoS).
PUBLISHED: 2019-06-19
Stack-based buffer overflow in Advantech WebAccess/SCADA 8.4.0 allows a remote, unauthenticated attacker to execute arbitrary code by sending a crafted IOCTL 81024 RPC call.
PUBLISHED: 2019-06-19
In Apache Allura prior to 1.11.0, a vulnerability exists for stored XSS on the user dropdown selector when creating or editing tickets. The XSS executes when a user engages with that dropdown on that page.
PUBLISHED: 2019-06-19
When using gdImageCreateFromXbm() function of gd extension in versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of uninitialized variable. This may lead to disclosing contents of the stack that has been ...
PUBLISHED: 2019-06-19
Function iconv_mime_decode_headers() in versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 may perform out-of-buffer read due to integer overflow when parsing MIME headers. This may lead to information disclosure or crash.