Jingle Bells, Retail Sells, Attacks Are on the Way (Part 1)
It’s that time of year where retail booms as the world goes shopping for gifts during the holiday season. It’s a time for retailers to shine. But, it’s also the time where retailers are most vulnerable to security risks as bad actors gear up to target them. In this two part series, we will discuss things retailers should consider this holiday season to better secure themselves from attacks and to ensure continuous compliance to industry regulations.
What is PCI-DSS?
The Payment Card Industry Data Security Standard (PCI or PCI-DSS) is the de facto, and minimum, data security standard that retailers and merchants that process credit card transactions must abide by. Generally speaking, when I hear about compliance with regulations, I usually think of some long, onerous piece of legislation full of legalese that makes it difficult to decipher and understand the compliance requirements. With that said, the PCI compliance terms are actually not all that difficult and are pretty easy to comprehend.
The reason regulation like this exists is to ensure accountability for retailers who are processing credit card transactions and to protect consumers. If payment card data gets breached, there are a lot of downstream people and organizations that are impacted. First, the individual consumers now have personal information about themselves compromised that can be used to make fraudulent purchases on their behalf. In addition, depending on what information gets exposed, it could potentially lead to other forms of identity theft. Second, the credit card companies now have to settle fraudulent transactions with the consumers and merchants and provide new credit cards for affected consumers. Third, the retailer will likely have to absorb shrinkage on any fraudulent purchases for not protecting the consumer’s data properly. In addition to the direct cost, there is tremendous reputational cost for the retailer that can damage the brand for years to come.
PCI-DSS Compliance
Given this backdrop, what exactly does it take to be PCI compliant? As per the PCI Security Standards Council’s Reference Guide, there are twelve things that retailers must do to stay compliant:[1]
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
Retailers come in all shapes and sizes. With the Internet, it’s fairly easy to set-up your own ecommerce website and take credit card information. Given this ease of entry, the regulations cannot put any undue financial strain on retailers for compliance purposes that would be deemed non-competitive and restrict competition with larger retailers. Despite these constraints, these requirements along with more detailed sub-requirements seem pretty straightforward and things that any retailer of any shape or size could comply with without undue financial burden.
Why PCI is not enough?
As with any good regulation, PCI provides sufficient ambiguity allowing companies and merchants to be compliant without actually solving the root cause problem, which is to ensure security of the consumer. PCI at best provides some best practices that retailers should implement to provide bare minimum controls to protect consumers. However, when you read these requirements you will see that they’re not enough.
As we have seen recently in the retail industry with large scale data breaches at Target and The Home Depot, being PCI compliant is not sufficient. Both of these companies were PCI compliant and yet were still victims of bad actors. In addition, the point of attack for retail may be due to a breach at the point of sale or could be a botnet that triggers a Distributed Denial of Service (DDoS) attack for Internet commerce. Even the best regulations cannot prevent these types of things from happening. Hence, the retail industry needs to think beyond just compliance with PCI and think about what can we do to ensure compliance and security?
Being Compliant and Going Beyond this Holiday Shopping Season
When thinking about this holiday shopping season, it feels like we are more susceptible to a major attack taking place more so than ever. Hence, when we think about retail cyber security, let’s think about how to not only ensure PCI compliance, but what can we do to go above and beyond and ensure we protect consumer payment card data? I’m going to focus on three specific areas that can help you prepare for the real risks this holiday season.
1. Penetration Testing Process – the regulation says that internal and external pen testing must be done at least once annually. This can be done with an external party that conducts the test for you or in house using a penetration testing tool or red team. This will ensure compliance to the standard. However, to fully ensure continuous compliance and security, make the one-time investment in pen testing software so that you can continuously pen test your networks and applications to continuously validate your security posture rather than relying on only one point in time.
2. Vulnerability Prioritization – in section 6.2 of the regulation, it asks retailers to establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities. Using the Common Vulnerability Scoring System (CVSS) for Common Vulnerabilities and Exposures (CVE) that are managed by Mitre Corporation is a great starting point to comply with Section 6.2 of the regulation. However, putting a more comprehensive risk framework that takes into account vulnerability scoring, known exploits associated with vulnerabilities, and the impact a vulnerability has along your attack path to the cardholder data system can help you not only comply with PCI, but can give you better focus and prioritization around which vulnerabilities are critical to fix with your limited resources and bandwidth.
3. Continuous Access Certification – in section 7.2 of the regulation, it asks retailers to establish an access control system for system components with multiple users that restricts access based on a user’s need to know. This can easily be done with an Identity and Access Management (IAM) system that supports attestation and access certification reviews. However, retailers should consider going beyond simply having an IAM system by implementing Identity Analytics tools to understand where risk areas may exist despite your implementation of access controls to potentially account for segregation of duties violations many layers deep in nested entitlement structures. Due to the complexity of the interrelationship of accounts, users, and entitlements, this is not possible from a standard IAM system, so upgrade your compliance and security with better visibility through Identity Analytics.
While the PCI is a start in the right direction, simple compliance with the standard is not enough from a security perspective. Retailers need to investigate and implement tools that will help them ensure compliance and go above and beyond to more effectively prevent and remediate attacks when they do in fact happen.