Cyber-attacks designed for financial gain are on the rise, targeting proprietary information including customer and financial information. With over 127 million records exposed in 2007 in the US alone, attacks are becoming increasingly more sophisticated. Learn more about best practices to protect the cardholder data environment and achieve PCI compliance.
Cyber-attacks designed for financial gain are on the rise, targeting proprietary information including customer and financial information. With over 127 million records exposed in 2007 in the US alone, attacks have become more sophisticated, involving not only attacks at both the network layer and the application layer but also other attack vectors such as social manipulation, breakdown in internal security processes and trusted insider abuse. The cost to businesses, in lost revenue and customer loss, can be staggering. TJX estimates that it spent over $20M related to its late 2006 breach, including settling lawsuits and addressing data security issues.
The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide standard designed to help organizations secure cardholder processing environments.
Best practices to effectively secure the cardholder environment and achieve compliance with the standard start with a properly documented, executive-management-endorsed information security policy that is broadly communicated, tested and enforced. These best practices also include understanding the organization’s cardholder data environment (where the data is located and stored, and how it moves between applications), regular monitoring of the network for potential vulnerabilities, ongoing reporting of network activity, and regular internal and third-party penetration testing.
Targeted, financially motivated attacks via the Internet continue to be on the rise, fueled even further by current economic factors. Internally originated threats are still considered a primary cause of security breaches, but external attacks remain a very serious threat. When a recent e-Crime Survey asked which caused more damage, internal or external attacks, the distribution was fairly even, at 34% vs. 37%, respectively. Acquiring unsecured financial information is the primary objective of hackers and organized crime, in order to fuel a thriving black market for stolen credit card numbers, bank accounts, passwords, personal identification numbers and other data. With dramatically reduced budgets, the associated layoffs and fierce competition for revenues, industrial espionage is also likely to pose an increased threat. These attacks target not only online retailers but also, increasingly, higher education, government, manufacturing and bio-medical organizations. Furthermore, breaches now also occur on point-of-sale, back office, and wireless technology systems. Recently reported vulnerabilities, also on the rise (Figure 1), include SQL injection, poor/default server configuration, and Cross Site Scripting.
According to the Identity Theft Resource Center (ITRC), in 2007 the total number of records containing sensitive personal information involved in security breaches was 127,726,343, involving companies that span all industries – retail, education, financial, government, telecommunications, healthcare, publishing, manufacturing, bio-med – no industry was immune. All companies handle personal information of some type, which subjects them to attack.
Recently, the most successful attacks have been sophisticated, targeting particular organizations and designed for financial gain. Attacks have become more complex and involve other factors such as social engineering, insider abuse, and process breakdown in addition to technology weaknesses.
While the impact of the loss of personal information can be traumatic for consumers, who must go through the anxiety and remediation steps of potential or real identity theft, the cost to businesses can be staggering. Fines, loss of revenue, loss of customer loyalty and irreparable damage to brand or image have all been experienced by organizations that have been hit by a data breach.
Formed in 2004 by Visa, MasterCard, American Express, Discover, and JCB, in response to the emerging threat to cardholder information, the PCI Security Standards Council (PCI SSC) defines 12 requirements that must be met for compliance with the standard; failure to do so may result in steep fines that can reach into the hundreds of thousands of dollars. PCI DSS V1.2, the latest update, was released in October 2008; the complete document, as well as what is new in V1.2, can be found on the PCI Security Standards Council website.