Friday 17 January 2014

Target breach highlights the importance of PCI DSS compliance

While the US retail industry is reeling from what has been declared by some as the ‘worst breach in history’, the payment breach at retail giant Target has put a very real perspective on the importance of PCI DSS compliance within large organisations.

Up to 70 million customers had payment card and personal data stolen from the company's databases in December 2013 (30 million more than first thought). Target reported that hackers took credit card numbers, names, postal addresses, phone numbers and email addresses, implying that Target stored credit card details in breach of PCI regulations.

With increased scrutiny expected from the payment card brands on POS and payment application security as a result of the more stringent requirements written into PCI DSS 3.0 and PA-DSS 3.0, Target's breach serves as a further reminder of why POS systems need to be on US retailers' immediate radar. The US still uses a signature and a magnetic stripe to secure transactions rather than an encrypted chip. The introduction of the EMV Chip and PIN standard has radically reduced fraud in many of the countries that have adopted it.

It seems evident that for a hacker to infiltrate Target's network and access the POS application, several PCI DSS and PA-DSS controls were ineffectively implemented. But several Target insiders, who commend Target’s security practices, suggest that it goes further than the POS systems and that some interception must have happened elsewhere in the processing chain. Owing to the sheer scale of the attack during the busiest holiday period, they believe that multiple insiders may have been involved.

Regardless of the intricacies of the Target breach's cause, the ultimate lesson is that organisations need to pay greater attention not only to the POS-related changes put forward by the PCI Security Standards Council, but to all areas of security that involve data storage and its access controls.

The overarching theme of PCI DSS version 3.0 from the PCI SSC is to take a proactive stance when implementing the security controls that guard these systems. This should lead merchants to readdress security for their transaction points (POS, online and contact centres), as well as their network, data storage and human access. In the meantime, Target is unlikely to be the last breach we see this year.
