FIN6, a cybercrime gang, is targeting retail and hospitality point-of-sale (POS) devices to steal payment-card information and put that data up for sale quickly online, says cybersecurity firm FireEye. The gang has stolen data for about 20 million cards. In one case, FireEye observed that FIN6 had installed malware on POS devices to obtain information from the payment card’s magnetic stripe.
FIN6 is not the only threat to payment card information, and these cybercrime activities exact a high cost to both businesses and consumers. The latest numbers from the Ponemon Institute, an independent research firm that studies IT security and data protection, show that the tangible costs of data breach increased to $3.79 million in 2015. That doesn’t count things like reputation, goodwill and consumer trust.
Ensuring consumer trust in the credit and debit card system is a goal of the Payment Card Industry Data Security Standard (PCI DSS). Mandated by Visa, MasterCard and other card issuers, PCI DSS requires entities that store, process or transmit cardholder or authentication data to comply with certain data protection measures and submit to regular security audits.
Compliance with PCI DSS will not prevent a data breach. However, the standard represents baseline security measures that go a long way toward protecting cardholder information.
PCI DSS specifies a wide range of security controls, such as firewall configuration and maintenance, maintenance of antimalware software, robust access control and authentication mechanisms, and the use of strong passwords. It also requires merchants to establish an information security policy and ensure that all personnel are trained in its requirements.
PCI 3.0, which became mandatory January 1, 2015, went further by introducing a new way of thinking about payment card security. The central message is that security must be an everyday business process rather than an annual compliance report. In the past, merchants often put PCI compliance on the backburner until it had to be assessed and validated, with much of the responsibility falling on the IT department. Today, payment card security is a shared responsibility across the entire organization.
In light of this new approach, PCI 3.0 also added best practices for ensuring compliance on an ongoing basis.These best practices include:
- Regular monitoring of security tools and protocols to ensure they are working correctly
- Establishing processes for quickly detecting and addressing security control failures
- Separating responsibilities for security and operations to create a system of checks and balances
- Determining how changes to the IT environment will impact PCI-DSS compliance, and adjusting security controls accordingly
- Evaluating how mergers, acquisitions and other organizational changes will affect PCI-DSS compliance
While not mandatory, these best practices reflect a strategic approach to combating today’s security threats. They acknowledge that what worked yesterday may not work tomorrow, so constant vigilance is required.
PCI 3.1 was introduced last year to address vulnerabilities in certain encryption protocols. PCI 3.2 was just introduced, requiring multifactor authentication and additional security controls for service providers. More on this in our next post.
Keeping up with the ever-changing threat landscape is a tall order for any organization. Organizations need a trusted partner who can help guide decision-making and deploy robust tools to help bolster their security posture. Atlantic-IT.net, your outsourced IT department, has broad and deep expertise in the latest security solutions and practices. Let us help you maintain your customers’ trust by reducing the risk of a data security breach.