Payment Cards and Data Breaches

Posted by Mark Greisiger

A Q&A with Grayson Lenik
The retail industry is now the top target for cybercriminals, according to the 2013 Trustwave Global Security Report, and payment card industry (PCI) data is a critical area of concern. Yet many businesses, especially smaller retailers, are still unaware of basic PCI requirements. I asked Grayson Lenik, senior security consultant at Trustwave, for an overview of what small merchants need to know.

Can you give us a summary of the key PCI threats and requirements facing retailers today?
I wish I could say it was complicated, but it’s really not. The basics of the PCI requirements, such as installing a firewall to protect data and creating strong passwords, are still killing people, especially small merchants. Without a good firewall configuration, you’re leaving remote access wide open to the internet. As far as the passwords go, I don’t know if it’s that people are not in tune with the basics of security or whether they are not aware that they need to change the defaults, but either way, weak passwords combined with easy remote access are a recipe for disaster.

In the PCI arena, the biggest threat to everyone is organized crime—large crews who are dedicated to stealing cardholder data. There’s a sophisticated black market surrounding the sale of this information. If a hacker wants to find a specific credit card from a certain region, he could easily find it. So we know the operations are out there and they are very well developed.

What areas are your clients struggling with most?
I really think the big piece is education. That’s the first priority. I handle these breaches all the time and I find out from the business owners that this is the first time they’ve heard of PCI compliance. They ask, ‘Why didn’t my merchant bank or anyone ever talk to me about this?’ That’s remarkable since the regulation has been on the books for 10 or 11 years. Aside from that, it’s the basics: storage of cardholder data, firewalls and two-factor authentication.

People worry that it’s going to be very expensive, but there are very simple ways to comply. There are whitepapers available geared toward smaller merchants, about purchasing and configuring a firewall for less than five hundred dollars. Trustwave specializes in managed security services and offers a preconfigured firewall complete with two-factor authentication, including digital certificates, which is ideal for a smaller business such as a restaurant or small retail store.

Thankfully, I think the mainstream media is starting to do a better job of covering the topic so people are becoming more aware that small merchants are also at risk.

Do you see any trends for key causes of a PCI breach?
I think that goes right back to the first question. We see a lot of everything, but remote access and weak passwords are still the biggest causes of PCI breaches. The big trend we saw for 2012 was the rise in eCommerce attacks. It’s frightening to see how simple it is for hackers, even hackers with a low skill level, to exploit these sites. I would recommend that anyone in the security profession, or even anyone who develops websites, test the security of their own websites. With even some minimal steps, you can prevent these attacks.

In summary…
PCI continues to be a thorn in the side for many clients, and for many of the reasons that Mr. Lenik mentions. Often, it is the simple mistakes and commonly known exploits that can trip up organizations—and some mistakenly believe they have no credit card liability exposure if they outsource credit card processing (this is not the case in the eyes of victims or their lawyers). I personally feel that PCI is a fairly complex, granular and ever-changing standard that can be costly for clients to comply with, year after year. To complicate matters, the class-action plaintiff lawyers look to PCI DSS as an industry “standard of care.” This can increase the liability for a company that suffered a breach and was found to be lacking in a PCI-required practice that might have contributed to the incident (even if they were otherwise 95% compliant). On the plus side, regarding PCI as a standard of care can be useful to businesses in retail and beyond.