PCI Spotlight

Time is running out for organizations that handle credit card payments to make their systems PCI compliant. In less than two months, the Payment Card Industry (PCI) Security Standards Council, which represents credit card companies, will bring the PCI Data Security Standard (DSS) into force to help safeguard customer data. But there are fears that many businesses, particularly smaller retailers, government departments and utility companies, will not be ready in time and could face fines.

Despite moves by the PCI to encourage larger retailers to demonstrate compliance with its 12-point standard, over half the world’s largest merchants are not yet compliant, which does not bode well for smaller businesses. The shortfall in compliance means that more than $200bn in consumer and business credit card transactions during 2007 will not meet the PCI DSS standard.

This leaves the industry wide open to security breaches. Fraudsters will attack the weakest link – as banks are notoriously difficult to hack into, retailers represent the next best target.

TJX Proves the Need for Vigilance

The need for action against credit card fraud was dragged into the international spotlight when the US retailer TJX (which owns TJ Maxx and the UK outlet TK Maxx) recently suffered the theft of card details for more than 45 million customers after hackers broke into computer systems in England and the USA.

The latest reports identify the likely attack vector as an insecure WiFi connection. A recent Security Focus article stated that a vulnerable wireless connection at a Marshalls discount clothing store near St. Paul, Minn. may have allowed hi-tech attackers to gain access to the company’s computer network. Data was stolen over a period of 16 months.

Even though this incident is one of the largest card frauds ever recorded, experts predict similar breaches to come. Security consultant and former hacker Robert Schifreen told the BBC: “45 million card details are not that hard to store. Such data would easily fit on a memory stick.”

Industry Cry for Easier Compliance

Whilst the need for action is in little doubt, merchants are asking for the bar to be lowered to make compliance easier.

Locking down systems against hackers through PCI DSS compliance is a long, involved, complex and costly process, particularly because attackers are targeting many different kinds of data. Attack methods are growing in sophistication and coming in many different forms.

Compliance problems are compounded by the fact that banks are still not accepting PCI DSS as proof of security and insist on carrying out their own on-site examination of security procedures. Card issuers also have different processes, rules and fees.

“Relaxing the rules just because adhering to them is hard is not a good option. Striving for compliance, whether it is PCI DSS or any other government or standards bodies regulation, will lessen the likelihood of hacker attacks,” said Christophe Briguet, Chief Technology Officer of Exaprotect.

“Companies need to vigorously monitor transactions and have the necessary security tools in place to detect fraudulent activity.”

Exaprotect Simplifies Compliance with ‘View and Do’ Capability

April’s Infosecurity event in London enabled Exaprotect to showcase its ground-breaking ‘View and Do’ capability. A result of its merger with Solsoft (the leading provider of security policy management solutions), View and Do brings the Security Management Solution (SMS) and Network Security Policy together in one dashboard, so that staff monitoring security events can make policy and network changes to remediate them straight away.

“This brings about the simplification customers are looking for in security management. It enhances threat response and maximizes return on security investment. No other security management product integrates policy management and remediation in this way,” said Jean-François Dechant, Chief Executive Officer of Exaprotect.

“View and Do is a key step towards delivering a single security dashboard that integrates SIEM, policy change management and real-time remediation.”

View and Do’s official launch took place recently at InterOp, Las Vegas, USA.

© Exaprotect. All Rights Reserved