Potential Credit Card Data Breach Investigated
Over the last several years, the credit card industry has tightened the rules on how merchants and processors must secure credit card data, but the security measures themselves may no longer be effective at preventing a data breach. The rules describe how organizations that handle credit card data must encrypt and secure it, and they impose stiff fines for any lapses in implementing the specified measures. Yet major breaches keep taking place, even when organizations are in full compliance with the rules.
According to a ComputerWorld article on the Payment Card Industry Data Security Standard (PCI DSS), these measures may no longer be enough. ComputerWorld quotes Anup Ghosh of Invincea, a browser security company, as saying that today's threats target employees rather than secured systems. He says, "It is not very hard, in phishing campaigns, to get employees to open an email or click on a link, which then provides access to their desktop and the privileges that come with it." When the data breach happens through employees, encryption-based systems are not effective. You have to secure the employee environment so that when a threat compromises the desktop, it doesn't result in a data breach. Instead, you can gather information about the threat.
The PCI DSS specifies that merchants and processors have to encrypt credit card data when it is transferred through the Internet. When they keep the data in physical locations, it must be stored securely. Typical privacy rules govern physical access to the data, secure logins for accessing databases where the data is stored, effective access restrictions, access controls, and secure data destruction. The credit card industry standard adds rules specific to the acceptance and processing of credit card numbers. They specify the procedures to follow to identify breaches and who to notify when they occur. The system was designed to secure cardholder data in general and credit card numbers in particular.
The present investigation is looking into a massive breach involving up to 10 million cards. The focus at the moment is identifying cardholders whose data has been accessed and notifying them and the proper authorities. The financial institutions involved are analyzing potentially fraudulent transactions. The part of the system that alerts merchants and processors of a breach, the audit sections, and the compliance with reporting requirements are working well. The prevention part is not; it is reduced to raising alarms after the fact.
The investigation will determine whether the breach was due to a failure in implementing existing rules or whether the threat targeted employees or other human factors. Ghosh believes the data probably was encrypted and that the organizations involved complied with the applicable standards. Should that prove to be the case, the credit card industry has to look at expanding the rules to ensure that compliance results in fewer breaches such as this one.
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.