
Three Examples of PCI DSS Non-Compliance and What You Can Learn from Them


The public and private sectors have been increasingly under assault by hackers looking to take information, whether for espionage, blackmail, or profit. And while some of the past few years’ high-profile government and industrial attacks have been at the center of many cybersecurity stories, the reality is that hacks in the retail and consumer spaces have had an enormous impact.

In fact, some of the largest data breaches have been due, in part, to a lack of compliance with PCI DSS standards… and this presents a major challenge for merchants and payment processors who want to protect their customers’ information. 

Here, we’ll cover three major security breaches related to PCI DSS compliance and what you can learn from them.


PCI DSS Through the Past Decade

With the publication of the latest PCI DSS 4.0 standards, the Payment Card Industry (represented by major payment providers like Visa, Mastercard, American Express, Discover, and other processors) continues its attempts to develop security practices that meet the challenges of modern commerce. 

Some of these challenges include:

These all play a greater or lesser role in prevalent hacks, and as such new PCI DSS standards have attempted to address these attacks with updated requirements.

However, no requirement can mitigate mistakes. Some of the largest companies in the world have made such mistakes, and it’s cost them.


Target and Listening to Your Security Tools

In 2013, Target experienced a massive breach of its databases, affecting roughly 110 million customers. These customers had their names, mailing addresses, email addresses, and credit and debit card information stolen or compromised; the hackers made off with over 11 gigabytes of data.

So, what went wrong? Target and security experts reported two main causes: social engineering in the supply chain and a failure to monitor security alerts.

What We Can Learn: Third-party security is a necessary part of security and compliance, and an attack from a trusted vendor network can come from literally any vendor. Furthermore, even if your company meets compliance requirements, the controls behind them are completely useless if you aren’t operating them properly and within the guidelines of PCI DSS. In this case, that includes paying attention to alerts, scanning systems, and performing regular audits of both system security and the effectiveness of your security tools.


Heartland Payment Systems and Going Beyond PCI DSS

Heartland Payment Systems announced in 2009 that they had been a victim of a data breach that had occurred the previous year. This was the largest data breach known to date, with an estimated 100 million cards stolen and 650 connected financial services compromised. Hackers were able to take the information, which included magnetic stripe data, and create fake cards that they could sell online.

Heartland’s security, technically, was PCI-compliant… but only barely. Somehow, the engineering teams responsible for the company’s secure systems were able to deploy technology that was compliant yet did not cover the security needs the company actually faced. As a result, hackers could use a SQL injection to install malware that went undetected for nearly a year.

What We Can Learn: Compliance “by the letter of the law” isn’t always sufficient. With that in mind, it’s critical to treat PCI DSS as a guideline from which to start. Proper security may only come when you can integrate PCI requirements into your specific business use cases.


Equifax, Patches, and Network Security

Sometimes, security incidents occur in the gap before security teams know a vulnerability exists. Unfortunately, that gap can stay open for months or years if companies do not take the right steps to patch their software.

This was the case for Equifax. The credit reporting service was the victim of a hack in 2017 that originated from a bug in the Apache Struts software (CVE-2017-5638). After an investigation of the hack, it became apparent that a lack of system hardening, of data obfuscation for information at rest, and of regular and emergency software update and patch maintenance led to a massive breach that affected 143 million consumers, exposing their personal information (including Social Security numbers) and credit card numbers.

What We Can Learn: Minimize system exposure by using zero-trust architecture wherever possible, isolating networks that carry account information and requiring strict role-based authentication for access across any relevant resource. Encrypt account information and never store clear-text credit card information. And always, always patch critical vulnerabilities, especially those associated with common server or infrastructure apps like Apache.


Meet PCI DSS Requirements and More with Continuum GRC

Compliance is one thing, but security as a best practice requires you to know the resources that contain and process credit card information. That’s why it is critical to use a system that helps automate the letter of the law of PCI DSS compliance, while providing support for the ongoing maintenance and risk assessments that make real security possible. 

Continuum GRC is cloud-based, always available and plugged into our team of experts. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

And more. We are also the only FedRAMP and StateRAMP authorized compliance and risk management solution in the world.

Continuum GRC is a proactive cyber security®, and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform in the world. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.

