Here’s a list of 24 recognizable names we picked to highlight the range of industries and spaces affected thus far by data breaches in 2016. View the larger list.
| | |
|---|---|
| TD Bank | Sageworks, Inc. |
| Wells Fargo ATMs | Washington Redskins |
| HSBC Bank USA, N.A. | Hard Rock Hotel & Casino, Las Vegas |
| Millennium Hotels & Resorts | Tumblr |
| Toyota Motor Credit Corporation | Myspace |
| Eddie Bauer | Noodles & Company |
| 7-Eleven, Inc. | O'Charley's Restaurants |
| Oracle MICROS | American Dental Association |
| Academy of Nutrition and Dietetics | Spotify |
| Omni Hotels & Resorts | Capella University |
| Bucknell University | Stanford University / Equifax W-2 Express |
| University of California, Berkeley | |
Enough has been said by now about the staggering statistics on breaches. The only thing that really matters is whether we are taking the recommended measures to thwart them.
What are we doing to counter these breaches?
Only two words are relevant: 'Data Security'. If companies approached everything they do in their card data and network environment with data security in mind, they would already have covered the majority of the preventative measures needed to avoid a breach.
Think about data security while doing the following:
1. Connecting to or from a network. What are you opening up and giving free passage to when you connect to or from:
- Your corporate network
- Your home network
- Your local Starbucks or Barnes & Noble
- An airport Wi-Fi
- A hotel/guest Wi-Fi
2. Purposeful monitoring.
- Monitoring does not serve the purpose of data security unless what is observed is tracked and recorded.
- What are you monitoring?
– Access to network resources and cardholder data.
– PCI DSS and/or PA-DSS compliance of service providers who access cardholder data.
– Security controls such as firewalls, intrusion-detection/prevention systems, file-integrity monitoring, antivirus, anti-malware and access controls, to make sure they are working effectively.
– Physical access, to keep people out of restricted areas.
3. Logging.
- Of what use is monitoring if activities are not tracked and logged?
- What are you logging?
– Events: system alerts and notifications.
– Activities: the types of actions taken by an individual in the cardholder data environment (CDE).
– Invalid logical access attempts, privileged access, and any turning on or off of the audit logs.
- Why is this needed?
– The audit trail shows who attempted to log in, from where, and how many times, which is what lets you tell a mistyped password from an attack in progress.
– PCI DSS guidance on logging puts it this way: malicious software such as malware often creates or replaces system-level objects on the target system in order to control a particular function or operation on that system. Logging helps determine whether such modifications were authorized.
4. Scanning. Data security begins with this basic precaution.
- What are you scanning?
– Scanning checks for weak points in the external and internal network, i.e. on devices and servers inside the firewall and on systems and servers outside the firewall.
- Why are you scanning?
– To be sure that weak points, if discovered, cannot be cracked open to get into the network.
– If there are vulnerabilities they need to be fixed, and the network re-scanned to confirm the fix, so they cannot be exploited.
- Repeat scans every quarter, and again after any significant change to the card data and network environment. PCI DSS requires both; the quarterly cadence alone will not catch a loophole introduced by last week's change.
– This ensures that changes to the environment do not leave security loopholes that could result in a data compromise.
5. Scanning for unauthorized wireless access points.
- This spots rogue devices that malicious individuals plant or use to gain access to the CDE.
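The logging items above (invalid logical access attempts, privileged access, the audit log being turned on or off) only pay off if someone actually reviews the trail. The following is an added example, not code from Omega ATC or from the PCI DSS, showing what that review looks like in Python over a handful of constructed syslog-style sshd, sudo and systemd lines. The hostname, addresses and the threshold of five failed attempts are assumptions for the example. It counts failed logins per source and per user, flags sources at or above the threshold, lists every privileged sudo action, and flags evidence that the audit service was stopped.

```python
"""Audit-trail review over constructed syslog-style lines (added example).

Covers the three log categories the text calls out: invalid logical access
attempts, privileged access, and the audit log being turned off. The sample
lines below are constructed for this example; hostnames, addresses and the
failure threshold are assumptions, not data from any real environment.
"""
import re
from collections import Counter

# Constructed sample log (not from a real host). Mimics sshd, sudo and
# systemd messages as they would appear in /var/log/auth.log or /var/log/secure.
SAMPLE_LOG = """\
Mar 12 09:01:10 pos-srv01 sshd[2201]: Failed password for invalid user admin from 203.0.113.8 port 51122 ssh2
Mar 12 09:01:12 pos-srv01 sshd[2201]: Failed password for invalid user admin from 203.0.113.8 port 51123 ssh2
Mar 12 09:01:15 pos-srv01 sshd[2201]: Failed password for root from 203.0.113.8 port 51124 ssh2
Mar 12 09:01:17 pos-srv01 sshd[2201]: Failed password for root from 203.0.113.8 port 51125 ssh2
Mar 12 09:01:20 pos-srv01 sshd[2201]: Failed password for root from 203.0.113.8 port 51126 ssh2
Mar 12 09:02:01 pos-srv01 sshd[2210]: Accepted publickey for jsmith from 10.20.1.15 port 40001 ssh2
Mar 12 09:02:30 pos-srv01 sudo:   jsmith : TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/bin/systemctl stop auditd
Mar 12 09:02:31 pos-srv01 systemd[1]: Stopped Security Auditing Service.
Mar 12 09:05:00 pos-srv01 sshd[2215]: Failed password for jsmith from 10.20.1.15 port 40002 ssh2
"""

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
# Invalid logical access attempts: sshd password failures, with or without
# the "invalid user" prefix sshd adds for unknown account names.
FAILED_RE = re.compile(TS + r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
# Privileged access: every sudo invocation, who ran it, as whom, and what.
SUDO_RE = re.compile(TS + r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
# Audit log turned off: the command that stops auditd, or the service
# manager reporting that it stopped.
AUDIT_STOP_RE = re.compile(r"(?:stop|disable|kill)\S*\s.*auditd|Stopped Security Auditing Service", re.IGNORECASE)

FAILED_LOGIN_THRESHOLD = 5  # assumed value for the example; tune per environment


def review_audit_trail(log_text, threshold=FAILED_LOGIN_THRESHOLD):
    """Parse log lines and return the findings a reviewer would act on."""
    failed_by_src = Counter()
    failed_by_user = Counter()
    privileged = []
    audit_disabled = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failed_by_src[m["src"]] += 1
            failed_by_user[m["user"]] += 1
            continue
        m = SUDO_RE.match(line)
        if m:
            privileged.append({"ts": m["ts"], "user": m["user"], "target": m["target"], "cmd": m["cmd"]})
            if AUDIT_STOP_RE.search(m["cmd"]):
                audit_disabled.append(line)  # the privileged command itself is evidence
            continue
        if AUDIT_STOP_RE.search(line):
            audit_disabled.append(line)  # the service manager confirming the stop
    return {
        "failed_logins_total": sum(failed_by_src.values()),
        "failed_logins_by_source": dict(failed_by_src),
        "failed_logins_by_user": dict(failed_by_user),
        # Sources at or above the threshold answer "how many attempts were made".
        "brute_force_sources": {s: n for s, n in failed_by_src.items() if n >= threshold},
        "privileged_actions": privileged,
        "audit_logging_disabled": audit_disabled,
    }


if __name__ == "__main__":
    for key, value in review_audit_trail(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, the review reports five failures from one external address (a brute-force source at the assumed threshold), one privileged action, and two lines of evidence that auditd was stopped: the sudo command and systemd's confirmation. That last finding is the one to page on; a stopped audit service means every later line on that host is missing, not merely unreviewed.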
So who verifies and validates that an organization has initiated, is practicing, and is maintaining these data security measures?
In the interest of customers and retailers, the Payment Card Industry (PCI) Security Standards Council maintains well thought out standards for data security. Compliance is verified and validated through a Self-Assessment Questionnaire (SAQ) or, for merchant Levels 1 and 2, by a Qualified Security Assessor (QSA). Level 2 merchants may also validate through an SAQ, depending on the card brand's rules.
PCI DSS v3.2 has raised the bar for all merchant levels. Many items that were previously recommended are now mandatory, such as:
- Internal vulnerability scanning for all merchant levels.
- A roles and responsibilities matrix for retailers and service providers, to delineate who does what and encourage accountability.
- PCI DSS or PA-DSS certification for service providers.
- A vendor management program.
- Detailed policies and procedures.
- Detailed documentation and evidence wherever they apply.
Omega ATC recently went through its 2016 QSA audit as a Managed Security Services Provider. Besides the points above, the areas of particular focus were risk assessment, change control management, logical access control, and the incident response plan.
Retailers: the mantra is, take the precaution. Build the expense of data security into your budget. Organizations have gone past needing to convince management of this expense; they are on board and understand the urgency. Customers trust you. There is no better ROI than protecting your customers' data.
Tell us what you need:
- Security solutions and services?
- Data security measures implemented across the entire organization with no changes to your stores?
- Professional services to advise you on how to implement each of the 400+ controls?
- Data security strategists to help you with policies, procedures, and documentation?
- Guidance on making sure all areas of data security are covered?
- Collection of evidence to support your QSA audit?
- Recovery from a breach?