Retailers are facing a tough scenario right now, especially in the wake of the several large breaches that have recently hit high-profile retailers. We read variations of these breach stories every day, each with something new about why they happened. What probably strikes readers most are the financial hits on these giants: penalties, chargebacks, payments to customers for their losses, FBI involvement, lawsuits, and so on.
Target, Neiman Marcus and Michael's most likely have top-notch data security in place. They have probably also passed their PCI compliance audits every year for several years. No business is hacker-proof. Two types of breaches are occurring. The first is highly sophisticated and requires considerable planning and patience. The second, experienced by smaller retailers, is the opportunistic breach that succeeds because of weak security. The less protected retailers need to be on guard as well.
What should retailers do?
You may already have security solutions to protect your cardholder data environment (CDE). You are probably assured by third-party vendors that their services are PCI compliant. However, start by verifying these points and answering the following questions truthfully.
Does your solution:
- Monitor all front- and back-end PCs, POS devices, DVR PCs, printers, routers, and firewalls?
- Detect security vulnerabilities, potential data leaks, unauthorized access attempts, and unknown software installs through external IP scanning?
- Perform internal scans to detect which machines and systems need security updates, and maintain a constant inventory of your hardware and software?
- Repeat these external and internal scans at least quarterly?
- Automatically apply missing patches?
- Log every patch session, and keep those logs for 365 days?
- Offer integrated anti-virus and anti-spyware that automatically updates malware protection across all stores?
- Keep logs of those updates for 365 days?
- Generate all event and activity logs?
- Store those logs for 365 days?
- Provide an integrated, PCI-compliant secure remote control?
- Automatically log all remote sessions and save them for 365 days?
- Scan the CDE?
- Keep those scan results for 365 days?
- Capture the logs from firewalls?
- Save those for 365 days?
- Offer file integrity monitoring?
- Store those logs for 365 days?
- Offer wireless intrusion prevention?
- Store those quarterly wireless scans for 365 days?
- Generate all the evidence needed for a Qualified Security Assessor's (QSA) audit?
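File integrity monitoring (PCI DSS 3.0 Requirement 11.5) is the one item in the list above that a retailer can sanity-check with a few lines of code. The following is an added example, not code from Omega ATC or from any PCI tool: it builds a SHA-256 baseline of a directory, re-hashes it later, and reports added, removed and modified files. The `demo()` function constructs a throwaway POS-like directory, tampers with it, and returns the report; the file names in it are invented for illustration.

```python
"""Minimal file-integrity monitor: baseline a directory, detect changes.

Added example, not the page's own code. Hypothetical file names are used
in demo(); a real deployment would baseline the POS software directory,
keep the baseline off the monitored host, and log every report for a year.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map relative POSIX path -> SHA-256 for every regular file under root.

    Symlinks are skipped so a link pointing outside the tree cannot be used
    to make an unrelated file look like part of the baseline.
    """
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two baselines into the three change classes an auditor asks about."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def write_report(report: dict, out_path: Path) -> dict:
    """Write a timestamped JSON report; this is the artifact to retain for 365 days."""
    record = {"checked_at": datetime.now(timezone.utc).isoformat(), **report}
    out_path.write_text(json.dumps(record, indent=2))
    return record


def demo() -> dict:
    """Construct a sample tree, baseline it, tamper with it, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "pos.cfg").write_text("terminal_id=1\n")
        (root / "bin").mkdir()
        (root / "bin" / "pos.exe").write_bytes(b"MZ constructed sample binary")
        baseline = build_baseline(root)

        # Simulated tampering: config edited, unknown DLL dropped, binary removed.
        (root / "pos.cfg").write_text("terminal_id=1\nexport_track2=yes\n")
        (root / "bin" / "helper.dll").write_bytes(b"constructed unknown module")
        (root / "bin" / "pos.exe").unlink()

        report = compare(baseline, build_baseline(root))
        write_report(report, root / "fim-report.json")
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the check is not the hashing but the surrounding discipline the list asks about: the baseline must be taken from a known-good install, the comparison must run on a schedule, and every report must be retained and reviewable, otherwise the monitor produces nothing an assessor can use.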
If even one or two of the above are missing, address them now. Under PCI DSS 3.0, the controls behind these questions become mandatory on January 1, 2015. There are also 100 additional controls that must be validated and verified by an auditor. At this point retailers have a year, but the work should start now, because it takes time to put every element of data security in place. If a Level 2 merchant receives a letter requiring proof of compliance, closing the gaps and preparing for an audit can take up to six months in some cases.
A business might never get breached, and the above measures, done correctly, will make a breach difficult. Waiting for a breach to strike and then addressing the issues, however, can be very expensive.
Work with us
If you want to become compliant, we are here to help. Omega ATC has experience working with Level 2 merchants: assisting with QSA audits, helping them achieve PCI compliance after a breach, helping merchants address all gaps after they receive a letter from an acquiring bank or a card brand, or simply working methodically with a proactive retailer to meet all data security and PCI compliance mandates.
Call us anytime at 636-557-7777 or get in touch with specific requests.