Large breaches similar to those at Target and Neiman Marcus also occurred during the peak December 2013 season; they are still being investigated by QIRAs (Qualified Incident Response Assessors) and have not been published yet. All of them, however, point to the same techniques used in the other two attacks.
Target CEO Gregg Steinhafel caused quite a commotion when he said, “We don’t know the full extent of what transpired, but what we do know is that there was malware installed on our point-of-sale registers.” According to Reuters, the problem lies with a RAM scraper, or memory-parsing malware, which scans a computer’s memory for card data while it is still unencrypted.
According to experts in the field, the problem is more complicated than that: POS environments are complex and difficult to keep completely secure. One way to reduce the complexity is to segment them from the rest of the network and continuously monitor that segment.
To address the security needs of POS systems and the cardholder data environment, PCI DSS 3.0 stresses that retailers must document in detail how their network is segmented, explain how that segmentation is implemented, clearly show the segmented areas in their network diagrams, define where cardholder data resides, and prove that it does not exist anywhere else.
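Proving that cardholder data does not live outside the documented environment means actually looking for it. The following is an added example (not from the original post or from Omega) of the core check a data-discovery sweep performs: scan a buffer such as an exported POS log for digit runs that look like PANs, keep only those that pass the Luhn check, and report them masked. The sample log is constructed; `4111111111111111` is the widely used Visa test number, not a real card.

```python
import re

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or hyphens,
# not bordered by another digit. Separator handling catches "4111 1111 ..." as
# well as a plain digit run.
PAN_CANDIDATE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample: one transaction id that is not a card number, one
# swiped PAN in the clear, one properly masked stored value.
SAMPLE_LOG = (
    b"2013-12-15 14:32:01 txn=1234567890123456 status=approved\n"
    b"2013-12-15 14:32:03 swipe 4111 1111 1111 1111 exp=1512\n"
    b"2013-12-15 14:32:04 stored=411111******1111\n"
)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; rejects most random digit runs (ids, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """PCI-style display: first six and last four only; never log a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_unencrypted_pans(data: bytes) -> list:
    """Return (byte offset, masked PAN) for every Luhn-valid candidate in data."""
    hits = []
    for m in PAN_CANDIDATE.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if luhn_ok(digits):
            hits.append((m.start(), mask(digits)))
    return hits


if __name__ == "__main__":
    for offset, masked in find_unencrypted_pans(SAMPLE_LOG):
        print(f"unencrypted PAN at offset {offset}: {masked}")
```

A real sweep runs this over files, database exports and memory images on every host claimed to be out of scope; a single hit means the segmentation story in the network diagram is wrong.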
Omega ATC can help you
Get in touch with Omega for help with your data security and compliance needs. We have worked with mid-size to large companies that have been breached, with retailers that are in the process of addressing gaps pointed out by QSAs, and with retailers that have received letters from acquiring banks or card companies requiring proof of compliance.