Settlement Details

Last month, Target reached a $10 million settlement with lawyers for victims of its 2013 data breach where thieves made off with information from 40 million credit and debit cards.

The judge chose a cap of $10,000 in damages per impacted consumer, although the burden of proof is with claimants to prove financial loss due to the breach. The settlement required Target to implement data security measures, including appointing a chief information security officer and maintaining a written information security program. The mandated security measures were not burdensome to implement (because Target had already done so), so ecommerce merchants and retailers might be wondering what the fuss is. What should be giving organizations pause is the fact that a judge is prescribing security measures at all — and reinforcing the 2009 CVS settlement precedent for government regulation.

There were multiple factors that led to Target’s data breach: third party vendors were subject to phishing attacks, network segregation was lacking, point of sale systems were exposed to memory scraping malware and detection escalation strategies by Target were insufficient.

Tangible and Intangible Costs of the Target Breach

The hard cost to Target far exceeds $10M.  In fact, the tab exceeds $250M when you look at legal fees, cyber security forensic firm fees, replacement cards and remediation costs.

But there are intangible costs as well. Retailers who experience data theft suffer a bleed of consumer trust and damage to their reputation and brand. For Target that drop in consumer confidence had a hefty price tag. The Washington Post reported that profits fell 50 percent in Q4 2013 and dropped by more than a third for all of 2013. While not a factor in this attack, retailers should also be aware that data breaches can result in intellectual property theft, which can significantly impact their competitive advantage.

Tools for Securing Data Ineffectual without Clear Detection Escalation Processes

Cyber crime continues to grow at an alarming clip. It’s clear that criminals are targeting retailers, and they are relentless in their pursuit of valuable customer data. Although screening devices can be effective at blocking malicious visitors, expert human real-time review is ideal in order to analyze the traffic that wasn’t blocked to see if there are anomalies that indicate someone is trying to attack your system or if anyone has already gained access.  

In Target’s case, the company had security products and human monitoring services in place, but the gap was that it had not sufficiently defined and practiced detection escalation and response processes. Although the breach was discovered and reported, no action was taken for eighteen days. This illustrates why a round-the-clock human monitoring service must be coupled with clearly defined incident triggers and response processes in order to shorten the mean time to detection and minimize the time until the threat is contained and resolved.

PCI Compliance Doesn’t Equal Security

PCI 3.0 went into effect in January 2014, and introduced new rules and guidelines designed to standardize security best practices for merchants and curtail damaging credit card data breaches. Because PCI DSS is constantly evolving, merchants should make it a priority to stay current.

However, we can learn from the Target breach that compliance with baseline standards isn’t enough, since records show the company passed its PCI compliance audits prior to this breach. A PCI audit’s results represent a single point in time where a merchant is shown to be compliant, but after that date, there can be system breakdowns that move a retailer out of compliance. In addition, new ways to infiltrate networks and systems are identified faster than compliance guidelines can be updated, all reasons why compliance with the PCI DSS requirements does not necessarily equal effective information security.

Strategies for Protecting Data

PCI strongly encourages merchants to implement network segmentation by using firewalls to protect their card data systems from unrelated and non PCI-complaint servers and workstations. However, ineffective segmentation can lead to a false sense of security and inaccurate scoping. A call recording system, where customers may give their credit card numbers over the phone to an operator or complaint resolution agent, is an example of a system that might be considered out of scope by a merchant, but should be included if it stores, processes, or transmits credit card data.

To help avoid incomplete scoping, retailers should use data discovery scans to find credit card information in places where they might not expect it, at least on an annual basis, though more often is preferred.

Keep an eye out for shared access credentials, which is another real threat for companies using network segmentation. This played a pivotal role in Target’s breach where the hackers used stolen credentials from a third party HVAC vendor to gain access into the retailer’s networks via a remote access solution that allowed the use of the same stolen credentials.

Takeaways for Vulnerable Entry Points

Wireless Networks: Stay current with PCI requirements for wireless networks to immediately detect and shut down unauthorized Wi-Fi access points. In addition, merchants should make sure they are using the most current encryption protocols and using robust access controls to restrict who can access all Wi-Fi networks that could grant access to the cardholder data environment.

Third Party Access: Identify, inventory, and protect, using two factor authentication, all links to third parties, including supply-chain vendors, ecosystem partners and any contractors with network access. It’s also important that internal systems that are handled by vendors are not using vendor default passwords. This is a common vulnerability that leads to system or data compromise. To avoid confusion between merchants and vendors, it’s important to have clear contractual language that outlines what elements of PCI security each party is responsible for in terms of compliance and liability.

POS Terminals: Periodic physical inspections of POS terminals are essential to ensure no tampering or addition of skimming devices has occurred.

Ecommerce Websites: Merchants should consider moving away from SSL as soon as possible to the newer and more secure Transport Layer Security (TLS) protocol. Last year’s Heartbleed attacks exploited vulnerabilities in SSL technology, and we now know it should no longer be considered a secure way to encrypt sensitive data. The PCI Security Standards Council has indicated it will release an update soon, requiring merchants to move from SSL to TLS.

Employee Facing Access Points: These represent additional vectors of potential compromise, and could include VPN, intranets and wireless networks. If a company has employed network segmentation properly, these should be restricted from accessing the card data environment, which means that an attacker would not be able to log in via these access capabilities and gain access to the credit card network.  Companies should test remote access solutions annually via a penetration test to ensure that they are configured properly.

Upgrade Credit Card Payment Options

Beyond PCI DSS compliance, the retail industry should recognize that it’s in the best interest to proactively seek more secure solutions for customers’ data. This should include revisiting credit card payment systems and adding one or more of the following credit card payment options:

Point to Point Encryption (P2PE): With a P2PE approach, account data is encrypted directly at the point of capture (on the POS terminal itself, for example) and remains protected as it flows through the merchant’s systems and moves through the payment chain to the acquiring bank.  In this model, the merchant doesn’t typically have access to the actual credit card information, and it’s not stored in the merchant’s environment, which means that if a merchant doesn’t have it, it can’t be compromised. 

Tokenization: Eliminating payment data from your network is a good way to help ensure that your customer’s sensitive payment information is safe. By storing just a representative token in lieu of the 15 or16 digit credit card number, any data that is hacked through merchant or retail systems is essentially useless.

Chip and PIN: This form of EMV-enabled card authentication involves both card number validation via the chip and authentication of the user via PIN (or signature, in the US), to provide stronger protection against consumer-level attacks such as fraudulent use of lost or stolen cards, counterfeit cards and skimming, but is only effective for card-present transactions.

 

Looking Ahead to Holistic Security

If merchants don’t want judges dictating security measures and monetary awards when breaches occur, they will need to redouble security efforts and educate stakeholders within their companies on why PCI compliance is an insufficient end goal. Companies will be more secure when they commit to performing organization-wide risk management activities, including accurate PCI scoping, on a regular basis to identify threats and vulnerabilities, rather than simply implementing what is mandated.

Merchant and Retailer Resources

If your organization doesn’t have a large security team, don’t despair, the PCI Security Standards Council’s website for small and medium-sized businesses provides many resources to help smaller merchants achieve compliance.

LBMC Security & Risk Services specializes in health care IT security.

 

Favorite