Over the last twenty years the number of data breaches reported in the United States alone has risen steadily, from 614 data breaches reported in 2013 to 1,579 reported in 2017. With over 930,000 data breaches recorded since 2005 in total, ranging from Payment Card Information (PCI) and Personal Health Information (PHI) to trade secrets or intellectual property, we’ve seen over 11 billion consumer records compromised. The recently formed UK Information Commissioner's Office has issued 101 enforcement notices, with 57 monetary penalties issued and 11 prosecutions. So not only are breaches occurring too often, but authorities are now coming down hard on offenders with the full force of the applicable law.
With data creation and storage increasing year on year, the lifecycle, security management and compliance measures associated with securely handling consumer data are stringent. As such, in this blog we will be covering the twelve key steps in achieving and maintaining compliance specifically in terms of the Payment Card Industry Data Security Standard (PCI DSS), which sets the minimum standard for data security to help improve the safety of consumer data and trust in the payment ecosystem.
Firewalls prevent unauthorized access by controlling the transmission of data between an organization’s trusted internal networks and untrusted external networks, and the PCI DSS requires systems to use firewalls to prevent unauthorized access. If any other system components provide the functionality of a firewall, they too need to be included in this PCI DSS assessment.
Equipment and systems like PCs often come with default settings for their initial set-up. The default settings of many commonly used systems are well known, easily exploitable and often used by criminal hackers to compromise those systems. An attacker will almost always check to see if there is a default setting still turned on that they can use to gain access. Vendor-supplied default settings must, therefore, be changed, and unnecessary default accounts disabled or removed, before any system is installed on a network.
The storing of cardholder data needs to be kept to a minimum, with data retention and disposal processes in place. Data needs to be stored securely: encryption, truncation, masking and hashing are critical components of cardholder data protection.
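The following helpers, added here as an example and not taken from the original post or from PCI SSC, show three of the controls just named applied to a primary account number (PAN): masking for display (PCI DSS allows at most the first six and last four digits to be shown), truncation for storage, and a keyed hash so a stored token cannot be reversed by brute force over the small PAN space. They also scan a constructed log line for unmasked PANs so they can be redacted before the line is written to disk; the function names, key and sample values are assumptions.

```python
import hashlib
import hmac
import re

# Candidate PANs: 13-19 digits, optionally separated by spaces or dashes.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits, everything else starred."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def truncate_pan(pan: str) -> str:
    """Storage form that retains only the last four digits."""
    return re.sub(r"\D", "", pan)[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the normalised PAN. An unkeyed hash is
    brute-forceable once the issuer BIN is known, so the key must be protected."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def redact_pans(text: str) -> tuple:
    """Replace every Luhn-valid PAN in text with its masked form.
    Returns (redacted_text, number_of_pans_found)."""
    found = 0

    def _sub(match):
        nonlocal found
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)   # e.g. an order id, leave untouched
        found += 1
        return mask_pan(digits)

    return _PAN_RE.sub(_sub, text), found


# Constructed sample log line; 4111 1111 1111 1111 is a standard test PAN.
SAMPLE_LOG = "card=4111-1111-1111-1111 amount=10.00 order=1234567890123"
```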
Strong security protocols should be in place to safeguard sensitive cardholder data during transmission over open, public networks that could easily be accessed by malicious individuals. Industry best practices must be followed to implement strong encryption for authentication and transmission. Security policies and procedures for encrypting the transmission of cardholder data must be documented and made known to all affected parties.
New viruses and malware are created all the time, and software needs to be kept up to date to make sure it can detect them. Antivirus software must be maintained and kept actively running, and should only be disabled if formally authorized for a specific purpose. Systems should also be assessed regularly for vulnerabilities to determine whether additional antivirus protection is needed.
Problems or bugs that find their way into software can often allow an attacker to do something that was previously not possible, such as gaining access or causing disruption. Many of these security vulnerabilities can be addressed by applying the latest updates to make sure these avenues are not available to attackers. All software applications, whether developed internally or externally, need to be developed in accordance with the PCI DSS and based on industry-standard best practices.
Hackers exploit authorized accounts and abuse user privileges to gain access to a system. It is one of the easiest ways in for criminal hackers and also one of the most difficult types of attack to detect. Systems and processes need to be in place to limit access rights to critical data. By default, all access should be denied, and access should then only be granted as necessary. This principle is known as ‘Least Privilege’ and should be implemented on a ‘need to know’ basis defined by each job specification.
Following on from point 7 regarding individual access, only authorized users should be able to access systems, and each should do so using their own credentials (username/password). Passwords should be difficult to guess, to prevent an attacker from gaining access to a system they should not be able to reach. The same applies to a system that a user has logged into and then left unattended: systems should log users out after a short period of inactivity. The ability to identify individual users not only ensures that system access is limited to those with the proper authorization, it also establishes an audit trail that can be analyzed following an incident.
Physical access to systems also needs to be limited and monitored using appropriate controls. Devices that capture payment card data via direct physical interaction with the card must be protected from tampering and need to be inspected regularly.
Keeping track of, and recording, what has been accessed and by whom is important for detecting, preventing and identifying when a data breach has occurred. Part of this is making sure that all records carry the correct time so that an accurate timeline can be established. If system usage is not logged, potential breaches cannot be identified. Secure, controlled audit trails need to be implemented, and audit trail history should be retained for inspection.
To maintain good cyber hygiene, the security of systems should be continually tested to identify any new issues or vulnerabilities that may have been introduced, potentially by a change to the system. New vulnerabilities are regularly found and exploited by hackers, so it is essential that systems are regularly tested. Internal and external network vulnerability scans need to be performed regularly and especially after any significant change in the network (e.g. new system component installations and product upgrades).
A security policy that is maintained and published must be in place to comply with PCI DSS, and businesses must have it reviewed annually and updated to reflect the changing environment. A clearly defined risk assessment process needs to be in place, with a formal awareness programme supporting it. Businesses should have an incident response plan so that they are prepared for a system breach.
Keith Driver, CTO