In 2004, the Payment Card Industry Data Security Standard (PCI DSS) became a fact of life for organizations that accept payment via credit or debit cards. In that year, the leading card issuers rolled out the first iteration of the standard, designed to improve protection of payment systems as credit card data became a prime target for cyberattackers. Today, even as organizations have entire teams dedicated to PCI compliance, one consumer business after another (including Macy’s, Adidas, Panera Bread and Chili’s) has been breached, resulting in exposure of cardholder data.
Here Comes Santa Claus—Are Organizations Ready?
With the Black Friday, Cyber Monday and holiday shopping season upon us again, Deloitte predicts that e-commerce will grow by 17% to 22% over last year. Whether we will also see an uptick in payment data breaches will depend in part on how PCI-compliant retailers and other B2C businesses are.
GoAnywhere, a provider of managed file transfer services, found earlier this year that since 2012 there had been a 167% increase in PCI DSS compliance, but that 80% of companies were still not compliant. Payment card and cardholder data continues to be a staple of cyber underground commerce, with a single data record selling for anywhere between US$7.00 and $35.00. Financially motivated cybercriminals still have plenty of incentive to steal it.
How Prevalent are Cardholder Data Breaches?
According to the 2018 Trustwave Global Security Report, the three sectors most dependent on card payments (retail, hospitality, and food and beverage) were three of the top four victim sectors in 2017, together accounting for 38% of the total number of data breaches last year. Of the data that was compromised, Verizon’s 2018 Data Breach Investigations Report indicates that in retail, 73% was payment data; in accommodation and food services, it was 93%.
PCI compliance mandates remain critical for enforcing a baseline security standard—and as is the case with every security standard, it is just that: a baseline that will always be somewhat behind evolving cyberthreats as attackers find new ways to be successful.
For example, Verizon noted (page 45 of the same report) that attackers are using input validation weaknesses and stolen credentials to attack web applications. “Once the device is compromised, we often see code modifications in the payment application designed to capture payment card data…. Essentially the criminals are turning a PCI-compliant application that does not store payment card data into a very non-PCI-compliant and criminal-controlled data harvester.” In other words, PCI compliance is a point-in-time status and does not guarantee security.
PCI and the Challenge to Get Ahead of Cyberthreats
It is also important that organizations maintain a broad horizon on how adversaries could cause damage, and be as prepared as possible. After all, some cyberattackers want more than credit card data. According to Glen Jones, Senior Director of Identity and Risk Products at Visa, one of the most important trends is that cybercriminals are reusing tactics, such as spear phishing, specific malware, targeted vulnerabilities, and preferred infrastructure (2). By gaining a foothold in the network, they can compromise payment applications, gain login credentials, and work towards other nefarious goals—undetected.
Point-of-sale systems can be footholds for moving laterally to attack other assets, ranging from business plans, supply-chain data, and proprietary formulas to specialized manufacturing processes. Both are imperative: a PCI-focused approach to protecting payment card data, and a wider security program that defends the full scope of an organization's crown jewels.
Easing the Cyber Risk and Regulatory Juggling Act
Compliance efforts must be harmonized with security efforts aimed at reducing overall enterprise risk. But this is easier said than done when regulatory obligations consume so much attention and SOC teams continue to face staff shortages. A recent Ponemon survey, sponsored by Illusive, indicates that the top obstacle to better cyberthreat detection is that compliance efforts detract attention from threat detection functions. Security vendors need to help resolve this apparent conflict.
Illusive Networks is committed to helping our customers both achieve compliance and stop high-impact attacks as threats evolve. Coalfire recently completed a multi-faceted technical validation showing how Illusive can help organizations meet specific PCI DSS requirements. Illusive’s deception-based platform also addresses the broader range of cyber risk by stopping the lateral movement of attackers toward critical systems once they’re inside the network. Illusive’s Attack Surface Manager preemptively identifies and removes credentials and connections that aid the lateral movement process. And because retailers, hotel companies and restaurant chains are in the business of serving their customers, not the business of cybersecurity, Illusive designs solutions that are lightweight, easy to deploy, use and manage, and that empower defenders at all skill levels.
PCI compliance requirements are a starting point for cybersecurity strategies. Learn more about how Illusive not only maps to the PCI DSS framework but also can significantly reduce organizational risk. Download the Coalfire assessment, How Illusive Networks Technology Supports PCI DSS Standards: A Technical White Paper here.
1. The Black Market Report, Armor Threat Resistance Unit, 2018 (https://www.armor.com/reports/black-market-report/)
2. Breach Trends and Tips from VISA Threat Intelligence Exec Glen Jones, SecurityWeek, Sept. 13, 2018