Tag Archives: pci

[ISN] The 10 Biggest Bank Card Hacks

http://www.wired.com/2014/12/top-ten-card-breaches/
By Kim Zetter, Threat Level, Wired.com, 12.02.14

The holiday buying season is upon us once again. Another event that has arrived along with the buying season is the season of big box retailer data breaches. A year ago, the Target breach made national headlines, followed shortly thereafter by a breach at Home Depot. Both breaches got a lot of attention, primarily because the number of bank cards affected was so high—more than 70 million debit and credit card numbers exposed in the case of Target and 56 million exposed at Home Depot. Luckily, very little fraudulent activity occurred on the stolen card numbers, primarily because the breaches were caught fairly soon, making them relatively minor incidents in the scheme of things, compared with other breaches that have occurred over the years that resulted in losses of millions of dollars. The Target breach was notable for one other reason, however: when it came to security, the company did many things right, such as encrypting its card data and installing a multi-million-dollar state-of-the-art monitoring system not long before the breach occurred. But although the system worked exactly as designed, detecting and alerting workers when it appeared that sensitive data was being exfiltrated from its network, workers failed to act on these alerts to prevent data from being stolen. Below, we look back on a decade of notable breaches, many of which happened despite the establishment of Payment Card Industry security standards that are supposed to protect cardholder data and lessen the chance that it will be stolen or be useful to criminals even when it’s nabbed.

The PCI security standard (.pdf), which went into effect in 2005, is a list of requirements — such as installing a firewall and anti-virus software, changing vendor default passwords, encrypting data in transit (but only if it crosses a public network) — that companies processing credit or debit card payments are required by card companies to have in place. Companies are required to obtain regular third-party security audits from an approved assessor to certify ongoing compliance. But nearly every company that was victim to a card breach was certified as compliant to the PCI security standard at the time of the breach, only to be found noncompliant in a post-breach assessment. […]

[ISN] Incoming PCI council head ready to take on the hackers

http://www.csoonline.com/article/2838369/data-protection/incoming-pci-council-head-ready-to-take-on-the-hackers.html
By Taylor Armerding, CSO, Oct 27, 2014

Stephen W. Orfei is the incoming general manager of the PCI Security Standards Council. He succeeds the council’s first general manager, Bob Russo, who will retire at the end of 2014. Orfei has decades of experience in payment technology, including 13 years in telecom with MCI International as director of international business marketing, and 14 years in payments with MasterCard Worldwide, the last three as senior vice president of emerging payments platform, advanced technology. Earlier this month, Orfei applauded President Obama’s executive order requiring federal agencies to adopt EMV (chip and PIN) technology for government payment cards and for point-of-sale terminals at federal facilities. In a statement, Orfei called EMV a “critical layer in any payment security strategy,” but added that, “it is not by itself a silver bullet for data protection,” since it does not stop malware or card-not-present attacks. […]

[ISN] Retailers warned to act now to protect against Backoff malware

http://www.computerworld.com/article/2599724/data-security/retailers-warned-to-act-now-to-protect-against-backoff-malware.html
By Jaikumar Vijayan, Computerworld, Aug 27, 2014

The Payment Card Industry Security Standards Council on Wednesday issued a bulletin urging retailers to immediately review their security controls to ensure point-of-sale systems are protected against “Backoff,” a malware tool that was used in the massive data theft at retailer Target last year. The bulletin instructed all covered entities to update their antivirus suites and to change default and staff passwords controlling access to key payment systems and applications. The council, which is responsible for administering the PCI security standard, also urged merchants to inspect system logs for strange or unexplained activity, especially those involving transfers of large data sets to unknown locations. “The PCI Council additionally recommends that merchants consider implementing PCI-approved point-of-interaction (POI) devices” for encrypting credit and debit card data as the card is swiped or dipped into a payment terminal. Merchants should also consider deploying point-to-point encryption technologies to ensure that card data remains protected until received by a secure decryption facility, the advisory noted. […]

[ISN] How healthcare can learn from retail’s IT security mistakes

http://healthitsecurity.com/2014/07/24/how-healthcare-can-learn-from-retails-it-security-mistakes/
By Patrick Ouellette, Health IT Security, July 24, 2014

There’s little doubt the healthcare industry’s perception of security and compliance has changed to a serious one within the past few years. While regulatory demands and business needs are certainly strong drivers, what should healthcare organizations be focusing on as cybersecurity threats grow in stature? Eric Cowperthwaite of Core Security and former CISO for Providence Health discussed with HealthITSecurity.com how identifying risks early on can help reduce exposures. The days when the only organizations that put effort into IT security were large hospital systems and other organizations that had some sort of significant problem are certainly over. According to Cowperthwaite, there are a few indicators within the past 12-18 months that lead him to believe healthcare organizations, large and small, across the country are focusing on information security. “First is the amount of information security leaders hiring that’s being done,” he said. “And the second piece of it is the number of organizations that are sending their people to [security] conferences and training to help them interact with products and services providers.” Many of these changes have been driven by regulatory compliance, such as HIPAA, HITECH and Meaningful Use, but Cowperthwaite said there are other regulatory considerations, such as any hospital system being a tier 1 PCI merchant. Beyond compliance, the reality these days is that these organizations have a lot of data and there are a lot of “bad actors” out there who like to steal data. There are a few main areas of focus that organizations should begin to worry about. First, Cowperthwaite said, though everyone is concerned about PHI disclosures because of bad publicity and potential fines, the other side of PHI disclosures is medical insurance fraud. […]

[ISN] Ram Scraper Malware: Why PCI DSS Can’t Fix Retail

http://www.darkreading.com/attacks-breaches/ram-scraper-malware-why-pci-dss-cant-fix-retail/a/d-id/1297501
By Brian Riley, Dark Reading, 7/23/2014

There is a gaping hole in the pre-eminent industry security standard aimed at protecting customers, credit card and personal data.

Target, Neiman Marcus, Michael’s, and possibly P.F. Chang’s all have one thing in common: They are recent victims of a type of malware called a RAM scraper that infects point of sale (POS) terminals. These data breaches occurred despite some, if not all, of these merchants complying with industry security standards. In Target’s case, government analysts estimate the total financial impact could reach as high as $12.2 billion. And the fallout continues. Target’s CEO Gregg Steinhafel set a new precedent, marking the first time that the head of a major corporation resigned due to a data breach. Merchants clearly must go beyond merely complying with industry security standards to reduce their risk, especially in relation to POS terminal malware.

Why PCI DSS does not apply

As you undoubtedly know, point of sale (POS) terminals are computers with card readers. Most computers have permanent storage, such as hard drives or flash memory, and temporary storage, such as random access memory (RAM). The security standard that dictates how payment card data is protected is called the Payment Card Industry Data Security Standard (PCI DSS). It requires merchants to encrypt credit card data residing on permanent storage or traversing its publicly accessible networks, but not while being processed in RAM. […]

[ISN] Don’t Waste Your Money: Are you staying at a hacker-friendly hotel?

http://wtkr.com/2014/07/08/dont-waste-your-money-are-you-staying-at-a-hacker-friendly-hotel/
By Doris Taylor, WTKR.com, July 8, 2014

As the travel season heats up, Consumer Reports cautions that some popular hotel and motel chains could be vulnerable to hackers because of weak security systems. The major credit-card companies require businesses to have standard data protections if they want to accept credit and debit cards. It’s called being PCI compliant. But Consumer Reports found that a number of hotels may not be. At a Super 8 motel in New York, the manager said he “had not heard” about PCI compliance. An assistant general manager at a Red Lion in California also said, “I never heard of this.” Similarly, a manager at an America’s Best Value in Washington state said, “I have no idea” about PCI compliance. In the past, hackers have taken advantage of weak security at hotels. For instance, there were three documented data breaches at properties of Wyndham Worldwide several years ago. According to a complaint by the Federal Trade Commission, “security failures” at Wyndham Worldwide led to more than $10 million in unauthorized charges. […]

[ISN] LifeLock snaps shut Wallet mobile app over credit card leak fears

http://www.theregister.co.uk/2014/05/19/lifelock_yanks_mobile_app/
By John Leyden, The Register, 19 May 2014

LifeLock has withdrawn its Wallet App and deleted user data over concerns the technology falls short of user data protection rules under the payment card industry’s Data Security Standard (PCI DSS). In a statement, Todd Davis, chairman and chief exec of LifeLock, said it was suspending the app as a precaution – not in response to a security breach. Yanking the mobile app will not affect the LifeLock ID theft protection service, which is designed to detect fraudulent abuse of credit card and non-credit related services, the firm assured customers. Nonetheless, taking the drastic step of pulling its mobile technology is bound to raise concerns – especially since LifeLock has yet to explain why its mobile apps were not up to snuff. […]

[ISN] Chicago’s Trustwave sued over Target data breach

http://www.chicagobusiness.com/article/20140325/BLOGS11/140329865
By John Pletz, On Technology, Crain’s Chicago Business, March 25, 2014

Trustwave Holdings Inc., a Chicago-based credit card security company, was sued alongside Target Corp. by banks who say they suffered financial damages when the retailer was hacked during the holiday shopping season. Although the most serious allegations are leveled at Target, the suit alleges that Trustwave failed to identify deficiencies in the retailer’s IT systems. Trustwave’s software audits companies’ IT systems to make sure they comply with credit card security regulations. The lawsuit is a blow to Trustwave, which, according to the complaint, says it has “performed more Payment Card Industry Data Security Standard (PCI DSS) Certifications than all other companies combined.” It’s also the first time the company, which keeps a low profile and is loath to discuss its customers, has been publicly connected to the Target breach. […]