Monday, December 23, 2013

A Target-ed Compromise

The media alerted consumers after learning that payment card data from purchases made at Target stores in the United States between November 27 and December 15 had been compromised.  Target is in the early stages of its investigation, so no details have been released on how the data was taken.

This is certainly not the first time card data has been stolen from a retailer.  In 2007, TJX (the parent of TJ Maxx) disclosed that over roughly 18 months more than 90 million card records had been funneled out of its systems; the fundamental problem was in-store wireless networks protected only by WEP, which attackers cracked to reach the network that carried card data.  In September 2012, Barnes & Noble discovered that one PIN pad in each of 63 stores had been tampered with so that the altered device captured card numbers and PINs as customers paid.

In both cases consumers had no way to protect their own data.  To preserve consumer confidence, the card brands instituted protections that retailers must follow.  Those protections are set out by the PCI Security Standards Council in the Payment Card Industry Data Security Standard (PCI DSS).  PCI DSS is a set of mandatory controls, enforced through the card brands' contracts with merchants and service providers, governing how cardholder data must be handled.  It is there to protect consumers' information.

Version 3.0 of PCI DSS takes effect January 1, 2014 for any organization that accepts, processes, stores or transmits card data.  Version 2.0 remains valid through December 31, 2014 to allow time to transition, and several of the new requirements (noted below) are "best practices" until June 30, 2015, after which they become mandatory.  The Council groups the changes into three categories: (1) clarification of an existing requirement, (2) additional guidance on an existing requirement, and (3) an "evolving requirement" (a new requirement added in response to emerging threats or changes in the market).

Given the state of the Target breach, consumers may be interested in what the enhanced standard adds and whether the new requirements would have provided better protection.

According to an article in Information Security magazine (SearchSecurity), the notable new requirements in PCI DSS 3.0 include:
  • Req. 5.1.2 - for systems not considered to be commonly affected by malware, perform periodic evaluations to identify and evaluate evolving malware threats.
Malware is a major area of change.  Merchants can no longer declare a system (a Linux server or a mainframe, for example) out of reach of malware and forget about it; they must periodically reassess whether the threat has changed and whether anti-malware is now needed.  In addition, the related Req. 5.3 requires that anti-virus mechanisms be actively running and that end users cannot disable or alter them unless specifically authorized by management for a limited time.
  • Req. 8.2.3 - combined minimum password complexity and strength requirements into one, and increased flexibility for alternatives.
Passwords must be complex: at least seven characters containing both letters and numbers, or a passphrase or other mechanism of at least equivalent strength.  Smart.
  • Req. 8.5.1 - for service providers with remote access to customer premises, use unique authentication credentials for each customer (best practice until June 30, 2015).
  • Req. 8.6 - where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.) these must be linked to an individual account and ensure only the intended user can gain access.
  • Req. 12.8.5 - maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
  • Req. 12.9 - for service providers, provide a written agreement/acknowledgment to their customers as specified in requirement 12.8.2 (best practice until June 30, 2015).
Merchants often rely on vendors to manage their card systems and PCI compliance, and those vendors serve many merchants.  In the past at least one vendor used the same remote-access password for multiple merchants, so a single compromised password exposed all of them.  The new standard requires service providers to use unique credentials for each customer, and 8.6 ties tokens, smart cards and certificates to an individual account so that a shared device or credential cannot simply be passed around.  The 12.8.5 and 12.9 changes address the other common failure: the merchant assumes the vendor is covering a requirement while the vendor assumes the merchant is, so nobody does.  Each party must now state in writing which requirements it owns.
  • Req. 9.3 - control physical access to sensitive areas for onsite personnel, including a process to authorize access, and revoke access immediately upon termination.
  • Req. 9.9 - protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution (best practice until June 30, 2015).
Physical protection of point-of-sale equipment is now explicit: controls on which personnel can access card-handling areas and equipment, and protection of card-reading devices against tampering and substitution.  In practice 9.9 means keeping an inventory of devices (make, model, location and serial number), periodically inspecting them for tampering, and training staff to recognize substituted devices and unverified "technicians" asking to service them.  The Barnes & Noble breach looks like exactly the scenario this requirement is aimed at.
  • Req. 11.3 and 11.3.4 - implement a methodology for penetration testing (best practice until June 30, 2015); if segmentation is used to isolate the cardholder data environment from other networks, perform penetration tests to verify that the segmentation methods are operational and effective.
The penetration testing requirement is considerably stronger.  Penetration testing means actively attacking a system, network or application to find vulnerabilities an attacker could exploit, rather than just running a vulnerability scanner.  Under 11.3 the test must follow a documented methodology based on an industry-accepted approach (NIST SP 800-115 is the example the standard cites), cover the entire cardholder data environment perimeter and critical systems, include both application-layer and network-layer testing from inside and outside the network, and be repeated at least annually and after any significant change.  Segmentation itself is not mandated, but many merchants use it to keep the cardholder data environment (and therefore the scope of the assessment) small; 11.3.4 closes the gap by requiring a test that proves, from the out-of-scope networks, that the segmentation actually blocks access.
  • Req. 11.5.1 - implement a process to respond to any alerts generated by the change-detection mechanism.
Req. 11.5 already required a change-detection mechanism (file-integrity monitoring) on critical system, configuration and content files; the new 11.5.1 recognizes that an alert nobody acts on is worthless and requires a defined process for responding to each one.  Note that this mechanism watches files on in-scope systems, so it is aimed at software tampering such as malware planted on point-of-sale hosts; a physically substituted PIN pad, as at Barnes & Noble, is what the inspections in 9.9 are meant to catch.
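To make the 11.3.4 segmentation test concrete, here is an added example (written for this post; not code from the article, the Council or any testing tool) of the core of such a test: from a host on an out-of-scope network, attempt TCP connections to every in-scope host and service, and treat any successful connection that is not a documented, approved flow as a segmentation failure.  The addresses, ports and the allowed-flow list are constructed for the example.  A real engagement would also probe UDP and ICMP, run from every out-of-scope segment, and test the in-scope to out-of-scope direction, but the classification and reporting logic is the same.

```python
"""Segmentation check: probe CDE services from an out-of-scope vantage point."""
import socket
from typing import Callable, Iterable, List, Tuple

Target = Tuple[str, int]

# Constructed inventory of in-scope (CDE) services. Addresses and ports are
# hypothetical; a real test takes this list from the scope documentation.
CDE_TARGETS: List[Target] = [
    ("10.20.1.10", 443),   # hypothetical payment application
    ("10.20.1.11", 1433),  # hypothetical cardholder database
    ("10.20.1.12", 22),    # hypothetical management host, SSH
    ("10.20.1.12", 3389),  # hypothetical management host, RDP
]

# Documented, approved flows from this vantage point (constructed example: none).
# Anything reachable that is not listed here is a segmentation failure.
APPROVED_FLOWS: List[Target] = []


def tcp_connect(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a full TCP handshake completes, i.e. the service is reachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def verify_segmentation(
    targets: Iterable[Target],
    approved: Iterable[Target] = (),
    probe: Callable[[str, int], bool] = tcp_connect,
) -> dict:
    """Probe each target and classify the result.

    The expected outcome for every target is 'blocked'. A reachable target is
    'approved' only if it appears in the documented allowed flows; otherwise it
    is a 'failure'. Segmentation is effective only when there are no failures.
    The probe is injectable so the classification can be exercised offline.
    """
    approved_set = set(approved)
    blocked: List[Target] = []
    approved_reached: List[Target] = []
    failures: List[Target] = []
    for host, port in targets:
        if not probe(host, port):
            blocked.append((host, port))
        elif (host, port) in approved_set:
            approved_reached.append((host, port))
        else:
            failures.append((host, port))
    return {
        "tested": len(blocked) + len(approved_reached) + len(failures),
        "blocked": blocked,
        "approved": approved_reached,
        "failures": failures,
        "effective": not failures,
    }


def format_report(result: dict) -> str:
    """Render the result in the form that goes into the test evidence."""
    lines = [f"targets tested: {result['tested']}"]
    for host, port in result["failures"]:
        lines.append(f"FAIL  {host}:{port} reachable from out-of-scope network")
    for host, port in result["approved"]:
        lines.append(f"OK    {host}:{port} reachable (documented allowed flow)")
    lines.append("segmentation effective: " + ("yes" if result["effective"] else "NO"))
    return "\n".join(lines)


if __name__ == "__main__":
    # Run this from a host on the out-of-scope network being tested.
    print(format_report(verify_segmentation(CDE_TARGETS, APPROVED_FLOWS)))
```

The point of separating the probe from the classification is that the pass/fail rule is stated up front: every in-scope service is expected to be unreachable, and the only acceptable exceptions are the ones already written down.  A test that simply lists open ports leaves that judgement to whoever reads the report.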


The broader shift in version 3.0 is that PCI DSS compliance is meant to be business as usual, maintained and monitored continuously, rather than a once-a-year exercise completed just before the assessment.  The Payment Card Industry is clearly learning from the mistakes that retailers and merchants have made (or discovered) in the past.
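As an added illustration of the continuous change-detection and response cycle behind Req. 11.5 and 11.5.1 (example code written for this post, not taken from the article or from any file-integrity monitoring product), the following builds a baseline of file hashes for a directory, compares a later snapshot against it, and gives every alert a disposition: changes that match an approved change record are closed, changes under paths designated critical are escalated as incidents, and everything else is queued for review.  The directory layout, the critical-path prefixes and the approved-change set are constructed for the example.

```python
"""Minimal file-integrity monitor with a Req. 11.5.1-style alert response process."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# Constructed example: paths under these prefixes are treated as critical
# (executables and configuration), so unexpected changes there are escalated.
CRITICAL_PREFIXES = ("bin/", "etc/")


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> Dict[str, str]:
    """Map every regular file under root (as a POSIX relative path) to its hash."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def detect_changes(baseline: Dict[str, str], current: Dict[str, str]) -> List[dict]:
    """Compare a new snapshot to the baseline; each difference becomes one alert."""
    alerts = []
    for rel, digest in current.items():
        if rel not in baseline:
            alerts.append({"path": rel, "change": "added"})
        elif baseline[rel] != digest:
            alerts.append({"path": rel, "change": "modified"})
    for rel in baseline:
        if rel not in current:
            alerts.append({"path": rel, "change": "deleted"})
    return sorted(alerts, key=lambda a: a["path"])


def respond(alerts: Iterable[dict], approved_changes: Iterable[str] = ()) -> List[dict]:
    """Give every alert a disposition so that none is silently dropped.

    approved_changes is a constructed stand-in for a change-management lookup:
    the paths covered by an approved change record.
    """
    approved = set(approved_changes)
    decisions = []
    for alert in alerts:
        if alert["path"] in approved:
            disposition = "closed-approved-change"
        elif alert["path"].startswith(CRITICAL_PREFIXES):
            disposition = "escalate-incident"
        else:
            disposition = "review"
        decisions.append({**alert, "disposition": disposition})
    return decisions


def demo() -> List[dict]:
    """Constructed scenario in a temp directory: take a baseline, then apply an
    approved config change, a routine log write, an unauthorized binary
    modification and a dropped file, and run the alerts through respond()."""
    root = Path(tempfile.mkdtemp())
    for sub in ("bin", "etc", "var"):
        (root / sub).mkdir()
    (root / "bin" / "pos").write_bytes(b"pos v1")
    (root / "etc" / "app.conf").write_text("port=443\n")
    (root / "var" / "app.log").write_text("started\n")
    baseline = snapshot(root)

    (root / "etc" / "app.conf").write_text("port=8443\n")      # approved change
    (root / "var" / "app.log").write_text("started\nsale\n")   # routine activity
    (root / "bin" / "pos").write_bytes(b"pos v1 + implant")    # unauthorized
    (root / "bin" / "dropper").write_bytes(b"unexpected")      # unauthorized
    alerts = detect_changes(baseline, snapshot(root))
    return respond(alerts, approved_changes={"etc/app.conf"})


if __name__ == "__main__":
    for decision in demo():
        print(f"{decision['disposition']:24} {decision['change']:9} {decision['path']}")
```

The response step is the part 11.5.1 adds: the comparison alone produces the same four alerts whether or not anyone looks at them, and a real deployment would feed the "escalate-incident" decisions into the incident response procedure required elsewhere in the standard rather than into a log file.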




References:
http://www.reuters.com/article/2012/10/24/us-barnesnoble-breach-idUSBRE89N05L20121024
http://searchsecurity.techtarget.com/tip/PCI-DSS-version-30-The-five-most-important-changes-for-merchants
