DARK DOMINION
The High Stakes Of Data Hoarding
By Tim Wilson

I admit it: I'm a pack rat. I save everything. I still have notes from stories I wrote in the 1990s. I have my toy soldiers. I have clothes I wore in junior high. If I ever need 10 boxes of 9-by-12 envelopes, I've got 'em. If I ever need a directory of security vendors from 2009, I'll just pull it out. If floppy disks come back, you know who to call.

Why do people save this stuff? Because you never know when you're going to need it. In my neighborhood, being a pack rat makes me quirky and colorful. But in yours, it puts you at risk for a major breach and becoming the next headline.

In many ways, a lot of businesses behave this way. Businesses are loath to throw away data—particularly customer data. Paying customers are hard to find, so when you have their data, you don't let it go easily. They hang on to old and moldy data, thinking someday they'll mine it for sales leads, buyer analysis, or other business intelligence.

Unfortunately, old customer data also is a risk. Some old data contains personally identifiable information—such as Social Security or credit card numbers—that previously were used as customer identifiers. If any of this data is compromised, it would mean a major breach for your company, forcing it to disclose the breach to the authorities, and that's bad news. And some old data may be stored on servers or in applications that your company has forgotten about and isn't protecting. Old customer data is sometimes stored in applications or on servers that aren't getting the patches and other security updates that current systems get.

The Real Risk
Such data is a treasure trove for hackers and political activists. Such records can contain credit card, banking, and other personal data. Not only can it be used or resold for nefarious purposes, but compromised customer data will make your company look bad. There have been many instances of hackers or researchers exposing sensitive data on old hard drives, even those sent to a recycler. In other instances, cybercriminals have dug through old customer lists or databases and harvested enough data to penetrate a company's more current information systems. A breach also can mean loss of compliance with industry standards such as the Payment Card Industry Data Security Standard, incurring additional penalties and even the revocation of your credit card processing privileges.

Security people talk constantly about ways to store and use live data safely, but they hardly ever talk about disposing of old data that's no longer in use. However, end-of-life data security issues can be as serious as those surrounding newly created data. The lesson here is simple: If you've got old, sensitive data, store it in a secure, encrypted location or erase it entirely. Take a look at those old servers, applications, and databases: You may find there's plenty of information there that you can do without.

Tim Wilson is editor of DarkReading.com. Write to him at wilson@darkreading.com.

Avoid The Holiday Blues
The holiday season is one of the favorite times of the year for online criminals. Our webcast will help you get ahead of holiday hackers by taking some proactive steps. It happens Nov. 8. Register at darkreading.com.
And though the U. But all retailers must understand how to protect the credit card and other customer data that comes from online transactions. Census Bureau reports that e-comNovember 2012 3 . merchants find the Payment Card Industry’s requirements for protecting credit card data challenging and confusing. accounting for 20% of total breaches.com Whether they’re brick-and-mortar or online. according to Verizon’s 2012 Data Breach Investigations Report. because their businesses are in cybercriminals’ crosshairs.S. Retailers are the second leading source of leaked data (after the hospitality industry).Previous Next COVER STORY Help for online retailers stuck in a maze of e-business security and PCI compliance requirements By Robert Lemos darkreading.
Start by assessing your infrastructure to determine which systems handle transaction and cardholder data. Many online retailers aren’t aware of this and other PCI requirements and how to deal 1. product information. and a very scary world for a merchant. “We aren’t seeing a lot of large-scale breaches.com merce transactions account for only about 5% of the retail economy. ”I’m not looking for who can get me November 2012 4 . because from day one. and they’re the most vulnerable: Nearly 95% of breaches happen to merchants with 100 employees or fewer. says Greg Rosenberg.Previous Next SECURING WEB DATA COVER STORY Stay Safe Our Security Monitoring Tech Center is your portal to all the news. according to the Verizon report. Know Your Infrastructure Online merchants must worry about the degree to which their online retail systems integrate with their day-to-day business networks. chief security officer for payment processor Heartland Payment Systems. technical data. but we have to find out a way to make it easier for the smaller merchants.. The Verizon study found that 96% of victims of successful attacks had failed to comply with the PCI rules they were subject to. and best practices related to the monitoring of IT security events and status. general manager of the PCI Security Standards Council. a qualified security assessor with managed security provider Trustwave. These systems are the ones that you’ll want to subject to PCI DSS. the governing body for PCI’s Data Security Standard (PCI DSS).” says John South. The following 10 steps will help your company institute the controls needed to secure cardholder data and meet PCI’s requirements. payment processors require all online merchants to submit to a quarterly network scan by an approved security vendor. 
“These standards are right on target for the big guys with the big security departments.” Online retailers have one big security requirement that the 100% brick-and-mortar corner store doesn’t have: card-not-present transactions. They don’t have the dedicated security and risk management teams larger businesses have. he says. you’re a target. identify which systems have access to card data. Because customers don’t physi- cally hand over their credit cards for online purchases. Get a qualified security assessor involved.” Rosenberg says.” says Bob Russo. they’ve steadily grown every year. “It’s an interesting world out there.. and 97% of breaches could have been prevented through simple or intermediate security controls. Network scanning and log analysis can help The Hard Part Percentage of companies that passed the three most difficult PCI requirements last year Protect stored data 42% Maintain a policy that addresses information security 39% Regularly test security systems and processes 37% Data: Verizon’s “2011 Payment Card Industry Compliance Report” with them. We’re seeing much smaller breaches. Many of the retailers playing in this scary online world are small businesses. Such scanning is designed to detect vulnerabilities and misconfigurations. but simple steps can make a big difference when it comes to protecting customer data. “There are a lot more attack vectors—a lot more systems—that we find and can identify vulnerabilities in than customers know about. . Click Here darkreading.
“If you don’t need the data. “But make sure that the sensitive data itself isn’t logged. “Being able to chop off big chunks of your infrastructure and saying it has nothing to do with processing transactions—that’s a big help. Marketing types. but who can help me understand my risk. Companies that don’t hold onto card data tend to take security more seriously and suffer fewer breaches. and multinational IT managers. want to save everything. VP of static-code analysis at WhiteHat Security. “because someday they might use the data to send someone a coupon.” says Chris Eng. says the Ponemon Institute.com 3. an application security company. So it makes sense to segment off parts of the network—and the employees involved with those parts of the network—from access to card data. increases security. to allow easy reuse of credit cards. whether on Web servers. VP of Veracode. . “I would rather significantly reduce my risk posture than quickly pass PCI. a Web application security provider. Only 40% of companies that retained data suffered no breach in that same time period. or CVV. don’t store it. or on a sales associate’s laptop. Have Fewer Data-Handling Systems All systems that have access to the transaction data or card data at rest fall under the PCI DSS. although many do: the card verification value. “Logging is absolutely essential.” 4. In a survey of 670 U. then securing credit card data isn’t something that you should have to focus on. ”If your store sells snowboards online. This approach reduces the number of systems that fall within the scope of PCI requirements. Whatever the reasons for hanging on to customer data. according to the Ponemon Institute’s 2011 PCI DSS Compliance Trends Study.” Rosenberg says. and they’re an expensive part of any assessment.” says Martin McKeay. and to handle chargebacks. Find The Data Companies save card data for three main reasons: to better handle customer service requests.S. 
“We still have way too many companies using credit card numbers as the primary identifier for their customers.” says PCI SSC’s Russo. Discover where the data resides. Get Rid Of The Data Online merchants can outsource their processing infrastructure. it found that 85% of companies that didn’t retain primary cardholder data didn’t suffer a breach over a two-year period. companies should hunt down every instance on their systems. One piece of data that the business should never retain. and whether they need the information at all. for instance. letting a third party handle all payment processing details and take on much of the responsibility—if not liability—for the data.” darkreading.Previous Next SECURING WEB DATA COVER STORY through my audit really quickly. in a customer ser vice application. code.” says Jerry Hoff. “They see it as a way to increase the likelihood that the transaction November 2012 5 Where Stolen Data Comes From Hybrid Data redirection 5% 4% Stored data 28% 63% In transit Data: Trustwave’s “2012 Global Security Report” on 300 breaches cuts compliance costs. a security evangelist at Internet services company Akamai.” 2.” Hoff says. and people don’t do enough of it. and A key part of this approach is to log transactions without logging the credit card numbers. who has access to it.
” You’ll also want to gather information on your partners’ PCI compliance. CTO at PCI SSC. log transactions. you’re still responsible for confirming that the third party is protecting the information.Previous Next SECURING WEB DATA COVER STORY will be approved. Those requirements became November 2012 6 . and then I’m done. 6. Use Secure Software Credit card data is handled most often by software. Buying a PCIcompliant data protection product won’t automatically make your company PCI-compliant. you can narrow your focus to two requirements: blocking access to data (requirement nine) and maintaining a policy that addresses information security (requirement 12). “The challenge is that there is typically some sort of access to that cardholder data. says Troy Leach. Check Out Partners Merchants that outsource to a service provider but retain some ability to check transactions are less likely to reduce the scope of their PCI compliance. Just segmenting the network and minimizing retention of card data won’t make your company PCI compliant. says Evan Tegethoff. Managed service providers handle a lot of card data. ‘Let me go buy something that’s PCI-compliant. the liability generally rests with the merchant. “If there is. Rather than having to comply with all 12 requirements. have a vulnerability remediation process in place. Third parties administered 76% of systems that were breached last year.’ ” PCI SSC’s Russo says. provide secure authentication. A compliant program needs to. PCI PREVENTS BREACHES 64 38% PCI-compliant companies had no % of cardholder data breach in last two years of noncompliant companies were breach free Data: Ponemon Institute’s “2011 PCI DSS Compliance Trends Study” >> Web application scanning vendors must qualify as PCI-compliant to be listed as compliant on the pcisecuritystandards. Data security darkreading. The same goes for technology. that brings their entire environment back into scope. so make sure you’re using secure software. 
“Merchants frequently think. not store full mag-stripe data. making them attractive to attackers. You still must check your store for compliance and fill out a self-assessment questionnaire. but it can reduce them. and encrypt all communications over public networks.” Trustwave’s Rosenberg says.” Leach says. but the overall effort is less onerous. No merchant can ever eliminate the scope of PCI requirements. “but the problem is that you aren’t supposed to have that data after the transaction has cleared. And when a breach happens. >> Any payment application used as the transaction engine for a store should comply with a separate set of standards: the PCI Payment Application Data Security Standard. Key areas to be aware of: >> Hosting services must comply with PCI and. among other security measures. 5.com technology must be adjusted to a company’s needs and monitored to ensure that it’s protecting all of the right data. including a self-assessment questionnaire. a PCI solutions architect with security services firm Accuvant. If a third party is handling your company’s data. A few years ago.org site. Ask for documentation of a third party’s PCI compliance status. Heartland’s South says. companies that had to comply with PCI’s requirement for the development and maintenance of secure applications only had to make sure their software eliminated the Open Web Application Security Project’s top 10 vulnerabilities. in particular.” Getting rid of the data reduces the PCI burden tremendously. not people. including timely patching and updating of their server software.
but attackers can use the technique to redirect customers to a lookalike site from which they can collect card data. It must be configured correctly. Encrypt. Authorized Users Only Three PCI requirements deal with authorization. In many cases. E-commerce vendors must find these vulnerabilities during development or a security scan and fix them.” Companies also must think like attackers. VP of data security firm Voltage. a third-party provider used the same password or a simple variant across many of its clients. a breach of one business led to the breach of all. Employees and partners may also inadvertently weaken your company’s data access policies by choosing poor passwords. that data must be encrypted when stored and transmitted. such as the SANS top 25 most dangerous software errors. or use a Web application firewall to block attacks. Alternatively. That may be too long. And Don’t Lose The Keys For companies that keep cardholder data. you cut down the number of PCI requirements and reduce the impact of breaches. use a WAF to block these attacks. A cross-site scripting attack. No wonder companies have trouble keeping up. even if attackers get the information. dynamically scan the website to identify and patch vulnerabilities.” Eng says. never mind the other 23 issues. By using end-to-end encryption. Techniques that encrypt transaction data and return a token. to unencrypt the data are popular with merchants. when PCI SSC changed the language to include other collections of vulnerabilities. “If I’m a hacker and I can redirect you to a website.com nient. But just having a WAF isn’t enough. 8. Protect The Web Server The critical part of an online retailer’s operation is the care and maintenance of its Web server and online store. he says. the top two threats on the SANS list. 7. lets an attacker inject content onto a vulnerable website to make it appear to come from that site. “Many companies run them in a mode that never blocks a request. 
Merchants can use one of three strategies to protect their online stores and comply with PCI: Scan code for vulnerabilities and fix any problems as part of development. The quarterly scan that e-commerce vendors must submit to can find security vulnerabilities. which is similar to a credit card number. A whopping 80% of breaches are caused by the use of weak or default administrator credentials. “They tend to be configured very. it doesn’t constitute a breach. While a brick-and-mortar store has to educate and monitor cashiers who handle credit cards every day. Yet an online retailer may have a harder time restricting access to card data. software must be kept up to date and critical flaws patched within 30 days. It’s all about turning cardholder data from gold data that attackers want into worthless straw that they can’t access. Trustwave said in its 2012 Global Security Report. In addition. But encryption doesn’t solve all of your November 2012 7 . Bower says. e-commerce employees never see an actual card. under PCI. says Veracode’s Eng. very ledarkreading. because so many employees have legitimate ac- cess to the systems that handle the data. because with tokenized data. A cross-site scripting attack may not directly compromise a merchant’s website. says Mark Bower. for instance. Restricting physical access to cardholder data may be the easiest one to comply with. 9. what prevents me from redirecting you to my bad site?” says Trustwave’s Rosenberg. Online companies have problems securing their sites against SQL injection and cross-site scripting.Previous Next SECURING WEB DATA COVER STORY more stringent last year.
Many large breaches have happened because thieves were able to get the decryption key. 10. Attackers could use HTML injection. to make Google’s pageranking bots see links in a merchant’s site that aren’t normally there.Previous Next SECURING WEB DATA COVER STORY problems. they must protect their customers’ data. for example.com. says Heartland’s South.” Hoff says. Most important.” More help is on the way: PCI SSC has an interest group developing guidelines for e-commerce security. It’s an “absolute bare-bones requirement. It doesn’t mean you aren’t going to have an accident. “It’s like the sign that says ‘No Running’ by the pool. “Their basic obligation is that they have to protect their client’s transaction. due by December. PCI is just a tool to get there. Don’t Become A Check Box Culture PCI isn’t the be-all and end-all of information security. darkreading.” Businesses should worry about threats beyond those covered by the PCI DSS.com . And that really has nothing to do with PCI. Its initial report. The result: An online retailer’s site could be used to raise the page rankings of malicious websites. Write to us at editors@darkreading. online merchants must understand that to keep their customers. “You need to ask in this environment: How could I be attacked?” says Trustwave’s Rosenberg. should go a long way toward assisting all retailers in securing their customers’ data.
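Steps 2 and 3 above, and the Dark Dominion column's advice to go hunting through old servers, applications, and databases, come down to two mechanical tasks: locating card numbers wherever they sit, and keeping them out of logs. The following Python is an added example, not code from the article or from any vendor quoted in it. It finds primary account numbers by Luhn-checking runs of 13 to 19 digits (so order IDs and SKUs of the same length are skipped) and masks hits to the first six and last four digits, the most PCI DSS allows to be displayed. The log lines and file contents are constructed; 4111111111111111 and 5500000000000004 are standard test card numbers, not real accounts.

```python
import re
from typing import Dict, List

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits (so "...0004," matches but "123456789012345678901" does not).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: true for every valid card number, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid card numbers in text, separators stripped, in order of appearance."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Keep first six and last four (PCI DSS display maximum); star out the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_log_line(line: str) -> str:
    """Rewrite a log line so the transaction is still recorded but the PAN is not."""
    def _repl(m: "re.Match[str]") -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_repl, line)


def scan_for_stored_pans(sources: Dict[str, str]) -> Dict[str, List[str]]:
    """Step 3 in miniature: map each source that holds card data to the (masked) numbers found there."""
    report = {}
    for name, text in sources.items():
        hits = find_pans(text)
        if hits:
            report[name] = [mask_pan(p) for p in hits]
    return report


# Constructed sample data: a Web server log, a support ticket, an old laptop export, a product catalog.
SAMPLE_LOG = (
    "2012-11-02T10:15:31Z INFO order=1234567890123 pan=4111111111111111 amount=149.99 status=approved\n"
    "2012-11-02T10:16:02Z INFO order=1234567890124 pan=5500 0000 0000 0004 amount=89.00 status=approved\n"
    "2012-11-02T10:16:40Z WARN order=1234567890125 txid=4111111111111112 status=declined\n"
)
SAMPLE_SOURCES = {
    "web-server/access.log": SAMPLE_LOG,
    "support/ticket-4471.txt": "Customer asked to rerun the charge on card 5500-0000-0000-0004, CVV 123",
    "laptop/leads-2009.csv": "name,card\nA. Buyer,4111111111111111\n",
    "catalog/products.csv": "sku,price\nSKU-1234567890123,149.99\n",
}

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(sanitize_log_line(line))
    for source, pans in scan_for_stored_pans(SAMPLE_SOURCES).items():
        print(f"{source}: {', '.join(pans)}")
```

The third log line shows the trade-off of Luhn filtering: a 16-digit value that fails the check is left alone, which is what keeps transaction IDs and SKUs readable, so a scan of this kind is a discovery aid and not a substitute for knowing where card data is designed to flow. The support ticket also carries a CVV next to the card number, exactly the data step 3 says should never be retained; once the ticket is found, the fix is to purge it, not to mask it.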
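Step 8 describes tokenization in one sentence: the storefront keeps a token, the card number lives encrypted in a vault, and the key lives somewhere else again, so a dump of any one store is "worthless straw." The Python below is an added example, not code from the article or from Voltage or any other vendor it names; KeyStore, TokenVault and StorefrontOrder are assumed names. So that it runs on a bare Python install, the cipher is an HMAC-SHA256 keystream in counter mode with an encrypt-then-MAC tag and labelled subkeys; in a deployment an AEAD such as AES-GCM from a vetted library takes that role and a KMS or HSM takes the KeyStore's. The card number is the standard 4111111111111111 test value.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict


def _derive(master: bytes, label: bytes) -> bytes:
    """Derive a purpose-bound subkey so encryption and authentication never share a key."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC-SHA256(key, nonce || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(master: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: 16-byte nonce || ciphertext || 32-byte tag."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_derive(master, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_derive(master, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def record_intact(master: bytes, blob: bytes) -> bool:
    """True only if the tag verifies under this key: tampering or the wrong key both fail."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_derive(master, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def decrypt(master: bytes, blob: bytes) -> bytes:
    if not record_intact(master, blob):
        raise ValueError("vault record failed integrity check")
    nonce, ciphertext = blob[:16], blob[16:-32]
    stream = _keystream(_derive(master, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


class KeyStore:
    """Stand-in for an HSM/KMS: the one place the master key exists (assumed name)."""
    def __init__(self) -> None:
        self._master = secrets.token_bytes(32)

    def master(self) -> bytes:
        return self._master


class TokenVault:
    """Token -> encrypted PAN. Holds ciphertext only; the key is fetched from the KeyStore per call."""
    def __init__(self, keys: KeyStore) -> None:
        self._keys = keys
        self._records: Dict[str, bytes] = {}

    def tokenize(self, pan: str) -> str:
        digits = pan.replace(" ", "").replace("-", "")
        # Random token; the last four digits ride along in clear so support staff can say "card ending 1111".
        token = "tok_" + secrets.token_hex(12) + "_" + digits[-4:]
        self._records[token] = encrypt(self._keys.master(), digits.encode())
        return token

    def detokenize(self, token: str) -> str:
        return decrypt(self._keys.master(), self._records[token]).decode()

    def dump(self) -> Dict[str, bytes]:
        """What someone with read access to the vault database (but not the KeyStore) sees."""
        return dict(self._records)


@dataclass
class StorefrontOrder:
    """The e-commerce database row: it stores the token and never the PAN (assumed shape)."""
    order_id: str
    card_token: str
    amount: str


def place_order(vault: TokenVault, order_id: str, pan: str, amount: str) -> StorefrontOrder:
    """The only moment the PAN is in the storefront's hands is the call into the vault."""
    return StorefrontOrder(order_id, vault.tokenize(pan), amount)
```

The three stores that matter are now separable: the storefront row carries a token, the vault carries ciphertext with an integrity tag, and the KeyStore carries the key. The "don't lose the keys" half of step 8 is the observation that compromising the vault and the KeyStore together is equivalent to holding the card numbers, which is why the two should never sit on the same host or share an administrator credential.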
Dark Reading, November 2012. Copyright 2012 UBM LLC. All rights reserved. Letters to the editor: editors@darkreading.com.