Merchants and payment vendors who never change the default password in sensitive systems are getting fresh attention from the Payment Card Industry Security Standards Council.
The council, which maintains the PCI data security standards, officially released version 3.0 of its data security standards Nov. 7, concluding the organization's current three-year cycle for upgrading standards. The new standards take effect next year.
The standards stress an increased focus on education, awareness and security as a shared responsibility within an organization, says Bob Russo, PCI council general manager.
The rules have undergone only minor changes from previous versions. "As luck would have it, not many tweaks were needed," Russo says. The latest version provides specific recommendations of best practices for ongoing PCI compliance and enhanced testing procedures to clarify compliance validation.
But opening the door to fraud because of disregard for system passwords remains an extensive industry problem, says Troy Leach, the council's chief technology officer.
"If we can eradicate default passwords, we would eliminate a lot of fraud," Leach says. The PCI standards emphasize education for those responsible for hardware and software system components in which default passwords are used, Leach says.
It is easy for hackers to gain entry to payments systems, knowing that default passwords are generally a simple sequence of numbers such as 1-2-3-4-5-6, says Chris Bucolo, senior manager of security consulting services for ControlScan.
With this password, fraudsters have changed settings on ATMs to trick them into thinking they were stocked with $1 bills instead of $20 bills; as a result, the ATMs would dispense 20 times as much cash as they were supposed to for each withdrawal. In a 2007 incident, fraudsters used this tactic to withdraw $1,540 in two visits to a compromised ATM before they were detected.
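The kind of check a compliance team can run against its own component inventory to catch exactly the condition described above: vendor defaults and trivial numeric sequences. This is an added example, not code from the PCI council or any vendor named in the article; the inventory and the per-component-type default list are constructed sample data, not real vendor defaults.

```python
"""Audit an inventory of payment-system components for default or trivially
sequential passwords. Inventory and default list are constructed samples."""
from dataclasses import dataclass

# Constructed stand-in for a vendor-default list; a real audit would populate
# this from each device's documentation.
KNOWN_DEFAULTS = {
    "atm-controller": {"123456", "admin"},
    "pos-terminal": {"1234", "0000"},
    "payment-gateway": {"password"},
}


@dataclass
class Component:
    name: str
    kind: str
    password: str


def is_sequential_digits(pw: str) -> bool:
    """True for digit-only strings that step by +1 or -1, e.g. 123456 or 654321."""
    if len(pw) < 4 or not pw.isdigit():
        return False
    steps = {int(b) - int(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def audit(components: list[Component]) -> list[tuple[str, list[str]]]:
    """Return (component name, reasons) for every component with a weak credential."""
    findings = []
    for c in components:
        reasons = []
        if c.password in KNOWN_DEFAULTS.get(c.kind, set()):
            reasons.append("vendor default")
        if is_sequential_digits(c.password):
            reasons.append("sequential digits")
        if len(c.password) >= 4 and len(set(c.password)) == 1:
            reasons.append("single repeated character")
        if reasons:
            findings.append((c.name, reasons))
    return findings


# Constructed sample inventory.
SAMPLE = [
    Component("atm-01", "atm-controller", "123456"),
    Component("pos-lane-3", "pos-terminal", "0000"),
    Component("gw-prod", "payment-gateway", "Xq7!v9Lm#2"),
    Component("atm-02", "atm-controller", "987654"),
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE):
        print(f"{name}: {', '.join(reasons)}")
```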
"The challenge for PCI is, why aren't people getting the word about the dangers of default passwords?" Bucolo says. "People think fraud can't happen to them, but they don't understand how technology works and how fraudsters get in."
The council also focuses on physical attacks in its standards, addressing a growing problem, Bucolo says. Many high-profile breaches occur because of criminals placing skimmers or scanners on equipment, he adds.
PCI recommends that by July 2015 merchants and payments vendors apply more scrutiny to work environments that use equipment for cardholder data activity, Bucolo says.
"The physical aspects are big because criminals will infiltrate a business and wait for three months to strike," Bucolo says. "Inside fraud is definitely on the rise."
In the future, PCI will likely focus on minimizing fraud attacks that come through Web applications, Bucolo says. It will also provide education on what PCI scope entails, he adds.
Too many companies feel that if they are not storing card data on their systems, then they are clear of PCI compliance concerns. In reality, systems may still be in PCI scope if they process and transport data, Bucolo says.
Fraudsters will attack those applications, he says. "All it takes is one hole or one gap in the system for a problem to occur," Bucolo adds.
Sometimes a merchant or vendor will assume that cardholder data is being stored separately from non-payment customer data such as e-mail addresses or shipping addresses, PCI's Leach says. Unfortunately, that is not always the case.
"One of the new standards calls for tests to verify that the card environment is indeed segmented from the rest of the network," Leach says.
The new standards take effect in January 2014, but merchants have an entire year to implement them.
"Don't wait if you don't have to," Russo says. "But there is quite a bit of time, especially to look at the best practices, back your way into it and get feedback."