The depth of Macy's breach pushes PCI compliance investment
Macy’s recently became the latest major retailer forced to inform its customers that their data had been exposed by another cyberthreat. Although detected by a third-party security tool, the cybercrooks still gained access to data from customers who had shopped on the retail store’s website.
This incident is the latest in years of retail data breaches that remind merchants about the importance of maintaining compliance with the Payment Card Industry Data Security Standard (PCI DSS).
According to the recent Verizon 2018 Data Breach Investigations Report, phishing remains the top method of cybercriminals, accounting for 93% of all breaches, which continue to be conducted predominantly over email. Worse yet, 68% of the breaches examined by Verizon took months or longer to detect.
The ongoing threat of data breaches serves as a reminder that every business is subject to PCI DSS compliance, no matter their size. Any company that handles cardholder data in any way must adhere to PCI DSS standards, which can be time-consuming and expensive.
Even if a company outsources some or all of its IT resources to a cloud service provider, it must maintain compliance. The only way to at least alleviate the burden is to shrink the footprint of the cardholder data environment to reduce and simplify the compliance process.
Before a company can begin to reduce its total scope, it must first determine exactly what customers and data are subject to PCI compliance measures. This grouping typically includes people, processes and technology that touch or see cardholder data, which can be far- reaching.
For example, if employees access a web page for data entry, cardholder data may be found in temporary browser cache files. Retail store or call center employees may write down card numbers manually for phone orders when power outages occur or when orders arrive via email. That information falls within scope as well.
Anything that connects to a server with cardholder data falls within the scope for PCI compliance. Something that is considered out of scope might be a system component that doesn’t store, process or transmit cardholder data and sensitive authentication data, or might not be on the same network.
Once an organization knows the full extent of its PCI scope, it can begin determining ways to reduce it. Here are eight paths to consider.
Network segmentation. It takes a lot of effort and time to secure all networks instead of just the ones containing cardholder data. Keep the networks that handle card data separate from the ones that don’t by employing network segmentation with firewalls between networks.
Point-to-point encryption. This technology eliminates the need for segmentation if an organization employs a validated point-to-point encryption solution. Point-to-point encryption ensures that card numbers are encrypted from first card swipe at the point of sale and while in transit all the way to the payment processor. If an organization uses only point-to-point encryption to process credit cards, its entire merchant network is out of scope.
Limit who can see credit card information. Simply reducing the number of people within an organization who can see cardholder information can reduce its PCI scope. If certain employees don’t require access to the data, there is no reason they should ever see it. Organizations can limit who sees cardholder data by ensuring that it is only shared on specific protected networks, separate from other information that various departments typically access. Network segmentation can help with this. For extra security, the data should also be encrypted at rest and in transit.
Limit access to credit card data. Just as organizations can limit who sees cardholder data, they can also limit access to specific kinds of cardholder data. To reduce PCI scope, restrict access to only the particular types of cardholder data that are required by the various types of employees who need it to do their jobs.
Limit cardholder data in physical locations. Cardholder data is at high risk in most retail and other physical environments where credit cards are used. Encryption of credit card data at the point of purchase will minimize a physical PCI footprint.
Secure online payments. Another way to reduce PCI scope is to employ transparent data redirection when accepting online payments. Seek out APIs with direct post functionality, often referred to as transparent redirect. They are especially useful in health care organizations that receive patient web payments through electronic health-records software. Using the API, a patient's credit card information is sent directly to a third-party processor, and never passes through the health care organization's web server. This reduces the PCI scope on that server.
Use tokenization. Tokenization is the process of swapping highly sensitive cardholder data for a "token." The token has several random digits that can’t be restored back to their original value. This helps ensure that the sensitive information is kept safely in one place. By reducing where cardholder data is located, the scope of a PCI audit is greatly reduced.
Outsource. Yet another way to reduce PCI scope is to outsource various IT-related tasks and responsibilities to third parties. This can include anything from firewall management to the system hosting to data storage for a monthly fee. Organizations can eliminate some of the stress of PCI compliance while also freeing up your internal IT resources for other endeavors. However, even if a third-party vendor puts an organization’s entire cardholder data environment in a PCI-compliant cloud, that organization is still responsible for overall PCI compliance and for drafting a report on compliance (ROC).
As long as people rely on credit cards and electronic transactions, companies will always be held accountable socially and legally for their efforts to protect customer data. Reducing the scope of what’s covered under PCI can ease some burdens. However, the protection of customer data should always be the top concern.