10 Costly Mistakes That Lead To Credit Card Breaches
Solution Providers Play Key Data Protection Role
Costly errors stemming from third-party contractors lead to credit card breaches, according to studies that regularly analyze security incidents. That includes managed security service providers, infrastructure service providers, secure data center hosting providers, and those who sell managed IT delivery channels and services, according to the Payment Card Industry Security Standards Council, the organization that maintains the Payment Card Industry Data Security Standards (PCI-DSS). Merchants are not properly vetting third-party providers and failing to set clear expectations for information security and data protection, according to the PCI council's new guidance document, "Third-Party Security Assurance Information Supplement (PDF)." While the merchant is ultimately responsible for the protection of credit card data, communication often breaks down over shared responsibilities. These 10 mistakes outlined in the report are often at the core of costly data breaches.
Design Failures
Misconfigured firewalls, poorly implemented encryption and weak access control procedures lead to many breaches involving third-party providers, according to the Payment Card Industry Security Standards Council. Merchants need to have a discussion about patching cycles, change management and access control procedures, the council said. A risk assessment should outline the extent that payment systems are segmented from the rest of the third-party provider's network. It should identify the system components in place and the networking security appliances and other security software safeguarding those systems.
Poor Accountability
Merchants often fail to uncover the full extent of the daily operations at the third-party provider and fail to understand how routine maintenance and incidents are handled. The vetting process should reveal how remediation is conducted, the implementation and support staff available at various times, and administrators that may have access to sensitive data, according to the PCI council's security assurance report. It should include the documentation necessary to validate PCI DSS, including penetration tests, incident response procedures and evidence gathering processes.
Software Security Breakdown
Organizations can fail to determine if secure software development best practices and guidance are being followed. A lapse in this area leads to inadequate code reviews and poor remediation practices providing easily exploitable vulnerabilities to get access to payment system data. Proper vetting will determine the maturity level of the organization's software development lifecycle and whether information security is inserted early into the process, according to the PCI council security assurance report. Documentation should provide evidence to validate that proper procedures are in place.
Meager Functional Testing
Third party providers need to show evidence that internal and external network vulnerability scans are taking place, application and network penetration testing is conducted and rogue wireless detection is being considered, according to the PCI council security assurance report. Organizations that can't provide evidence of functional testing on a regular basis should raise a red flag, say experts. The carelessness should require further investigation and could reveal slipshod security policies and data handling practices.
Data Retention Issues
Security experts say a variety of organizations including some major universities have recently had data retention issues leading to exposure of decades old data that should have been properly wiped from systems and servers. A discussion with a potential third-party provider should set merchant expectations over retention periods for cardholder data storage, the procedures for secure disposal and how encryption or tokenization is deployed and maintained around the data, according to the PCI council security assurance report. Secure data backup procedures should be documented and the procedures for handling physical media should to be addressed as well.
Access Control Lapses
Poorly managed procedures for granting and monitoring vendor access to cardholder data could be the weakness used by cybercriminals to gain unfettered access to the information. Merchants need to discuss how their third-party provider grants access, revokes credentials and manages roles and responsibilities to those seeking access to card holder data, according to the PCI council security assurance report. Policies and procedures should be well documented and regularly reviewed.
Inadequate Logging Requirements
Forensics investigators tell CRN that many security incidents could have been uncovered before a breach took place if system logs were routinely reviewed. The merchant should have a discussion to determine the central logging capabilities used by the third-party provider and the requirements necessary to meet PCI DSS validation, according to the PCI council security assurance report. Adequate logs from all payment system components should have protections to validate their integrity. Collection and retention procedures also need to be clearly outlined.
Faulty Alerting Procedures
Organizations often use third-party providers for log management, but stumble when alerted to potential security incident. The misjudgment leads to obtaining costly incident response support, according to a consultant at a managed services provider. A third-party service provider reportedly alerted retail giant Target about the malware used in its massive breach. Despite having a security operations center in place, Target failed to investigate the alert. Incident response roles, responsibilities and communication strategies need to be clearly outlined and regularly reviewed, according to the PCI council security assurance report. A thorough review of a third-party provider should determine how logs are harvested and parsed. A workflow should be established addressing the timeliness of alerts, how they are communicated and who receives them.
Insufficient Security Awareness Program
Reducing employee errors can limit data exposure, say security experts. Third-party providers should have a formal security awareness program in place for all personnel that addresses the importance of cardholder data security, according to the PCI council security assurance report. The program should consist of more than on-boarding training and at a minimum should include annual activities, according to the document. Documentation should consist of staff acknowledgement of the training.
Lack Of Transparency
A third party provider can claim to have adequate safeguards over systems containing card holder data, but merchants could seek evidence that security controls and procedures are being followed to ensure that PCI requirements are validated, according to the PCI council security assurance report. If expectations are loosely set at the beginning of an engagement with a third-party provider, it could result in unclear roles and responsibilities in setting and maintaining security controls. The scope of the card holder data environment needs to be clearly defined and verified and is "pivotal" in determining the level of effort required to achieve compliance, according to the report.