Don’t Let the Grinch Steal Your Payment Card Data this Holiday Season!

It’s a minute before midnight and all through the SOC, responders and engineers try to systems unlock. The ransomware was the dreaded WannaCry. Should they pay the ransom, so they can get by?

Retail organizations are increasingly being attacked by ransomware and even with mandated compliance standards, these organizations are falling short. The 2018 Verizon Payment Security Report showed that full PCI DSS compliance in the area of “Protect against malicious software,” fell from “92.1% in 2016 to 87.7%, a drop of 4.4 percentage points.”¹. The retail sector showed the highest gap in this PCI control compared to all other industries in the report. Even more disturbing, almost half (47.5%) of the organizations Verizon assessed during interim PCI DSS compliance validation did not maintain all DSS controls.¹ Can this poor control create opportunities for Grinches to steal payment card data this holiday season?

Kiplinger predicts that e-commerce will “have yet another banner year, growing by 15%, while in-store sales should do all right at 3.6%, their best showing since 2014.”² With increased transactions come increased opportunities for payment card information to be exfiltrated.  Public breaches of payment card information globally are resulting in large fines. Companies even face class action lawsuits such as is the case with British Airways.³ Ultimately, breaches result in loss of revenue long-term. Seven in 10 consumers say that they would consider leaving a retail business if it were hit by a ransomware attack.⁴ What can retail organizations do to protect credit card information? Here are five steps:

1. Build and maintain a strong information security policy – Maintain a policy that addresses information security for any and all personnel. The ForeScout platform provides an avenue to present the company’s Information Security policy to employees, requiring them to acknowledge reading and understanding it. This provides organizations a route to establish, publish, maintain and disseminate a security policy.

2. Build and maintain a secure network and systems – Install and maintain a firewall configuration to protect cardholder data. Implement one primary function per server and only enable necessary services and protocols required for the function of the system.

3. Maintain a vulnerability management program – Protect systems against malware and regularly update antivirus software and programs. ForeScout can detect hosts without an installed antivirus application, validate if an antivirus program is running with up-to-date threat signatures and continuously monitor endpoints to determine if the antivirus becomes inactive. In addition, ForeScout can automatically quarantine noncompliant devices based on predetermined policies.

4. Implement strong access control methods – Restrict access to cardholder data by business need to know. ForeScout provides device and role-based network authentication and authorization, limiting individuals and their devices to appropriate network access as determined by virtual local area networks (VLANs) or access control lists (ACLs). Enforcing network segmentation helps limit access to system components and cardholder data to those individuals whose job requires such access.

5. Monitor and test your networks – Regularly test security systems and processes. ForeScout can monitor and detect authorized and unauthorized wireless access points connected to the PCI network, create policies to isolate rogue access points as well as notify personnel of the discovery. In addition, ForeScout can provide real-time vulnerability scans as well as detect malicious activity by leveraging information sharing capabilities with third-party advanced threat detection, vulnerability assessment and security information and event management systems.

While these five steps are not all-encompassing, applying basic security such as described above and defined in PCI DSS 3.2 has been proven to reduce cardholder data breaches, making the holiday season brighter for everyone! For more information, download the ForeScout Compliance Guide to learn how to address PCI DSS 3.2 controls.

¹ Verizon Payment Card Industry Report: http://www.verizonenterprise.com/verizon-insights-lab/payment-security/2018/
² Kiplinger Spending Forecast: https://www.kiplinger.com/article/business/T019-C000-S010-retail-sales-consumer-spending-forecast.html
³ British Airways faced with class action lawsuit: https://www.bankinfosecurity.com/british-airways-faces-class-action-lawsuit-over-data-breach-a-11478
⁴ Carbon Black Ransom Aware Survey: https://www.carbonblack.com/wp-content/uploads/2017/05/Carbon_Black_Ransom_Aware_Survey_Report.pdf