The so-called Cyber Monday is behind us, but the online sales keep ramping up. The Wall Street Journal shows that online shoppers have spent more than $1.1 billion over a two-day period, and traffic to shopping sites has been steadily up. Good for business, but also a very attractive target for attackers from inside and outside companies that deal with credit card data.
A successful holiday season could be trouble for a company if it’s followed by a revelation that credit card data has been stolen, leaked, or simply sold by an insider. Think your company is immune? That’s what Guidance Software thought as well. The company, itself a provider of software to diagnose break-ins, was looted to the tune of 3,800 customer credit card numbers.
Poor security also led to the TJ Maxx breach in 2007, which involved credit card data for more than 45 million people. You get the point. Credit card data is an attractive target for external attackers and for insiders with a grudge and/or looking to cash in on access.
There’s long been an industry standard for credit card compliance, the Payment Card Industry (PCI) standard. Companies have long faced fines or worse — de-certification, meaning the loss of the ability to process credit cards. Extremely damaging for brick-and-mortar stores, and a kiss of death for online stores.
Companies not only face fines and penalties from credit card issuers, but PCI compliance is becoming law in some states. For example, Washington state has enacted a law this year (H.B. 1149) that deals with security breaches of credit card data. Companies can be held responsible for unauthorized access to credit card information — unless they’re compliant with PCI Security Standards Council Data Security Standards (DSS). (See the self-assessment questionnaire.)
Early Resolutions for 2011
No doubt your company already has taken measures to be PCI compliant, but are they enough? In particular, what measures are being taken to address inside attacks? One of the keys is controlling access, ensuring privileged user management, and eliminating shared passwords. These correspond with PCI sections 7, 8, and 10 — restricting data by need to know, making sure each person with access has a unique ID, and tracking and monitoring access.
In addition to these, companies need to ensure a few other technical measures. It’s probably too late to enact these for 2010 — most companies have already put a “freeze” in place on updates for the holiday season. You don’t want to tamper with systems when they’re at their most busy, fulfilling holiday shopping demand!
Specifically, companies need to address firewalls (PCI-DSS Requirement 1), encrypt transmission of data when sent over public networks (PCI-DSS Requirement 4), and perform regular audits (PCI-DSS Requirement 11).
All of these are easy to do on Linux. Linux’s native firewall tools (iptables) are well-suited to setting up the kind of configurations you need to be PCI compliant. But, of course, there are plenty of software and hardware solutions available as well.
Any server handling any customer data should be configured to use SSL/HTTPS. If data is being stored offsite, backed up to third party services (such as Amazon S3), then it should be transmitted over encrypted channels, and it would be a wise idea to encrypt data prior to transmission as well. Again, plenty of FOSS and commercial tools are available for this, such as GnuPG, OpenSSL, or Centrify’s DirectSecure.
Finally, companies should leverage open source or commercial tools (such as Nmap/Zenmap) to perform network audits and set up intrusion detection services to detect intruders or insiders overreaching their access internally.
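As an added example (not from the original article), here is a small audit script in the spirit of Requirements 1 and 11: it reads an iptables-save dump and flags a default policy that is not DROP, and any rule that accepts a cleartext or internal-only port from arbitrary sources, which is also where the "use SSL/HTTPS" point above bites. The sample ruleset and the list of ports to flag are constructed for illustration and are assumptions, not PCI-mandated values.

```shell
#!/bin/sh
# Constructed sample in iptables-save format (not captured from a real host):
# the kind of "just make it work" ruleset a cardholder-data server often ends up with.
SAMPLE_RULESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -s 10.0.5.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
COMMIT'

# Ports that should never be reachable from arbitrary sources on a server that
# touches card data (assumption for this example): cleartext protocols and the DB.
PLAINTEXT_PORTS='21 23 80 3306'

# audit_ruleset: reads an iptables-save dump on stdin, prints one finding per line.
audit_ruleset() {
    awk -v plain="$PLAINTEXT_PORTS" '
    BEGIN { n = split(plain, p, " "); for (i = 1; i <= n; i++) bad[p[i]] = 1 }
    /^:INPUT / && $2 != "DROP"   { print "Req 1: INPUT default policy is " $2 ", expected DROP" }
    /^:FORWARD / && $2 != "DROP" { print "Req 1: FORWARD default policy is " $2 ", expected DROP" }
    /^-A INPUT/ && / -j ACCEPT/ {
        port = ""; src = "any"
        for (i = 1; i <= NF; i++) {
            if ($i == "--dport") port = $(i + 1)   # destination port of the rule
            if ($i == "-s")      src  = $(i + 1)   # explicit source restriction, if any
        }
        if (src == "any" && port != "" && (port in bad))
            print "Req 1/4: port " port " accepted from any source (cleartext or internal-only service)"
    }'
}

# finding_count: number of findings for the sample ruleset; 0 means it passed.
finding_count() {
    printf '%s\n' "$SAMPLE_RULESET" | audit_ruleset | wc -l | tr -d ' '
}

# Run on the live host with: iptables-save | audit_ruleset
finding_count
```

On the constructed sample the script reports five findings: both default policies, and ports 80, 23 and 3306 open to the world, while 443 and the subnet-restricted SSH rule pass.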
Summary
Every admin, IT manager, and (especially) C-level IT exec should be thinking hard about protecting credit card data all year around, not just for the holiday season. But this is the time of year when more people are whipping out the plastic to purchase gifts online. As the orders pour in, it’s a good time to revisit your company’s practices for working with and protecting credit card data. That way, when the office parties are done, and the post-holiday sales have wrapped up, you’ll be well-poised to put policies and technology in place to protect cardholder data — and your company.