Dark Reading has an article on PCI compliance from the end of last year:
An important paragraph:
“In the cases of the largest data breaches, in 2014 a common point of vulnerability was the exploit of remote access methods to implant malware on systems that store, process, or transmit cardholder data. Frequently the point of malware penetration was back-office PCs supporting the payment system, which may run unpatched operating systems highly vulnerable to malware attacks. These systems often lack the same controls as a payment terminal, such as tamper-responsive detection and other protections for malware in volatile memory.”
“Many organizations lack an effective process to apply PCI DSS”
The article also discusses consistent and effective controls, continuous monitoring of risks, and regular assessments of new threats.
Troy Leach was the author; he is the Chief Technology Officer for the PCI Security Standards Council (SSC).
I also want to add FTC Chairwoman Edith Ramirez’s opening remarks at the CES show on the 6th of January.
“We are told that, in 2015, the world will have 25 billion connected devices; the number of smart home devices will reach nearly 25 million; and IoT software platforms will ‘become the rage.’ But we have also been warned that 2015 will be the year we start hearing about smart-home hacking.”
I had heard the headlines about the privacy aspect of the IoT (Internet of Things), but in her statements she also discussed the security risks of IoT. She raises a valid concern: security in the IoT space has not been thought about for decades, so as we start introducing all of these devices everywhere (home and business) there should be a focus on Security by Design, instead of functionality first.
And finally the chairwoman finishes with:
“As is evident here this week, companies are investing billions of dollars in this growing industry; they should also make appropriate investments in privacy and security.”
Yes, the world is changing constantly, with new standards in the Payment Card Industry (PCI) as well as the addition of new interconnected devices (otherwise known as the Internet of Things).
My question of “Can we stop Cybersecurity breaches?” is valid.
It seems that PCI as a standard has been unable to stop cybersecurity breaches, so what changes can we make in the future?
The problem with the PCI standard is that the specifics of how to actually protect computers are lacking. The standard does not recommend actual products. It states that pentesting should be performed, but does not say how. The assumption is that when one does a pentest (penetration test) it will find a variety of vulnerabilities, which will then be fixed. A pentest is to be done annually for companies with fewer than 20,000 transactions, so the obvious problem with this is the infrequent nature of a pentest.
Even an entity with more than 20,000 transactions (up to a million) should do pentests quarterly. In that case, if there is a pentest in January, one can still have new problems in March before the next pentest occurs in April.
So is the answer rolling pentests? In other words, constant vigilance, which is what Troy Leach recommended in his article as an explanation of what is new in the PCI DSS 3.0 compliance standard.
To me that means we are not going to catch a determined attack. We will always be behind the curve, so we need to find methods to detect breaches quickly and remove the attackers after they get in.
The key is the communication from the POS (Point of Sale) system to the credit card processor. The weakness has been the POS system itself.
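The point above, that the POS-to-processor path is what matters and that breaches have to be found quickly rather than waited for until the next pentest, can be turned into a continuous check. The following is an added example, not code from this post or from the Dark Reading article: it holds POS hosts to a processor-only egress rule and flags inbound sessions into the POS segment from anything but an assumed management host. The network ranges, processor endpoints, management host and firewall log lines are all constructed placeholders.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst port")

# Assumptions (placeholders, not from the post): the POS segment, the processor's
# gateway endpoints, and the one management host allowed inbound to terminals.
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
PROCESSOR_ALLOWLIST = {("203.0.113.10", 443), ("203.0.113.11", 443)}
MANAGEMENT_ALLOWLIST = {"10.99.0.5"}

# Constructed firewall log: "timestamp src_ip dst_ip dst_port proto action".
SAMPLE_LOG = """\
2015-03-02T10:01:05Z 10.20.0.15 203.0.113.10 443 tcp allow
2015-03-02T10:01:09Z 10.20.0.15 203.0.113.11 443 tcp allow
2015-03-02T10:02:44Z 10.20.0.22 198.51.100.77 8443 tcp allow
2015-03-02T10:03:10Z 10.20.0.22 203.0.113.10 443 tcp allow
2015-03-02T10:04:30Z 10.99.0.5 10.20.0.22 3389 tcp allow
2015-03-02T10:05:00Z 10.30.0.8 10.20.0.22 3389 tcp allow
2015-03-02T10:06:12Z 10.30.0.8 198.51.100.77 443 tcp allow
"""

def parse_line(line):
    ts, src, dst, port, _proto, _action = line.split()
    return Flow(ts, src, dst, int(port))

def in_pos(ip):
    return ipaddress.ip_address(ip) in POS_SEGMENT

def pos_anomalies(log_text):
    """Return (reason, flow) pairs: a POS host talking to anything but the
    processor, or a non-management host reaching into the POS segment."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if in_pos(f.src) and (f.dst, f.port) not in PROCESSOR_ALLOWLIST:
            findings.append(("unexpected egress", f))
        elif in_pos(f.dst) and not in_pos(f.src) and f.src not in MANAGEMENT_ALLOWLIST:
            findings.append(("unexpected inbound", f))
    return findings

def by_terminal(log_text):
    """Group findings by the POS host involved, so the analyst knows where to look first."""
    grouped = {}
    for reason, f in pos_anomalies(log_text):
        host = f.src if in_pos(f.src) else f.dst
        grouped.setdefault(host, []).append((reason, f.src, f.dst, f.port))
    return grouped
```

Run against the constructed log, only terminal 10.20.0.22 is reported: once for talking to a host that is not the processor, and once for being reached from a non-management host.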
We can’t stop breaches, especially the new ones, but we can find them and fix them after the breach; we need to focus on that.
so we can help you use the best tools for your situation.