PCI standards provide a great starting point, but can be difficult to understand and implement
At SecureState, we recently blogged about Managed Security Service Providers and what happens when they don’t protect companies as well as they are expected to. One thing I find surprising is that similar issues, particularly relating to data breaches and Payment Card Industry (PCI) compliance, date back nearly to the time that the PCI Data Security Standard (DSS) was first enacted. In 2009, a group of small businesses filed a lawsuit claiming that the two companies hired to handle the Point-of-Sale (POS) operating systems provided software and services that were not implemented in a compliant manner, which resulted in theft of cardholder data (CHD).
Groundhog Day, but with malicious software
Unfortunately, I have not found a single instance (yet) of a follow-up to this case detailing the ruling, settlement or anything else that came of it. From what I can tell, the situation is not unlike many that we have seen during investigations as a PCI Forensic Investigator (PFI) company. In fact, as more information comes to light, it seems the most common hypothesis for the recent Target breach is that RAM-scraping malware was present on processing servers: this technique has been around at least since that 2009 lawsuit, if not before, and we are still seeing new iterations of it today. The small businesses reported the presence of a key logger and CHD being scraped from their systems as well.
Large companies such as Target and Neiman Marcus should have the resources and people with the know-how to thoroughly understand PCI guidelines and their application. The plaintiffs in the aforementioned case, however, are small business owners – what can someone whose specialty is running a restaurant or shop do to stay on top of their compliance and security when budgets are tight and employees are in short supply?
Heading off lawsuits with due diligence
Even without a dedicated staff to handle PCI compliance and security, merchants have ways to cover themselves with respect to third-party companies that handle their payment applications and hardware, in addition to improving their general security.
Check PCI approval lists
The Payment Card Industry provides a list of all approved vendors, payment applications, PIN entry devices and more. All of this information is readily available to the public and searchable so that you can check on the software or providers that are looking for your business. Take note of specific application numbers: it is possible for ZYX Software version 1.5 to be compliant, but version 2.0 to not be verified.
Do they offer liability insurance?
Would your vendor cover the cost of having a PFI or other forensics investigation? What about court costs related to lost or stolen data, or the expenses for having another company come in to remediate or contain a data breach? These are not necessary, but can help to provide extra coverage in the event of a breach. Keep in mind that, like any insurance, you may not be as well covered as you think – but you can have it reviewed.
In the lawsuit discussed earlier, the applications in question had been validated as compliant with the Payment Application Data Security Standard (PA-DSS), but their installation in the environment was incorrect.
We have no way of knowing right now what the causes of the recent Target and Neiman Marcus data breaches are. They do, however, raise the same questions: does compliance with PCI standards mean that everything is secure against attacks? If an application is compliant, is that enough? It doesn’t seem to be clear whether or not a company can completely “pass the buck” to the developers and maintainers of its software and systems, but it could prove to be an interesting aspect of the recent breaches as the investigations continue.