Retailers, like Target, that accept bank cards are required to adhere to a strict set of standards for protecting cardholder data: the Payment Card Industry Data Security Standard (PCI DSS). It has been frequently asserted that there has never been a data breach in which the victim was found to be PCI DSS compliant at the time of the breach.
Yet we have had significant data breaches in card payment systems, and the recent breach of the point-of-sale (POS) system at Target department stores may be the largest ever. While there has been rampant speculation, we really do not know exactly what happened in the Target data breach yet. One thing is certain, however: Target must have passed its last compliance review in order to be accepting bank cards.
If a company can be compliant and still be breached, what good are the standards?
We do not know whether the Target data breach will reveal flaws in the PCI standards, but the larger issue here is that PCI compliance reviews provide a snapshot at a point in time, while data protection is a never-ending process. The bad guys don't sit back and say "Gee, that business is PCI compliant, so we will stop trying." They are relentless.
The Target data breach is stunning because of the size of the organization and the amount of data compromised, covering up to 40 million customers. POS data breaches generally occur in much smaller organizations, especially "mom and pop" stores that can't afford a large IT staff of their own. They may even still view POS systems as essentially cash registers rather than networked computers, which of course they are.
In fact, the most common reason a retail POS system is breached is that the business did not even add the most basic protection of a personal firewall and antivirus scanner. Every device connected to your network requires these first lines of defense.
Given the consequences of a breach, a business should work to be compliant and secure at all times, regardless of the review requirements. In fact, the business needs to view data security broadly, as part of its IT security requirements and endpoint management, and not just as a compliance process.
If that was the case in the Target data breach, it could have been prevented if they were using Comodo's Endpoint Management System with antivirus using default/deny technology. All program files that cannot be verified as safe are run in a secure virtual operating system, where they cannot harm the rest of the computer.
In addition, businesses would be wise to increase the frequency of compliance and threat detection scanning beyond the PCI requirements. Comodo offers two great services that provide PCI compliance scanning for your web site: HackerGuardian and Web Inspector.
HackerGuardian is an on-demand vulnerability assessment scanning solution that enables merchants and service providers to achieve PCI scan compliance. After each scan, you receive a comprehensive vulnerability report detailing any security issues, with remediation advice and advisories to help fix them.
Web Inspector provides the same PCI scanning and much more. It scans your site daily for malware and continuously monitors for other threats. Importantly, Web Inspector monitors blacklist sites that list compromised web sites. If you are listed, for any reason, on such a site, search engines will block your site. You lose customers because they can't find you.