Merchants and companies of all sizes accept and process a multitude of credit card payments. On the downside, this provides a treasure trove for cybercriminals, who go after the millions of cardholder records that are stored, processed and transmitted. The table below shows some of the most profitable breaches for the criminals that happened in the last five years.
| Period | Company | Breach | Cost to the company |
|---|---|---|---|
| March 24th - April 18th 2017 | Chipotle | POS systems in 2,250 restaurants were compromised | Fines based on the size of the breach and number of records compromised; liability for fraud resulting from the breach |
| September 2014 | Home Depot | 56 million credit card accounts were breached | Not disclosed |
| November 27th - December 15th 2013 | Target | 40 million credit and debit card accounts were breached | $252 million in damages |
| 2012 | Global Payments Inc. | 1.5 million card accounts were breached | $90 million in damages |
To keep credit and debit card data safe, the PCI Security Standards Council has developed the Payment Card Industry Data Security Standard (PCI DSS), which all companies and merchants that accept, process, store or transmit credit card information have to comply with. Taken together, the requirements they have to meet serve the following security goals.
- For building and maintaining a secure network, enterprises must install and maintain a firewall configuration to protect cardholder data.
- They must replace vendor default passwords with unique, strong system passwords and keep those passwords maintained and updated.
- Companies that store cardholder data must protect it against breaches, for example those leading to identity theft, by having appropriate security solutions in place.
- When transmitting cardholder data over open and public networks, the data must be encrypted to make it unreadable and unusable for system intruders.
- Organizations need to deploy and regularly update a comprehensive suite of security software such as anti-virus and malware protection.
- These organizations need to develop and maintain secure systems and applications.
- The number of authorized personnel with access to cardholder data should be limited to reduce the chances of a security breach.
- Access to user accounts should follow best practices, including password encryption, authorization, authentication, log-in time limits, etc.
- If data is hosted in an off-site datacenter, the datacenter provider has to limit the number of staff with access to the sensitive information as far as feasible. Furthermore, PCI compliant datacenters must have full monitoring to ensure a secure and PCI compliant hosting environment.
- All access to network resources and cardholder data must be tracked and monitored to keep cardholder data safe and secure at all times.
- Organizations need to regularly test their network’s security posture and effectiveness of their security controls.
- A comprehensive information security policy must be in place for risk analysis, operational security procedures, and other general administrative tasks.
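Several of the requirements above (protecting stored cardholder data, restricting who can see it, and monitoring access to it) come down in practice to knowing where full card numbers end up, application logs being a classic leak. The following is an added illustration, not Cymulate's code or anything from the original post: it finds Luhn-valid primary account numbers (PANs) in text and masks them to the first six and last four digits, the most PCI DSS allows to be displayed. The regex, the 13-19 digit length assumption, the function names and the sample log lines are all assumptions constructed for this example; the card numbers are the public test numbers of three card brands.

```python
"""Detect and mask primary account numbers (PANs) in text such as application logs.

Added example for the PCI DSS requirements on protecting stored cardholder data;
not Cymulate's code. Assumption: a PAN is a Luhn-valid run of 13-19 digits,
optionally separated by spaces or dashes. All sample data below is constructed.
"""
import re

# A candidate is 13-19 digits, each optionally followed by a space or dash,
# and not glued to further digits on either side (so longer IDs are skipped).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def _normalize(candidate: str) -> str:
    """Strip separators so only the digits remain."""
    return re.sub(r"[ -]", "", candidate)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right, sum, test mod 10."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits (the PCI DSS display maximum), mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return (raw_match, digits) for every Luhn-valid candidate found in the text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _normalize(m.group(0))
        if luhn_valid(digits):
            hits.append((m.group(0), digits))
    return hits


def redact(text: str) -> str:
    """Replace each Luhn-valid PAN with its masked form; other digit runs are left alone."""
    def _sub(m):
        digits = _normalize(m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_sub, text)


def scan_log(lines) -> list:
    """Return (line_number, pan_count) for every line that contains a PAN."""
    findings = []
    for n, line in enumerate(lines, 1):
        pans = find_pans(line)
        if pans:
            findings.append((n, len(pans)))
    return findings


# Constructed sample log. The 16-digit order id on line 1 is not Luhn-valid and
# must be left untouched; lines 2-4 each leak one PAN in a different layout.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z INFO checkout ok order=1234567890123456 amount=19.99",
    "2024-05-01T10:00:02Z DEBUG gateway request pan=4111111111111111 exp=12/26",
    '2024-05-01T10:00:03Z ERROR auth declined card="5555 5555 5555 4444" code=05',
    "2024-05-01T10:00:04Z INFO refund ok ref=R-20240501-0003 amex=378282246310005",
]

if __name__ == "__main__":
    for n, count in scan_log(SAMPLE_LOG):
        print(f"line {n}: {count} PAN(s) -> {redact(SAMPLE_LOG[n - 1])}")
```

Running the module prints the three offending lines with their PANs masked while leaving the order id alone. The Luhn filter is what keeps the false-positive rate tolerable on real logs; a digit-length regex on its own will flag timestamps, order numbers and tracking ids, so a scanner like this is best run as a detection control on log pipelines and data stores, with redaction applied before the data is written rather than after.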
But even when an organization follows the checklist above and is PCI compliant, it might still be victimized by cybercrooks as the Target breach of 2013 illustrates. Having multiple layers of defense and a secure data protection model in place that combines physical and virtual security methods is essential, but not enough.
However, organizations can do even better - they can use Cymulate's plug & play assessment platform to test how vulnerable their network and credit card data are to cyberattacks. Once installed, it performs offensive and defensive actions to expose critical vulnerabilities. More specifically, the platform simulates multi-vector cyberattacks from an attacker's perspective. This enables the PCI compliant organization to take preventive actions before an actual attacker has a chance to exploit its weaknesses and get away with its valuable credit card data.
To help all enterprises that must be PCI compliant, Cymulate has made the testing procedure fast and easy to perform - on demand, anytime and anywhere. Instead of using the platform for an annual risk assessment only, Cymulate recommends conducting more frequent assessments (at least once a month), depending on the organization's capabilities and resources.
Want to find out if your organization would be able to withstand a cyberattack aimed at your credit card data? Do you want to know if your security posture complies with the PCI Data Security Standard (PCI DSS)? If yes, sign up for our FREE assessment without any obligation. See for yourself how Cymulate's automated platform simulates continuous attacks across different vectors to locate vulnerabilities, allowing you to mitigate issues so you can remain PCI compliant.