[BreachExchange] Business needs to reduce cyber threat to payment card data

[Destry Winant]

http://www.computerweekly.com/news/450433346/Business-needs-to-reduce-cyber-threat-to-payment-card-data

In the retail sector, almost all of the data breaches involve some
kind of compromise to cardholder data, which is a trend that is
expected to increase.

Despite investment in security and compliance, 2018 shows no signs of
high-profile hacks slowing down, with most security suppliers
predicting the ransomware attacks that dominated 2017 will continue,
driven by an increase in the providers of ransomware as a service
(RaaS).

This cyber criminal business model is expected to increase the
potential for even non-technical attackers to target poorly secured
organisations and consumers, which means businesses will need to step
up their cyber defences more than ever before.

However, this rising threat can be mitigated with the introduction of
controls required to secure this data under the Payment Card Industry
Data Security Standard (PCI DSS), according to secure payments firm
PCI Pal.

Breached organisations demonstrated lower compliance with 10 out of
the 12 PCI DSS key requirements, according to the Verizon 2017 payment
security report. In August 2017, Gabriel Leperlier, head of
continental europe advisory services GRC/PCI at Verizon, told Computer
Weekly that while compliance does not guarantee an organisation will
not be breached, the data shows that failure to comply almost
certainly means they will be breached.

“Businesses may not be able to reduce the number of incoming threats
but, by ensuring PCI DSS compliance, they can certainly reduce the
success rate,” said James Barham, chief commercial officer at PCI Pal.

To date, he said, the vast majority of security investment has focused
firmly on keeping cyber criminals out, but that only works to a
certain extent. “Because there is much greater impetus for the hackers
to devise new methodologies to gain access and the security industry
at large is only ever playing catch up, but we expect 2018 to see a
step change in the mentality of data protection from trying to keep
people out, to simply ensuring there is no data for them to take,” he
said.

If businesses can remove the valuable data from their environments,
said Barham, it no longer matters if there is a breach. “De-scoping
PCI data will increasingly become the method of choice for businesses
augmenting their intrusion prevention positions next year,” he said.

Businesses typically reduce the scope of their PCI DSS compliance by
reducing or eliminating the cardholder data they store and switching
to third-party payment service providers.

Similar strategies can be used to reduce the likelihood of failure to
comply with the EU’s General Data Protection Regulation (GDPR) after
the compliance deadline of 25 May 2018.

Due to the significant financial penalties that will be imposed in the
event of a breach, non-compliance will not be an option for the vast
majority of businesses,” said Barham.

Another reason he believes businesses are likely to de-scope is that
another round of changes to the PCI DSS is scheduled for July 2018.

“Each of the coming changes will require changes being made to the
environment. The simpler route may well be to de-scope the business
altogether from PCI, ensuring compliance and reducing the threat from
would-be hackers in one step.”