[BreachExchange] Securing Payment Card Data: Three Actions to Take Now

Audrey McNeil audrey at riskbasedsecurity.com
Fri Mar 11 16:54:30 EST 2016


http://www.tmcnet.com/sectors/security/articles/418711-securing-payment-card-data-three-actions-take-now.htm

In the retail world, there is often a misguided mindset of “fire and
forget” when it comes to payment data security. The PCI DSS and EMV boxes
have been checked, so it’s time to sit back and relax in total security
bliss – right?


Not quite.

While your PCI compliance assessments are an important step in your
company’s overall security strategy, it’s wrong to assume that true payment
security is something you achieve once and forever. No single validation,
update or implementation can guarantee that – not even EMV. Rather, payment
security is a constantly moving target that requires steady attention and
action in order to keep your payment processing environment protected.
Hackers and their malware are always evolving and adapting, and you must do
the same if you want to avoid falling victim to one of them.

Don’t get me wrong, EMV is certainly a welcome addition to the payments
landscape; however, it is not the end-all be-all security savior that it
has been described to be. EMV should be treated as one piece of your much
larger payment security puzzle. In fact, it is more of a card-authorization
tool than an actual card-data security tool. Be wary of those who oversell
EMV beyond what it is actually capable of.

Instead, consider three ways to reduce your risk and better secure
consumers’ payment card data:

Use a layered approach to payment security.

Merchants should create an environment where security tools are layered for
maximum coverage. Each tool serves a specific purpose in shrinking your
card data environment – lessening the scope of your PCI DSS assessments and
lowering the risk of experiencing a breach. When used together, they become
a much more versatile and stronger security toolbox.

EMV: People often misunderstand the purpose of EMV chip cards. EMV is a
microchip placed on a debit or credit card that authenticates and validates
the card during the transaction. Its primary purpose is to prevent the use
of counterfeit cards, which is only one of the many payment data security
concerns for merchants. This is why EMV is a very limited security measure
on its own, and should always be combined with other solutions, such as
P2PE and tokenization.

Point-to-Point Encryption (P2PE): For P2PE to be effective, you need a
solution that encrypts all cardholder data (CHD) at the point it first
interacts with a payment device, preventing card data from ever entering
your point of sale (POS) or property management system (PMS) in unencrypted
form. This reduces the scope of your PCI DSS assessments and eliminates a
major vulnerability.

Tokenization: To simplify PCI compliance and assure that CHD is never
stored in your payment systems, look for a tokenization solution that
replaces sensitive card data with a random, unique, alphanumeric value.
Make certain that these tokens are not mathematically derived and that they
have no value if lost or stolen. With the one-two punch of P2PE and
tokenization, merchants can free themselves from the burden of storing,
processing, or transmitting sensitive CHD.
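As an added illustration of the tokenization properties described above (random, unique, alphanumeric, not mathematically derived), and not code from the original article: a minimal in-memory token vault in Python shown beside the hash-derived anti-pattern. The `TokenVault` name and the 16-digit PAN used in the demo are constructed for this example; a production vault lives with the processor, outside the merchant's systems.

```python
import hashlib
import secrets
import string

TOKEN_ALPHABET = string.ascii_letters + string.digits  # alphanumeric only
TOKEN_LENGTH = 22  # 22 chars of a 62-symbol alphabet is roughly 131 bits of entropy

def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check on a card number; used only to reject malformed input."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def derived_token(pan: str) -> str:
    """Anti-pattern: a token that is a mathematical function of the PAN.
    Anyone holding the PAN can recompute it, and equal PANs always yield
    equal tokens, so the value still carries information about the card."""
    return hashlib.sha256(pan.encode()).hexdigest()[:16]

def masked(pan: str) -> str:
    """Display form a merchant may keep beside the token: last four digits only."""
    return "*" * (len(pan) - 4) + pan[-4:]

class TokenVault:
    """Random tokenization: the token <-> PAN mapping exists only inside the vault.
    A stolen token is useless without access to the vault (constructed example)."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a plausible PAN")
        while True:
            token = "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(TOKEN_LENGTH))
            if token not in self._pan_by_token:   # the vault guarantees uniqueness
                break
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str):
        """Only the vault can reverse a token; returns None for unknown tokens."""
        return self._pan_by_token.get(token)
```

Tokenizing the same PAN twice yields two unrelated tokens, whereas `derived_token` is identical every time and recomputable by anyone who knows the PAN.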

This layered security approach helps you move into a security framework
where card data doesn’t reside in your payment processing environment. This
makes it incredibly time-consuming and inconvenient (if not nearly
impossible) for hackers to steal this highly sought-after data.

Regularly check the tools and operations within your environment.

In order to ensure that your payment system is as secure as possible, you
should always follow these guidelines:

First and foremost, you should carefully select high-quality payment
security solutions and install them properly within your environment.

Once installed and running, these solutions should be evaluated frequently.
You need to get into the habit of regularly monitoring the solutions and
operations within your own environment and updating them as needed to
ensure that they are secure and PCI compliant. One forgotten server, poorly
secured entry point or weak password can be all hackers need to wiggle their
way in and help themselves to a buffet of all-you-can-steal card data before
you even know it happened.

Be sure that the individual(s) you are relying on to maintain the integrity
of your operating environment have the ability and clearance to make
informed decisions rapidly when necessary.

Make sure all tools are being implemented and used according to PA-DSS
implementation guides.

Refer to the PA-DSS (Payment Application Data Security Standard)
implementation guides to ensure that you install new solutions or update
existing ones correctly. You should treat these implementation guides as
the “PCI gospel,” as they provide detailed information about how your
business can implement a payment application securely and accurately, as
well as your responsibilities for maintaining security in order to be PCI
compliant with a particular security technology.

Here’s what the PCI DSS has to say about ensuring a compliant environment:

“Use of a PA-DSS compliant application by itself does not make an entity
PCI DSS compliant, since that application must be implemented into a PCI
DSS compliant environment and according to the PA-DSS Implementation Guide
provided by the payment application vendor (per PA-DSS Requirement 13.1).”

Securely implementing payment applications is an important aspect of your
PCI DSS compliance. And, although we recommend taking further steps to
maintain an environment that provides security above and beyond compliance
standards, being compliant is the minimum standard to meet prior to
exceeding it.

Your goal is to put in place every roadblock possible to keep cyber
criminals from running away with CHD. Unfortunately, the fortification that
works perfectly today may develop a chink in its armor as time goes on if
you are not performing regular checks on your environment. With today’s
hackers being organized and funded by nation-states, false nation-states
and even terrorist organizations, maintaining the security of your payment
processing environment isn’t just harder – it’s more important than ever
before.

Keep in mind that security is not a check-box item that you set and forget.
It’s an ongoing process that requires diligent, detailed attention.
Partnering with like-minded solution providers will help you keep up to
date with compliance requirements, address the latest threats, seal off any
new attack vectors, and keep your customers’ sensitive payment data safe.
You have put a lot of time, money, and effort into establishing your brand;
investing adequate time and resources into a robust security posture is how
you safeguard those efforts and capitalize on them for many years to come.

As always, be smart and vigilant.