Posted by: Arian Eigen Heald
Data Breaches, information security, PCI DSS
Word is rampant on blogs and security portals that another processor breach (in addition to Heartland) has occurred. Banks are being contacted by Visa and MasterCard to replace credit cards as well as ATM cards.
The latest, from IdentityTheftBlog.info:
Thanks to a more recent credit union notice that Jai Vijayan of Computerworld uncovered from the Alabama Credit Union, we now know that this is not just credit cards that have been affected, but that the breach also appears to involve “long lists” of compromised ATM/debit cards. Visa and MasterCard remain mute about the source of the breach, although once the confirmation was found, Visa confirmed to Computerworld that a processor “experienced a compromise of payment card account information from its systems,” and MasterCard’s statement referred to the processor as being in the U.S.
The fact that the breach includes ATM cards is scary and disheartening. The fact that another large processor has been breached tells me Heartland and Hannaford were not anomalies – they represent the tip of the iceberg. Cybercriminals have developed a way to capture streaming card data that’s being transmitted unencrypted on internal networks.
We need to start encrypting card data at every point in the transaction process, whether or not it’s running across internal networks or sitting in databases.
Next, let’s start monitoring outbound transmissions on our firewalls and get more granular about firewall rules. Servers sitting in stores don’t need to be able to access the Internet. Or set up critical servers in a group and monitor ALL their outbound and inbound transmissions.
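Here is what the "monitor ALL their outbound transmissions" advice looks like in practice, as an added example that is not part of the original post: a small Python script that reads firewall egress logs for a defined group of store servers and flags every connection that is not on the group's allow-list. The server addresses, the payment gateway address, the log collector and the log lines themselves are all constructed for the example; the log format is a simplified iptables-style LOG line.

```python
"""Egress monitoring for a group of store servers (constructed example).

Store servers should only ever talk to a handful of known peers. Anything
else leaving them is worth an alert, regardless of port or protocol.
"""
import re
from collections import defaultdict

# Constructed group of store POS servers (hypothetical addresses).
STORE_SERVERS = {"10.20.1.10", "10.20.1.11"}

# Constructed allow-list of (destination, destination port) pairs.
ALLOWED_EGRESS = {
    ("203.0.113.50", 443),  # hypothetical payment processor gateway
    ("10.0.0.5", 514),      # hypothetical internal syslog collector
}

# Constructed firewall log lines, simplified iptables LOG format.
# Lines 3 and 4 show a store server reaching an unknown host on FTP and HTTPS;
# line 5 is from a host outside the monitored group and is ignored.
SAMPLE_LOG = """\
Mar 02 10:01:12 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.20.1.10 DST=203.0.113.50 PROTO=TCP SPT=51233 DPT=443
Mar 02 10:01:15 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.20.1.11 DST=10.0.0.5 PROTO=UDP SPT=40000 DPT=514
Mar 02 10:02:40 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.20.1.10 DST=198.51.100.23 PROTO=TCP SPT=51240 DPT=21
Mar 02 10:02:41 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.20.1.10 DST=198.51.100.23 PROTO=TCP SPT=51241 DPT=443
Mar 02 10:03:00 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.20.2.7 DST=198.51.100.23 PROTO=TCP SPT=51300 DPT=80
"""

# Pull source, destination, protocol and destination port out of one line.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict for a TCP/UDP egress log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "dpt": int(m.group("dpt")),
    }


def find_violations(log_text, servers=STORE_SERVERS, allowed=ALLOWED_EGRESS):
    """Return every parsed record where a monitored server reached a non-allowed peer."""
    violations = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src"] not in servers:
            continue  # unparsable line, or a host we are not monitoring here
        if (rec["dst"], rec["dpt"]) not in allowed:
            violations.append(rec)
    return violations


def summarize(violations):
    """Collapse violations to one count per (source, destination) so an operator
    sees each unexpected peer once rather than once per connection attempt."""
    counts = defaultdict(int)
    for v in violations:
        counts[(v["src"], v["dst"])] += 1
    return dict(counts)


if __name__ == "__main__":
    bad = find_violations(SAMPLE_LOG)
    for (src, dst), n in sorted(summarize(bad).items()):
        print(f"ALERT store server {src} contacted non-allowed host {dst} ({n} connections)")
```

The allow-list is deliberately keyed on destination and port rather than on port alone: the fourth sample line uses 443, which the store servers are permitted to use toward the gateway, but toward an unknown host it is still flagged. That is the "get more granular" part; a rule that merely allows outbound 443 would have let it through silently.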
Wireless? OK, you say you don’t have them, but what’s to stop an employee from plugging one in? Rogue access point detectors should alert and shut down the port.
How about physical security? Servers installed in stores are the weakest link – I’ve found servers in closets, break rooms, and once, in the Gift Wrap department.
It’s much more expensive to retrofit that than to install secure systems – but we are now paying the price.
One of my Rules of Thumb: You can pay now, or you can pay later, but if you pay later, you will always pay more.
I guess we’re paying more, don’t you think?