Multi-Unit Franchisee Magazine Issue II, 2012 | Page 70
Security
By Gary Glover
Are You Leaking?
Securing customers’ credit card data
The cost of credit card data compromise has risen
nearly 70 percent since 2010 (Cost of Cyber Crime
Study, 2011). Often, payment card information found
by criminals is electronically just “lying around,” waiting to be discovered.
In a recent report released by SecurityMetrics (Merchant Data
Security Report, 2011), 71 percent of the 2,700 merchant systems
scanned had stored unencrypted card numbers. In all, more than
378 million card numbers were found on the systems tested. That
is more than 12 times the total number of sensitive records publicly reported compromised during 2011.
The question you must consider is: Do you have unprotected
card data on your franchise point-of-sale or back office systems
waiting to be harvested and sold for fraudulent purposes?
As a Payment Card Industry (PCI) Qualified Security Assessor
(QSA), I conduct many onsite security assessments and continually
see problems that result in insecure data storage—even on very
sophisticated merchant or service provider systems. Because of this
continuing trend, the PCI Security Standards Council has clarified
(in version 2.0 of the PCI Data Security Standard, or PCI DSS)
that data discovery methodologies should be used at least annually.
The first step to conquering data loss is to know for sure where
card data is being used and if (and how) it’s being stored. This
can be especially important in franchise environments because
of the common practice of duplicating POS systems across many
merchant locations. If it’s bad at one location, it’s bad everywhere,
which increases the risk of card data loss or exposure.
What should I do?
The first thing is to get a good idea of where card data could be
lurking. Just like flotsam in a river gets caught in eddies, card data
can potentially be deposited on systems that may or may not be
directly involved in POS transactions. During the data discovery
phase, knowing where to look for potential data eddies is half
the battle.
The other half is finding, implementing, and using a good data
discovery tool that can identify card data in its various forms and
alert you to its location. Tools including CardRecon (GroundLabs),
Spider (Cornell University), and PANscan (SecurityMetrics) can
be used to search computer systems for data. Don’t forget to run
these search tools on your e-commerce web servers, old systems
historically dealing with card data, and in departments such as accounting, sales, and marketing.
Once you find unsecured card data, you need to figure out what
process caused it to be stored and determine if that process can
be fixed to avoid future problems. You then must securely remove
the unencrypted card data using a secure removal or wipe process.
(Hint: Don’t just use the delete key. Deleting a file only removes its directory entry; the card numbers stay on the disk until that space is overwritten.)
Now that your processes and your systems are clean, you need
a program to keep them that way. Clear text (unencrypted) credit
card data has a way of cropping up again where you don’t expect
it to be. You must define and follow a process of periodic data discovery cycles (at least annually) to recheck systems and make sure
they remain free of unprotected card information.
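To show what a discovery pass actually does, the following is an example added to this page; it is not the article’s code and not any of the tools named above. It searches a directory tree for digit runs in the shapes card numbers take in logs and spreadsheets, keeps only those that pass the Luhn check, masks them in the report, and then performs the overwrite-and-unlink cleanup and the re-scan that the preceding paragraphs describe. The directory layout, file names and card numbers are constructed sample data; the two PANs are well-known published test numbers.

```python
"""Added example, not from the article and not any of the tools it names:
a minimal PAN discovery scanner with Luhn filtering, masked reporting and
an overwrite-then-unlink cleanup. All sample data below is constructed."""
import os
import re
import shutil
import tempfile

# Candidate PAN: 13 to 19 digits, each optionally followed by one space or
# dash, so "4111 1111 1111 1111" and "4111-1111-1111-1111" match as well as
# the plain form. The lookarounds stop a longer digit run (an order number,
# a timestamp) from yielding a 16-digit substring.
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

def luhn_ok(digits):
    """Mod-10 (Luhn) check that every genuine PAN passes; it is the main
    false-positive filter, rejecting most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(digits):
    """Keep first six and last four digits (the PCI DSS display rule), so
    the scan report is not itself a clear-text store of card numbers."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text):
    """Return (offset, digits) for every Luhn-valid candidate in text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append((m.start(), digits))
    return hits

def scan_tree(root):
    """Scan every file under root, returning (path, offset, masked PAN).
    Bytes are decoded as latin-1 so nothing fails to decode; binary files
    (database pages, crash dumps) are scanned too, since PANs often sit in
    them as plain ASCII."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                text = f.read().decode("latin-1")
            for offset, digits in find_pans(text):
                hits.append((path, offset, mask(digits)))
    return hits

def overwrite_and_unlink(path):
    """Overwrite the bytes, then unlink: delete alone only drops the
    directory entry. Caveat: on SSDs, journaled or copy-on-write
    filesystems, and anything already backed up, an in-place overwrite is
    no guarantee; fix the process that wrote the data, and sanitise the
    media itself when it is retired."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        f.write(os.urandom(size))
        f.flush()
        os.fsync(f.fileno())
    os.remove(path)

# Constructed sample data: two files holding clear-text PANs (published
# test numbers that pass Luhn) and one "data eddy" of look-alike digits.
SAMPLE_FILES = {
    "pos/receipts.log": "2012-05-01 sale 4111 1111 1111 1111 exp 0914 $42.00\n",
    "accounting/refunds.csv": "id,pan,amount\n1001,378282246310005,19.95\n",
    "marketing/leads.txt": "order 1234567890123456 ref 20120501123045\n",
}

def run_demo():
    """Discover, wipe, re-scan: returns the masked report (paths relative
    to the scan root) and the number of hits left after the wipe."""
    root = tempfile.mkdtemp(prefix="pan-scan-")
    for rel, content in SAMPLE_FILES.items():
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as f:
            f.write(content)
    before = scan_tree(root)
    report = sorted((os.path.relpath(p, root).replace(os.sep, "/"), off, m)
                    for p, off, m in before)
    for path in {p for p, _off, _m in before}:
        overwrite_and_unlink(path)
    remaining = len(scan_tree(root))
    shutil.rmtree(root, ignore_errors=True)
    return report, remaining

if __name__ == "__main__":
    for rel, offset, masked in run_demo()[0]:
        print(f"{rel} @ {offset}: {masked}")
```

Point a scanner like this at the systems the article lists (POS terminals, e-commerce web servers, retired systems, and the accounting, sales and marketing shares). The Luhn check is what keeps an order ID or timestamp from showing up as a hit, and the masking matters because an unmasked scan report would itself be clear-text card data that then needs protecting. Keep the overwrite caveat in mind: on SSDs and journaled filesystems the only reliable fix is to stop the process that writes the data in the first place, which is why the re-scan after cleanup is part of the cycle.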
Security tips from a QSA
Good data discovery and secure data flow practices are a very important part of your overall PCI DSS compliance effort. Here are
more tips that may help:
• Avoid the temptation to use a single computer for both POS
transactions and other office work. This is especially common in
smaller franchise locations where there is a desire to reduce cost.
It is virtually impossible to be PCI DSS compliant and take POS
card transactions on a system with multiple uses (e-mail, browsing, document generation, etc.). Separate these functions and segment the network.
• Be thorough when selecting an IT infrastructure/support
partner. I see many cases where support partners are weak in data
security experience (PCI DSS compliance) and replicate bad architectures throughout a franchise system. They often attempt to support franchises and single merchants using the same technologies.
• Put someone in charge of overall security and PCI DSS compliance at your franchise, and give them the power to get things done!
• The PCI DSS requirements are a fantastic collection of data
security guidelines based on industry best practices. Get familiar
with the standards and use them.
• Check out “The Prioritized Approach to PCI DSS Compliance” on the PCI Security Standards Council website. It is a
great way to approach your compliance efforts. (https://www.pcisecuritystandards.org/documents/Prioritized_Approach_V2.0.pdf)
• Keep your stick on the ice, and don’t give up!
Gary Glover is director of security assessment at SecurityMetrics and holds QSA, PA-QSA, CISSP, and CISA
certifications. He began his career