Welcome!

Blog Feed Post

The Grinch Who Stole Christmas for Target’s Brand and Customers

creditcard

40 million card numbers stolen. Will your firm be the next target?

News broke last week that a major retailer was the victim of a massive theft of customer credit card data, in what is becoming an all too common cadence of data breaches.  Thieves made off with not just the credit card numbers, but also the CVV and expiration dates.  If you listen closely, you can probably hear the machines printing up counterfeit cards.  At this point there has been no precise confirmation of the attack vector used to collect the data – and the gory details may never be known, absent some government action and FOIA request.  But in light of what is likely one of the biggest data breaches in history it makes sense to reflect on some of the Payment Card Industry’s (PCI) best practices for protecting customer data.  PCI is more than just compliance but should be viewed as a catalyst to improve overall network defense and data protection.   In this first post we cover high-level PCI & PII practices that can make a difference- in subsequent posts we will decompose into more detail into how the Target Breach could have been prevented.

Protecting the Brand and the Business

The fallout for Target will surely be in the millions of dollars going beyond fines and reimbursements to consumers but to the damage done to the Target brand. Shoppers entrusted their confidence in Target’s information security practices. While Target is doing a good job of notifying customers of the steps they can take to protect their credit ratings, I have seen several shoppers thinking twice about using their credit cards while doing last-minute Christmas shopping — not just at Target but in other retailers and other industries. Undoubtedly customers are more wary than ever to give out credit card data unless they see that “good house keeping” seal of approval that a merchant has tested their POS and back end systems to the best of their ability. This mistrust will also spill over into e-commerce where consumers where already wary of giving out personal data.

PCI Tools for Credit Card Security

Just because a retailer is PCI compliant, that doesn’t mean they’re 100% secure.  But maintaining PCI compliance will reduce the likelihood of data theft – make it hard enough for an attacker and they will hopefully move on to a more vulnerable target.  Unfortunately the scale of compliance can be daunting for many organizations.  Considering the size of last week’s theft – some 40 million account numbers compromised – it’s clear that high-capacity, high-volume solutions are needed.  Many existing solutions haven’t kept pace with rate of technology changes, leading to implementers being overwhelmed attempting to rip and replace as they move more of their businesses online.

cash register

Remediation for legacy technologies can be challenging


There are six milestones in the Prioritized Approach to Pursue PCI DSS Compliance.  These are necessary but not sufficient for security.  Looking at these milestones, it’s clear that the Gateway Pattern can help a retailer (or anyone processing payment card or any other sensitive data) achieve compliance.  Furthermore, a gateway can allow faster remediation of legacy systems and applications because it can be inserted into the application stack without significant modification to these existing applications.  When new best practices are identified, they can be implemented quickly as well, without being mired in the bureaucracy and expense of custom implementations.  This is essential as companies are moving to the cloud for part or all of their transactions.  Here are some pointers on how a service gateway can shorten the path to PCI DSS compliance:

  • First, remove (i.e. redact) sensitive authentication data and limit data retention.  Thieves can’t steal what isn’t there.  Card verification numbers, PINs, and magstripe data tracks are not to be stored, as those will enable unauthorized use in more locations via card not present and ATM use.  With the increasing dependence on web services for transmitting data across systems and providers, the gateway pattern can help fulfill this requirement by redacting internal fields within a data object (e.g. JSON or XML), ensuring that it isn’t persisted or passed downstream to any application that doesn’t require it.
  • Second, protect the perimeter, internal, and wireless networks.  This becomes much more challenging in today’s distributed environments.  Many payment processing systems use private networks and firewalls to prevent unauthorized access.  However, card readers and cash registers are by necessity at the edge, publicly accessible – once a device inside the trusted network is compromised, it can be leveraged to gain additional access.  Going a step further, application-specific firewalls or gateways can provide additional network security, which feeds into the next requirement -
  • Third, secure payment card applications.  Application level security creates an additional internal perimeter to protect against larger-scale data breaches.  An application-specific firewall or gateway can provide an additional layer of security that protects against both external and internal attacks.  A content attack prevention policy, for example, can limit the spread of an attack that comes from a single compromised system.  By monitoring inbound traffic — even from trusted systems — a gateway can help to prevent a content attack such as a code injection masquerading as a valid call from a compromised payment system to a back-end web service or API.
  • Fourth, monitor and control access to your systems.  Entire books can (and have) been written on this topic, but I’ll highlight a few key benefits of a gateway pattern.  First, a multi-tenant gateway allows an organization to separate responsibilities by job function, meaning that a single person doesn’t need to be granted administrative access to every service.  Additional logging capabilities provided by the gateway can aid in early detection of malicious activity, alerting to suspicious traffic or other patterns that warrant attention.  The gateway can also securely sign the logs to ensure that they haven’t been tampered with.
  • Fifth, protect stored cardholder data.  This goes deeper than simply encrypting the volume where the data is stored.  With the move to cloud storage, data is stored in numerous locations – in replicas and application caches in addition to primary storage.  Best practices suggest using tokenization or record-level encryption to protect cardholder data.  For the credit card numbers themselves, tokenization provides an added benefit of a secure central vault that contains the mapping between card numbers and tokens that can safely be passed between applications.  Randomized tokens have no mathematical relationship to the original cardholder data, so systems that only access tokens are effectively removed from audit scope.  This means that the addition of the gateway layer actually reduces audit complexity and cost!
  • Finally, finalize remaining compliance efforts and ensure that controls are in place, including ongoing verification and maintenance of compliance posture.  This is where the gateway pattern (particularly when it includes tokenization) really shines — by attesting that downstream systems and services never touch cardholder data, the retailer can dramatically reduce the scope of work to be done.  Audit and verification costs time and money (best practices include using an outside specialist), so reduction in scope means less complexity and therefore much less cost.  In addition to the insurance against potential costs from a data breach, scope reduction can save millions of actual dollars in audit.

Summary

Thieves are getting savvy with their attempts to gather cardholder data on all fronts.  Attacks on retailers and banks, while difficult to pull off, present potentially enormous return on investment.  If successful, they also put a tremendous liability on any organization that doesn’t adequately protect their data.  Maintaining customer trust and brand reputation means being a good custodian of data – not just credit cards, but also names, email addresses, and any other personal information.  Gaining and maintaining PCI compliance is a good first step in protecting customer data, and with it the corporate brand.  Using best practices and tools to do so can accelerate the compliance process and reduce the overall cost of staying compliant.  A couple of resources that can help take the next step in using tokenization for PCI compliance:  a Tokenization Buyer’s Guide, and a QSA Security Assessor’s guide that explains how using a gateway for tokenization helps to remove systems from audit scope.

The post The Grinch Who Stole Christmas for Target’s Brand and Customers appeared first on Application Security.

Read the original blog entry...

More Stories By Application Security

This blog references our expert posts on application and web services security.

Latest Stories
SYS-CON Events announced today that Evatronix will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Evatronix SA offers comprehensive solutions in the design and implementation of electronic systems, in CAD / CAM deployment, and also is a designer and manufacturer of advanced 3D scanners for professional applications.
SYS-CON Events announced today that Synametrics Technologies will exhibit at SYS-CON's 22nd International Cloud Expo®, which will take place on June 5-7, 2018, at the Javits Center in New York, NY. Synametrics Technologies is a privately held company based in Plainsboro, New Jersey that has been providing solutions for the developer community since 1997. Based on the success of its initial product offerings such as WinSQL, Xeams, SynaMan and Syncrify, Synametrics continues to create and hone inn...
As many know, the first generation of Cloud Management Platform (CMP) solutions were designed for managing virtual infrastructure (IaaS) and traditional applications. But that's no longer enough to satisfy evolving and complex business requirements. In his session at 21st Cloud Expo, Scott Davis, Embotics CTO, explored how next-generation CMPs ensure organizations can manage cloud-native and microservice-based application architectures, while also facilitating agile DevOps methodology. He expla...
To get the most out of their data, successful companies are not focusing on queries and data lakes, they are actively integrating analytics into their operations with a data-first application development approach. Real-time adjustments to improve revenues, reduce costs, or mitigate risk rely on applications that minimize latency on a variety of data sources. In his session at @BigDataExpo, Jack Norris, Senior Vice President, Data and Applications at MapR Technologies, reviewed best practices to ...
"Evatronix provides design services to companies that need to integrate the IoT technology in their products but they don't necessarily have the expertise, knowledge and design team to do so," explained Adam Morawiec, VP of Business Development at Evatronix, in this SYS-CON.tv interview at @ThingsExpo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
DevOps promotes continuous improvement through a culture of collaboration. But in real terms, how do you: Integrate activities across diverse teams and services? Make objective decisions with system-wide visibility? Use feedback loops to enable learning and improvement? With technology insights and real-world examples, in his general session at @DevOpsSummit, at 21st Cloud Expo, Andi Mann, Chief Technology Advocate at Splunk, explored how leading organizations use data-driven DevOps to close th...
Digital Transformation (DX) is not a "one-size-fits all" strategy. Each organization needs to develop its own unique, long-term DX plan. It must do so by realizing that we now live in a data-driven age, and that technologies such as Cloud Computing, Big Data, the IoT, Cognitive Computing, and Blockchain are only tools. In her general session at 21st Cloud Expo, Rebecca Wanta explained how the strategy must focus on DX and include a commitment from top management to create great IT jobs, monitor ...
"WineSOFT is a software company making proxy server software, which is widely used in the telecommunication industry or the content delivery networks or e-commerce," explained Jonathan Ahn, COO of WineSOFT, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
In his Opening Keynote at 21st Cloud Expo, John Considine, General Manager of IBM Cloud Infrastructure, led attendees through the exciting evolution of the cloud. He looked at this major disruption from the perspective of technology, business models, and what this means for enterprises of all sizes. John Considine is General Manager of Cloud Infrastructure Services at IBM. In that role he is responsible for leading IBM’s public cloud infrastructure including strategy, development, and offering m...
Recently, WebRTC has a lot of eyes from market. The use cases of WebRTC are expanding - video chat, online education, online health care etc. Not only for human-to-human communication, but also IoT use cases such as machine to human use cases can be seen recently. One of the typical use-case is remote camera monitoring. With WebRTC, people can have interoperability and flexibility for deploying monitoring service. However, the benefit of WebRTC for IoT is not only its convenience and interopera...
No hype cycles or predictions of a gazillion things here. IoT is here. You get it. You know your business and have great ideas for a business transformation strategy. What comes next? Time to make it happen. In his session at @ThingsExpo, Jay Mason, an Associate Partner of Analytics, IoT & Cybersecurity at M&S Consulting, presented a step-by-step plan to develop your technology implementation strategy. He also discussed the evaluation of communication standards and IoT messaging protocols, data...
In a recent survey, Sumo Logic surveyed 1,500 customers who employ cloud services such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). According to the survey, a quarter of the respondents have already deployed Docker containers and nearly as many (23 percent) are employing the AWS Lambda serverless computing framework. It’s clear: serverless is here to stay. The adoption does come with some needed changes, within both application development and operations. Tha...
Product connectivity goes hand and hand these days with increased use of personal data. New IoT devices are becoming more personalized than ever before. In his session at 22nd Cloud Expo | DXWorld Expo, Nicolas Fierro, CEO of MIMIR Blockchain Solutions, will discuss how in order to protect your data and privacy, IoT applications need to embrace Blockchain technology for a new level of product security never before seen - or needed.
Recently, REAN Cloud built a digital concierge for a North Carolina hospital that had observed that most patient call button questions were repetitive. In addition, the paper-based process used to measure patient health metrics was laborious, not in real-time and sometimes error-prone. In their session at 21st Cloud Expo, Sean Finnerty, Executive Director, Practice Lead, Health Care & Life Science at REAN Cloud, and Dr. S.P.T. Krishnan, Principal Architect at REAN Cloud, discussed how they built...
Sanjeev Sharma Joins June 5-7, 2018 @DevOpsSummit at @Cloud Expo New York Faculty. Sanjeev Sharma is an internationally known DevOps and Cloud Transformation thought leader, technology executive, and author. Sanjeev's industry experience includes tenures as CTO, Technical Sales leader, and Cloud Architect leader. As an IBM Distinguished Engineer, Sanjeev is recognized at the highest levels of IBM's core of technical leaders.