Debunking the PCI Myth
There is no end in sight, and there never will be—not when it comes to securing payment transactions and consumer data. Regulatory agencies and emerging technologies attempt to make breaches more difficult, but the higher the bar is raised, the higher tech-savvy hackers learn to jump.
Were any of us completely surprised to learn that a PCI-compliant retailer was breached? Not really. In fact, most industry analysts and security professionals would say it was just a matter of time—and given the speed of emergent technologies, there’s been a lot of time since the payment card industry (PCI) data security standard (DSS) was last updated on Dec. 31, 2006.
The 12 requirements outlined in the PCI DSS are a great starting point, but that is all they are: a starting point. Putting a dead bolt on your doors and installing a home-security system are logical precautionary measures, but a stealthy, sophisticated criminal could still find a point of entry. The same holds true for your secured networks and payment systems.
Certainly that was one of the lessons Hannaford Bros., Scarborough, Maine, learned when more than 4.2 million debit and credit accounts were breached through the PCI-compliant Hannaford network. Within days, Advance Auto Parts, Roanoke, Va., and Okemo Mountain Resort, Ludlow, Vt., had also reported breaches.
Ben Edwards, a systems consultant with Peak Technologies, Columbia, Md., agreed that PCI compliance is the best first step, but cautioned, “There is no such thing as a totally hacker-proof system and anyone who implemented the minimum security to be compliant with PCI DSS regulations is quite vulnerable today because technology moves so quickly.”
Among his suggestions: Maintain constant vigilance, have multiple layers of security, and stay up-to-date on the latest safeguards, which likely means going beyond the rules of regulatory compliance.
For instance, wireless networks, potentially an Achilles’ heel for virtually every retailer, are much more prevalent now than in 2006 when the PCI DSS regulations were last updated.
However, most retailers believe they have taken all the necessary precautions if they are PCI-compliant. When retailers describe secure payment systems, the first thing they tell me is that they are PCI-compliant; the second thing is that the data is encrypted.
Trusting encryption to be your silver bullet against hackers is probably as naive as thinking PCI compliance in and of itself makes the network secure. As Edwards explained, the PCI DSS requirement calls for encryption keys to be rotated quarterly. However, if encryption keys are only rotated quarterly, that would give a hacker three months to break the code and breach a system.
“For the retailers I work with,” Edwards noted, “I set up a minimum of a daily rotation on encryption keys, typically every 8 to 12 hours. At least then the hackers have to start over every few hours to break the code.”
Setting a system to rotate encryption keys on a more frequent basis could be as simple as loading new firmware, he advised—something that can be done in a matter of minutes and for minimal cost.
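To make the rotation policy concrete, here is an added illustration (not code from the article or from Peak Technologies) of a keyring that versions its data-encryption keys, reports when the current key has outlived the policy window, and tags each ciphertext with the key version so records encrypted before a rotation still decrypt afterwards. The cipher is an HMAC-SHA256 counter-mode keystream chosen only so the example runs offline with the standard library; a production system would use an authenticated cipher and a hardware-backed key store.

```python
import hashlib
import hmac
import os
import time

class Keyring:
    """Versioned data-encryption keys with a maximum key age (constructed example)."""

    def __init__(self, max_age_hours, clock=time.time):
        self.max_age = max_age_hours * 3600      # policy window in seconds
        self.clock = clock                       # injectable for tests
        self.keys = {}                           # version -> (key bytes, install time)
        self.current = 0
        self.rotate()

    def rotate(self):
        """Install a fresh random key; older versions stay so old ciphertext still decrypts."""
        self.current += 1
        self.keys[self.current] = (os.urandom(32), self.clock())
        return self.current

    def rotation_due(self):
        """True when the current key is older than the policy allows."""
        return self.clock() - self.keys[self.current][1] > self.max_age

    def prune(self, keep):
        """Drop retired versions beyond the newest `keep`, once data has been re-encrypted."""
        for version in sorted(self.keys)[:-keep]:
            del self.keys[version]

    def _keystream(self, key, nonce, n):
        # HMAC-SHA256 in counter mode: demo only, confidentiality without integrity
        blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range((n + 31) // 32))
        return b"".join(blocks)[:n]

    def encrypt(self, plaintext):
        """Tag ciphertext with the key version so decryption survives rotation."""
        key, _ = self.keys[self.current]
        nonce = os.urandom(16)
        stream = self._keystream(key, nonce, len(plaintext))
        return self.current.to_bytes(4, "big") + nonce + bytes(a ^ b for a, b in zip(plaintext, stream))

    def decrypt(self, blob):
        """Look up the key by the version tag; KeyError means it was pruned before re-encryption."""
        version = int.from_bytes(blob[:4], "big")
        key, _ = self.keys[version]
        nonce, body = blob[4:20], blob[20:]
        return bytes(a ^ b for a, b in zip(body, self._keystream(key, nonce, len(body))))
```

With a 12-hour policy the check fires after 13 hours, whereas a quarterly (90-day) policy would leave the same key in service, which is the gap Edwards describes.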