As evidenced by recent retailer data breaches and as stated in a recent Bloomberg Businessweek write-up, “It turns out the accreditation by PCI doesn’t always offer much protection against fraud.” My colleague Mora Gozani made a similar observation, and I couldn’t agree with her more.
A case in point is that Neiman Marcus claimed it had met PCI standards when it revealed in January 2014 that customer cards may have been compromised from July to October 2013. Even though retailers, banks and other enterprise organizations take measures to demonstrate compliance, that isn’t enough. What they really need to consider is whether, and to what extent, they are requiring employees, partners and customers to follow safe business practices for securing sensitive data, both physically and virtually.
In a physical environment, such as a brick-and-mortar store, employees, dedicated security personnel, and perhaps even Web cameras should keep a watchful eye on visitors who may be tinkering in unexpected ways with Point-of-Sale (POS) systems. This is especially challenging nowadays because many stores, including Target, are providing consumers the convenience of self-checkout—the drawback being that cashiers aren’t physically present to more easily monitor and control these systems.
In a virtual environment, such as a Security Operations Center, the IT security team should use a strong SIEM, such as Secure Analytics. Secure Analytics can synthesize isolated events from multiple sources (both security devices and network devices) to detect any anomalous behavior taking place on the network, as well as automatically notify the team. Once alerted, the team should immediately contact a law enforcement agency about a possible breach. While this may occasionally lead to false alarms, it’s better to be safe than sorry, and will ultimately lower the risk of losing both business and customer credibility.
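To make the correlation idea concrete, here is an added toy example (not Secure Analytics code, and not from the original post) that joins two constructed feeds, endpoint security events and firewall flow records, and raises an alert when a POS host shows a security event followed within a time window by an outbound flow to a destination outside an assumed allow-list. Host names, addresses and the allow-list are hypothetical.

```python
"""Toy multi-source correlation rule in the spirit of a SIEM.

Two constructed feeds are correlated by host and time: an endpoint/security
device event followed within WINDOW by an outbound flow to a destination not
on the allow-list produces an alert for the SOC team.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
# Assumed allow-list of destinations a POS lane may legitimately talk to (constructed).
KNOWN_DESTINATIONS = {"10.0.5.20"}

# Constructed sample events; hosts and addresses are hypothetical.
SECURITY_EVENTS = [
    {"ts": "2014-01-10T09:02:11", "host": "pos-lane-03", "type": "new_service_installed"},
    {"ts": "2014-01-10T14:30:00", "host": "pos-lane-07", "type": "new_service_installed"},
]
NETWORK_EVENTS = [
    {"ts": "2014-01-10T09:05:40", "host": "pos-lane-03", "dst": "203.0.113.9", "bytes": 48_000_000},
    {"ts": "2014-01-10T09:06:02", "host": "pos-lane-05", "dst": "10.0.5.20", "bytes": 1200},
    {"ts": "2014-01-10T16:10:00", "host": "pos-lane-07", "dst": "203.0.113.9", "bytes": 5_000_000},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def correlate(security_events, network_events, window=WINDOW):
    """Return (host, security_event_type, destination) for every security
    event that is followed within `window` by an outbound flow from the same
    host to a destination outside KNOWN_DESTINATIONS."""
    flows_by_host = defaultdict(list)
    for ev in network_events:
        if ev["dst"] not in KNOWN_DESTINATIONS:  # only unfamiliar destinations matter
            flows_by_host[ev["host"]].append(ev)
    alerts = []
    for sec in security_events:
        t0 = parse_ts(sec["ts"])
        for flow in flows_by_host.get(sec["host"], []):
            delta = parse_ts(flow["ts"]) - t0
            if timedelta(0) <= delta <= window:  # flow occurs after the security event
                alerts.append((sec["host"], sec["type"], flow["dst"]))
    return alerts


def notify(alerts):
    """Stand-in for the SIEM's automatic notification to the SOC team."""
    for host, sec_type, dst in alerts:
        print(f"ALERT {host}: {sec_type} followed by outbound transfer to {dst}")


if __name__ == "__main__":
    notify(correlate(SECURITY_EVENTS, NETWORK_EVENTS))
```

Only pos-lane-03 alerts with the default window: pos-lane-07's flow comes 100 minutes after its security event, and pos-lane-05 only talks to an allow-listed destination.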
If we could leverage automated tools alone without any human intervention to detect and prevent crime, it would be revolutionary, to say the least. Until then, let’s do our part and go beyond just checking off boxes in the PCI DSS requirements list.