Are You Leaking?: Securing Customers' Credit Card Data

The cost of credit card data compromise has risen nearly 70 percent since 2010 (Cost of Cyber Crime Study, 2011). Often, payment card information found by criminals is electronically just "laying around," waiting to be discovered.

In a recent report released by SecurityMetrics, (Merchant Data Security Report, 2011), 71 percent of the 2,700 merchant systems scanned had stored unencrypted card numbers. In all, more than 378 million card numbers were found on the systems tested. That is more than 12 times the total amount of sensitive records publicly reported compromised during 2011.

The question you must consider is: Do you have unprotected card data on your franchise point-of-sale or back office systems waiting to be harvested and sold for fraudulent purposes?

As a Payment Card Industry (PCI) Qualified Security Assessor (QSA), I conduct many onsite security assessments and continually see problems that result in insecure data storage--even on very sophisticated merchant or service provider systems. Because of this continuing trend, the PCI Security Standards Council has clarified (in version 2.0 of the PCI Data Security Standard, or PCI DSS) that data discovery methodologies should be used at least annually.

The first step to conquering data loss is to know for sure where card data is being used and if (and how) it's being stored. This can be especially important in franchise environments because of the common practice of duplicating POS systems across many merchant locations. If it's bad at one location, it's bad everywhere, which increases the risk of card data loss or exposure.

What should I do?

The first thing is to get a good idea of where card data could be lurking. Just like flotsam in a river gets caught in eddies, card data can potentially be deposited on systems that may or may not be directly involved in POS transactions. During the data discovery phase, knowing where to look for potential data eddies is half the battle.

The other half is finding, implementing, and using a good data discovery tool that can identify card data in its various forms and alert you to its location. Tools inlcuding CardRecon (GroundLabs), Spider (Cornell University), and PANscan (SecurityMetrics)), can be used to search computer systems for data. Don't forget to run these search tools on your e-commerce web servers, old systems historically dealing with card data, and in departments such as accounting, sales, and marketing.

Once you find unsecured card data, you need to figure out what process caused it to be stored and determine if that process can be fixed to avoid future problems. You then must securely remove the unencrypted card data using a secure removal or wipe process. (Hint: Don't just use the delete key--it's really not gone after that.)

Now that your processes and your systems are clean, you need a program to keep them that way. Clear text (unencrypted) credit card data has a way of cropping up again where you don't expect it to be. You must define and follow a process of periodic data discovery cycles (at least annually) to recheck systems and make sure they remain free of unprotected card information.

Security tips from a QSA

Good data discovery and secure data flow practices are a very important part of your overall PCI DSS compliance effort. Here are more tips that may help:

• Avoid the temptation to use a single computer for both POS transactions and other office work. This is especially common in smaller franchise locations where there is a desire to reduce cost. It is virtually impossible to be PCI DSS compliant and take POS card transactions on a system with multiple uses (e-mail, browsing, document generation, etc.). Separate these functions and segment the network.
• Be thorough when selecting an IT infrastructure/support partner. I see many cases where support partners are weak in data security experience (PCI DSS compliance) and replicate bad architectures throughout a franchise system. They often attempt to support franchises and single merchants using the same technologies.
• Put someone in charge of overall security and PCI DSS compliance at your franchise, and give them the power to get things done!
• The PCI DSS requirements are a fantastic collection of data security guidelines based on industry best practices. Get familiar with the standards and use them.
• Check out the "The Prioritized Approach to PCI DSS Compliance" on the PCI Security Standards Council website. It is a great way to approach your compliance efforts. (https://www.pcisecuritystandards.org/documents/Prioritized_Approach_V2.0.pdf)
• Keep your stick on the ice, and don't give up!

Gary Glover is director of security assessment at SecurityMetrics and holds QSA, PA-QSA, CISSP, and CISA certifications. He began his career at McDonnell Douglas developing AI and expert systems for rocket and propulsion systems. He spent nearly 10 years in software engineering and is the author of two U.S. patents.