Counter-Measures: Protecting Your Customers' Credit Card Data

You may not know it yet, but you are at war. An unprecedented battle rages over what you are entrusted to protect: your customer's credit card data. Your IT infrastructure is the last line of defense between you and a powerful enemy composed of a myriad of attackers with finely honed hacking skills, backed by organized crime. At the center of the fight today are multiple-franchise merchants. Visa corroborates this in stating that up to 97 percent of data compromises are suffered by smaller merchants and "specifically franchisees." The possibility of gaining access to a multiple-franchise network is a tempting prize, and attackers are relentless in their efforts to obtain customer credit card data.

Recent experience confirms that hackers are increasingly exploiting a common potential vulnerability, giving them unrestricted access to your system through your own remote access application. Remote access applications are not inherently vulnerable, but when weakly configured it's the equivalent of locking the gates to the city with a paperclip.

Beware: If you can access your systems remotely simply by entering the correct username and password, a hacker can wage a "brute force" attack and reveal your login credentials. Once inside your network, attackers are free to create their own administrative credentials, install malware designed to capture or record credit card transactions and cardholder data, and export it out of your network--leaving few traces of their actions. Payment Card Industry Data Security Standards (PCI DSS) require a secondary authentication factor before remote access is granted. Known as two-factor authentication, a typical yet effective "second factor" could require having to call into the merchant location and be granted access by an onsite manager.

On the perimeter

If hackers cannot breach your remote access security, their next target will be your perimeter security, namely your firewall. Many smaller merchants and franchisees who have been compromised had a poorly configured firewall that failed to restrict communication in and out of the cardholder environment to known, trusted sources--or no firewall at all. Cardholder data should be protected not only by a robust firewall, but must also be further secured inside a safe zone within your network, firewalled off from untrusted sources outside the perimeter firewall and secured from all other Internet traffic inside the merchant environment. The ideal scenario would have all aspects of the credit card payment application on a separate network, firewalled off from all other day-to-day business activities.

Once you harden your remote access and segment your payment application from the rest of your business Internet traffic, you still need to protect yourself... from yourself. In a multiple franchise scenario, owners or chief technology officers may be tempted to establish a network configuration that caters to the ease of doing business, such as each locale maintaining direct connectivity to a corporate server and protected by a single firewall or intrusion detection system. If an attacker gains access to one of your merchant sites, such "convenient" network configurations will allow a hacker to migrate the attack to other merchant sites, or to your corporate site. Depending on the number of units in your franchise portfolio, consider giving each site greater network independence, while, for example, maintaining corporate communication through on-demand VPNs (virtual private networks).

If hackers consistently employed the same attack methodology, a single line of defense would defeat them. However, their attacks have become increasingly sophisticated. As credit card payment applications stopped storing unencrypted credit card data, attackers installed keyloggers and memory scrapers that capture cardholder (and magnetic stripe) data the moment it enters the system. In the past, hackers seemed unconcerned about leaving evidence of their thefts on a compromised system. More recently, there is a substantial increase in the likelihood attackers will cover their tracks by securely deleting the malware after a specified period and encrypting the stolen data.

Other essential counter-measures include using a payment application that is compliant with the Payment Application Data Security Standards (PA-DSS); specifically, maintaining robust, up-to-date antivirus applications (preferably more than one), regularly employing security patches and updates, enabling system logging, and reviewing system logs regularly for indications of attempted attacks. In short, full PCI DSS compliance is the most comprehensive course of action a franchisee can take to ensure the security of their customer credit card data.

Today's hackers claim a variety of ethical rationales for why they attempt to compromise computer systems. Many say their actions are ultimately beneficial for the compromised company, as their illicit incursions motivate the victimized company to enhance its IT security. While the morality of hacking is an interesting debate for another venue, there is no debate over the motives of attackers who target customer credit card data. They are out for cash, and they do not care who gets hurt in the process. While the official tally has not been released, government agencies estimate that, in 2010, organized crime worldwide netted more money through Internet-based crimes than from the sales of illegal narcotics--a truly sobering reality, and evidence that this is a fight we will battle well into the future.

David Ellis is director of forensic investigations for SecurityMetrics, a leading provider of PCI-DSS security solutions. Contact him at 801-724-9600 or visit www.securitymetrics.com.