BEST OF THE WEB

When meeting the IT security standard isn’t enough

There’s a price to be paid for organizations that aren’t on the leading edge of security — they usually get caught.

That’s the lesson from an incident a Canadian penetration tester ran into while probing the system of a retailer here, outlined by PC World. He was able to gain remote access to the store’s systems and download some data from the point of sale system — including his own credit card number.

It was the same hole that attackers have used to recently exploit the systems of retailers including Target and others by RAM scraping.

The problem is not that the retailer wasn’t following best practices as set by the Payment Card Industry (PCI) in its latest Data Security Standard (PCI-DSS 3.0). Retailers accepting credit cards have to meet the standard, which includes data encryption. Apparently a configuration mistake led to the opening. Otherwise it had solid security.

But it didn’t have what the industry calls point-to-point encryption of data, from the time a credit card is swiped. That would have prevented anyone gaining access to the data in RAM from making use of it. However, point to point encryption isn’t mandated by PCI-DSS 3.0.

Last week the PCI recommended retailers go beyond seeing compliance with its standard as a once-a-year event for auditors. Instead it should be  treated as a 365-day a year obligation emphasizing security, not just complying with its rules.

Encrypting data at rest isn’t good enough any more. Regardless of whether your industry’s best practice calls for it or not, end to end encryption of personal and financial data is the gold standard of security — whatever the cost.

Read the original story here

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web