Organizations that aren't on the leading edge of security pay a price for it: sooner or later they get caught out.
That's the lesson from an incident, reported by PC World, in which a Canadian penetration tester probing a retailer's systems here gained remote access and downloaded data from the point-of-sale (POS) system, including his own credit card number.
It was the same kind of hole attackers recently exploited at Target and other retailers through RAM scraping: card data sits unencrypted in the memory of the POS application while a transaction is processed, and malware with access to that process can simply read it out.
The problem is not that the retailer was ignoring best practice as set by the PCI Security Standards Council in the latest version of its Data Security Standard (PCI DSS 3.0). Retailers accepting credit cards have to meet the standard, which among other things requires encryption of stored cardholder data and of card data sent over open, public networks. Apparently a configuration mistake opened the door; otherwise its security was solid.
But it didn't have what the industry calls point-to-point encryption (P2PE), in which card data is encrypted inside the card reader at the moment of the swipe and stays encrypted until it reaches the payment processor. The POS application then never holds plaintext card data, so anyone who scrapes its RAM gets only ciphertext they cannot use. P2PE, however, isn't mandated by PCI DSS 3.0.
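To make the point concrete, here is an added illustration that is not from the PC World report or the original post. It builds two constructed memory images of a POS process, one holding the track-2 data a legacy reader hands over in plaintext and one holding what a P2PE reader would hand over, then runs the kind of pattern-plus-Luhn scan a RAM scraper performs over both. The reader-side encryption is a stand-in (an HMAC-SHA256 keystream in counter mode) so the script runs with only the standard library; real P2PE readers use hardware AES under DUKPT-derived keys. The key, nonce and sample track data are all constructed for the demo.

```python
"""Constructed demo: why encrypting at the swipe defeats a RAM scraper."""
import hashlib
import hmac
import re

# Constructed track-2 data using the well-known 4111111111111111 test PAN:
# start sentinel ';', PAN, field separator '=', expiry YYMM, service code, discretionary data, end sentinel '?'
TRACK2_SAMPLE = b";4111111111111111=25121011234500000000?"

# Track-2 shape a scraper searches memory for: sentinel, 13-19 digit PAN, '=', expiry, more digits, '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})\d*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation, which scrapers use to drop false positives."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrape(memory: bytes) -> list:
    """Scan a memory image for Luhn-valid track-2 data, the way RAM-scraping malware does."""
    hits = []
    for m in TRACK2_RE.finditer(memory):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(pan)
    return hits


def reader_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the reader's hardware encryption (assumption: HMAC-SHA256 keystream, counter mode).

    XOR with a keystream is symmetric, so the same call decrypts at the processor that holds the key.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def pos_memory_legacy(track: bytes) -> bytes:
    """Legacy POS: the application receives plaintext track data and buffers it while building the auth request."""
    return b"\x00" * 64 + b"POSAPP v1 auth buffer: " + track + b"\x00" * 64


def pos_memory_p2pe(track: bytes, key: bytes, nonce: bytes) -> bytes:
    """P2PE POS: the reader encrypts before the data leaves it, so the application only ever holds ciphertext."""
    return b"\x00" * 64 + b"POSAPP v2 auth buffer: " + reader_crypt(key, nonce, track) + b"\x00" * 64


def demo():
    """Return (PANs scraped from the legacy image, PANs scraped from the P2PE image)."""
    key = b"reader-key-stand-in-32-bytes-xx!"   # constructed; a real key lives in the reader's secure element
    nonce = b"ksn-stand-in"                      # constructed; DUKPT uses a per-transaction key serial number
    legacy_hits = scrape(pos_memory_legacy(TRACK2_SAMPLE))
    p2pe_hits = scrape(pos_memory_p2pe(TRACK2_SAMPLE, key, nonce))
    return legacy_hits, p2pe_hits


if __name__ == "__main__":
    legacy, p2pe = demo()
    print("legacy POS memory, scraped PANs:", legacy)
    print("P2PE POS memory, scraped PANs:  ", p2pe)
```

The scraper recovers the PAN from the legacy image and nothing from the P2PE image, even though the processor end can still decrypt the same bytes with the reader's key. Note what P2PE does not do: it does not close the remote-access hole the tester used, it only ensures that what an attacker finds in POS memory is worthless.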
Last week the PCI Council recommended that retailers stop treating compliance with its standard as a once-a-year event staged for the auditors. Instead it should be treated as a 365-day-a-year obligation that emphasizes actual security rather than just ticking off the rules.
Encrypting data at rest isn't good enough any more. Whether or not your industry's best practice calls for it, end-to-end encryption of personal and financial data, protecting it from the moment it is captured and while it is in use, not only while it is stored, is the gold standard of security, whatever the cost.