DarkReading SUP 2012 11
darkreading.com, November 2012


DARK DOMINION
The High Stakes Of Data Hoarding
By Tim Wilson

I admit it: I’m a pack rat. I save everything. I still have notes from stories I wrote in the 1990s. I have clothes I wore in junior high. I have my toy soldiers.

Why do people save this stuff? Because you never know when you’re going to need it. If I ever need 10 boxes of 9-by-12 envelopes, I’ve got ‘em. If I ever need a directory of security vendors from 2009, I’ll just pull it out. If floppy disks come back, you know who to call.

Unfortunately, a lot of businesses behave this way, and that’s bad news.

Businesses are loath to throw away data—particularly customer data. They hang on to old and moldy data, thinking someday they’ll mine it for sales leads, buyer analysis, or other business intelligence. Paying customers are hard to find so when you have their data, you don’t let it go easily.

However, old customer data also is a risk. Such records can contain credit card, banking, and other personal data. Some old data contains personally identifiable information—such as Social Security or credit card numbers—that previously were used as customer identifiers. If any of this data is compromised, it would mean a major breach for your company.

Old customer data is sometimes stored in applications or on servers that aren’t getting the patches and other security updates that current systems get. And some old data may be stored on servers or in applications that your company has forgotten about and isn’t protecting.

The Real Risk

Such data is a treasure trove for hackers and political activists. Not only can it be used or resold for nefarious purposes, but compromised customer data will make your company look bad, forcing it to disclose the breach to the authorities. A breach also can mean loss of compliance with industry standards such as the Payment Card Industry Data Security Standard, incurring additional penalties and even the revocation of your credit card processing privileges.

The lesson here is simple: If you’ve got old, sensitive data, store it in a secure, encrypted location or erase it entirely.

Security people talk constantly about ways to store and use live data safely, but they hardly ever talk about disposing of old data that’s no longer in use. There have been many instances of hackers or researchers exposing sensitive data on old hard drives, even those sent to a recycler. In other instances, cybercriminals have dug through old customer lists or databases and harvested enough data to penetrate a company’s more current information systems. In many ways, end-of-life data security issues can be as serious as those surrounding newly created data.

In my neighborhood, being a pack rat makes me quirky and colorful. But in yours, it puts you at risk for a major breach and becoming the next headline. Take a look at those old servers, applications, and databases: You may find there’s plenty of information there that you can do without.

Tim Wilson is editor of DarkReading.com. Write to him at [email protected].

COVER STORY
Securing Web Data
Help for online retailers stuck in a maze of e-business security and PCI compliance requirements
By Robert Lemos

Whether they’re brick-and-mortar or online, merchants find the Payment Card Industry’s requirements for protecting credit card data challenging and confusing. But all retailers must understand how to protect the credit card and other customer data that comes from online transactions, because their businesses are in cybercriminals’ crosshairs. Retailers are the second leading source of leaked data (after the hospitality industry), accounting for 20% of total breaches, according to Verizon’s 2012 Data Breach Investigations Report. And though the U.S. Census Bureau reports that e-commerce transactions account for only about 5% of the retail economy, they’ve steadily grown every year.

“It’s an interesting world out there, and a very scary world for a merchant, because from day one, you’re a target,” says John South, chief security officer for payment processor Heartland Payment Systems.

Many of the retailers playing in this scary online world are small businesses, and they’re the most vulnerable: Nearly 95% of breaches happen to merchants with 100 employees or fewer, according to the Verizon report. They don’t have the dedicated security and risk management teams larger businesses have.

“We aren’t seeing a lot of large-scale breaches. We’re seeing much smaller breaches,” says Bob Russo, general manager of the PCI Security Standards Council, the governing body for PCI’s Data Security Standard (PCI DSS). “These standards are right on target for the big guys with the big security departments, ... but we have to find out a way to make it easier for the smaller merchants.”

Online retailers have one big security requirement that the 100% brick-and-mortar corner store doesn’t have: card-not-present transactions. Because customers don’t physically hand over their credit cards for online purchases, payment processors require all online merchants to submit to a quarterly network scan by an approved security vendor. Such scanning is designed to detect vulnerabilities and misconfigurations.

Many online retailers aren’t aware of this and other PCI requirements and how to deal with them, but simple steps can make a big difference when it comes to protecting customer data. The Verizon study found that 96% of victims of successful attacks had failed to comply with the PCI rules they were subject to, and 97% of breaches could have been prevented through simple or intermediate security controls.

The following 10 steps will help your company institute the controls needed to secure cardholder data and meet PCI’s requirements.

1. Know Your Infrastructure

Online merchants must worry about the degree to which their online retail systems integrate with their day-to-day business networks. Start by assessing your infrastructure to determine which systems handle transaction and cardholder data.

Network scanning and log analysis can help identify which systems have access to card data, says Greg Rosenberg, a qualified security assessor with managed security provider Trustwave. These systems are the ones that you’ll want to subject to PCI DSS.

“There are a lot more attack vectors—a lot more systems—that we find and can identify vulnerabilities in than customers know about,” Rosenberg says.

Get a qualified security assessor involved, he says. “I’m not looking for who can get me through my audit really quickly, but who can help me understand my risk,” Rosenberg says. “I would rather significantly reduce my risk posture than quickly pass PCI.”

The Hard Part: Percentage of companies that passed the three most difficult PCI requirements last year
Protect stored data: 42%
Maintain a policy that addresses information security: 39%
Regularly test security systems and processes: 37%
Data: Verizon’s “2011 Payment Card Industry Compliance Report”

2. Find The Data

Companies save card data for three main reasons: to better handle customer service requests, to allow easy reuse of credit cards, and to handle chargebacks, according to the Ponemon Institute’s 2011 PCI DSS Compliance Trends Study. “We still have way too many companies using credit card numbers as the primary identifier for their customers,” says Martin McKeay, a security evangelist at Internet services company Akamai.

Whatever the reasons for hanging on to customer data, companies should hunt down every instance on their systems, whether on Web servers, in a customer service application, or on a sales associate’s laptop. Discover where the data resides, who has access to it, and whether they need the information at all.

Marketing types, for instance, want to save everything, “because someday they might use the data to send someone a coupon,” says PCI SSC’s Russo. “If you don’t need the data, don’t store it.”

3. Have Fewer Data-Handling Systems

All systems that have access to the transaction data or card data at rest fall under the PCI DSS, and they’re an expensive part of any assessment. So it makes sense to segment off parts of the network—and the employees involved with those parts of the network—from access to card data. This approach reduces the number of systems that fall within the scope of PCI requirements, increases security, and cuts compliance costs. “Being able to chop off big chunks of your infrastructure and saying it has nothing to do with processing transactions—that’s a big help,” says Chris Eng, VP of Veracode, an application security company.

A key part of this approach is to log transactions without logging the credit card numbers. “Logging is absolutely essential, and people don’t do enough of it,” says Jerry Hoff, VP of static-code analysis at WhiteHat Security, a Web application security provider. “But make sure that the sensitive data itself isn’t logged.”

4. Get Rid Of The Data

Online merchants can outsource their processing infrastructure, letting a third party handle all payment processing details and take on much of the responsibility—if not liability—for the data. “If your store sells snowboards online, then securing credit card data isn’t something that you should have to focus on,” Hoff says.

Companies that don’t hold onto card data tend to take security more seriously and suffer fewer breaches, says the Ponemon Institute. In a survey of 670 U.S. and multinational IT managers, it found that 85% of companies that didn’t retain primary cardholder data didn’t suffer a breach over a two-year period. Only 40% of companies that retained data suffered no breach in that same time period.

One piece of data that the business should never retain, although many do: the card verification value, or CVV, code. “They see it as a way to increase the likelihood that the transaction will be approved,” Trustwave’s Rosenberg says, “but the problem is that you aren’t supposed to have that data after the transaction has cleared.”

Where Stolen Data Comes From
In transit: 63%
Stored data: 28%
Data redirection: 5%
Hybrid: 4%
Data: Trustwave’s “2012 Global Security Report” on 300 breaches

Getting rid of the data reduces the PCI burden tremendously. Rather than having to comply with all 12 requirements, you can narrow your focus to two requirements: blocking access to data (requirement nine) and maintaining a policy that addresses information security (requirement 12).

You still must check your store for compliance and fill out a self-assessment questionnaire, but the overall effort is less onerous, Heartland’s South says.

Just segmenting the network and minimizing retention of card data won’t make your company PCI compliant, says Evan Tegethoff, a PCI solutions architect with security services firm Accuvant. No merchant can ever eliminate the scope of PCI requirements, but it can reduce them. If a third party is handling your company’s data, you’re still responsible for confirming that the third party is protecting the information.

The same goes for technology. Buying a PCI-compliant data protection product won’t automatically make your company PCI-compliant. “Merchants frequently think, ‘Let me go buy something that’s PCI-compliant, and then I’m done,’ ” PCI SSC’s Russo says. Data security technology must be adjusted to a company’s needs and monitored to ensure that it’s protecting all of the right data.
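Steps 2, 3 and 4 together ask for three things a small script can do: find card numbers wherever they sit, keep them out of application logs, and make sure a CVV value never persists. The Python below is an added example written for this article, not code from the article or from any of the vendors quoted; the log lines are constructed, the card numbers are the standard Visa and MasterCard test numbers, and the regexes and field names are assumptions about what a merchant's logs look like.

```python
import re
from typing import Dict, List

# A candidate PAN is a maximal run of 13-19 digits, optionally separated by
# single spaces or dashes. The lookarounds refuse to match a partial slice of
# a longer digit run (e.g. a date glued to a card number), so such lines are
# left for a human to review rather than being half-masked.
_PAN = re.compile(r"(?<!\d)(?<!\d[ -])(?:\d[ -]?){12,18}\d(?![ -]?\d)")
# Card verification codes must never be stored; match common field names.
_CVV = re.compile(r"\b(cvv2?|cvc2?|csc)(\s*[=:]\s*)\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test; it filters out order IDs and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid PANs (digits only) found in a piece of text."""
    pans = []
    for m in _PAN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            pans.append(digits)
    return pans


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits, as PCI DSS allows."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact(text: str) -> str:
    """Replace PANs with their masked form and blank out any CVV value."""
    def _mask(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    text = _PAN.sub(_mask, text)
    return _CVV.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", text)


def scan(lines: List[str]) -> Dict[int, int]:
    """Map 1-based line numbers to the number of PANs found on that line."""
    hits: Dict[int, int] = {}
    for n, line in enumerate(lines, 1):
        pans = find_pans(line)
        if pans:
            hits[n] = len(pans)
    return hits


# Constructed sample log: line 1 and 2 leak a PAN (line 1 also a CVV),
# line 3 holds only a 16-digit order number and a 10-digit reference.
SAMPLE_LOG = [
    "2012-11-08T10:15:03Z order=1234567890123456 card=4111-1111-1111-1111 cvv=123 amount=59.00",
    "2012-11-08T10:16:40Z order=1234567890123457 payment=5555 5555 5555 4444 amount=19.99",
    "2012-11-08T10:17:12Z order=1234567890123458 ref=9876543210 status=refund",
]
```

Run `scan` over exported database dumps or log archives to locate stored card data; put `redact` in front of the logger so transactions are logged without the number itself.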

5. Check Out Partners

Merchants that outsource to a service provider but retain some ability to check transactions are less likely to reduce the scope of their PCI compliance, says Troy Leach, CTO at PCI SSC. “The challenge is that there is typically some sort of access to that cardholder data,” Leach says. “If there is, that brings their entire environment back into scope.”

You’ll also want to gather information on your partners’ PCI compliance. Managed service providers handle a lot of card data, making them attractive to attackers. Third parties administered 76% of systems that were breached last year. And when a breach happens, the liability generally rests with the merchant.

Ask for documentation of a third party’s PCI compliance status, including a self-assessment questionnaire. Key areas to be aware of:

>> Hosting services must comply with PCI and, in particular, have a vulnerability remediation process in place, including timely patching and updating of their server software.

>> Any payment application used as the transaction engine for a store should comply with a separate set of standards: the PCI Payment Application Data Security Standard. A compliant program needs to, among other security measures, log transactions, not store full mag-stripe data, provide secure authentication, and encrypt all communications over public networks.

>> Web application scanning vendors must qualify as PCI-compliant to be listed as compliant on the pcisecuritystandards.org site.

6. Use Secure Software

Credit card data is handled most often by software, not people, so make sure you’re using secure software.

A few years ago, companies that had to comply with PCI’s requirement for the development and maintenance of secure applications only had to make sure their software eliminated the Open Web Application Security Project’s top 10 vulnerabilities. Those requirements became more stringent last year, when PCI SSC changed the language to include other collections of vulnerabilities, such as the SANS top 25 most dangerous software errors.

PCI Prevents Breaches
64% of PCI-compliant companies had no cardholder data breach in last two years
38% of noncompliant companies were breach free
Data: Ponemon Institute’s “2011 PCI DSS Compliance Trends Study”

No wonder companies have trouble keeping up, says Veracode’s Eng. Online companies have problems securing their sites against SQL injection and cross-site scripting, the top two threats on the SANS list, never mind the other 23 issues.

7. Protect The Web Server

The critical part of an online retailer’s operation is the care and maintenance of its Web server and online store. The quarterly scan that e-commerce vendors must submit to can find security vulnerabilities. In addition, under PCI, software must be kept up to date and critical flaws patched within 30 days. That may be too long.

Merchants can use one of three strategies to protect their online stores and comply with PCI: Scan code for vulnerabilities and fix any problems as part of development; dynamically scan the website to identify and patch vulnerabilities; or use a Web application firewall to block attacks. But just having a WAF isn’t enough. It must be configured correctly.

“They tend to be configured very, very lenient,” Eng says. “Many companies run them in a mode that never blocks a request.”

Companies also must think like attackers. A cross-site scripting attack, for instance, lets an attacker inject content onto a vulnerable website to make it appear to come from that site. A cross-site scripting attack may not directly compromise a merchant’s website, but attackers can use the technique to redirect customers to a lookalike site from which they can collect card data.

“If I’m a hacker and I can redirect you to a website, what prevents me from redirecting you to my bad site?” says Trustwave’s Rosenberg. E-commerce vendors must find these vulnerabilities during development or a security scan and fix them. Alternatively, use a WAF to block these attacks, he says.

8. Authorized Users Only

Three PCI requirements deal with authorization. Restricting physical access to cardholder data may be the easiest one to comply with. While a brick-and-mortar store has to educate and monitor cashiers who handle credit cards every day, e-commerce employees never see an actual card. Yet an online retailer may have a harder time restricting access to card data, because so many employees have legitimate access to the systems that handle the data.

Employees and partners may also inadvertently weaken your company’s data access policies by choosing poor passwords. A whopping 80% of breaches are caused by the use of weak or default administrator credentials, Trustwave said in its 2012 Global Security Report. In many cases, a third-party provider used the same password or a simple variant across many of its clients; a breach of one business led to the breach of all.

9. Encrypt, And Don’t Lose The Keys

For companies that keep cardholder data, that data must be encrypted when stored and transmitted. It’s all about turning cardholder data from gold data that attackers want into worthless straw that they can’t access, says Mark Bower, VP of data security firm Voltage.

Techniques that encrypt transaction data and return a token, which is similar to a credit card number, to unencrypt the data are popular with merchants. By using end-to-end encryption, you cut down the number of PCI requirements and reduce the impact of breaches, because with tokenized data, even if attackers get the information, it doesn’t constitute a breach, Bower says.

But encryption doesn’t solve all of your problems. Many large breaches have happened because thieves were able to get the decryption key.
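The token approach Bower describes, as an added example (not code from the article or from Voltage): a vault hands the merchant a random, format-preserving token for each PAN and is the only component that can reverse it, so order records that hold only tokens give an attacker nothing. The in-memory dictionaries and the index key are constructed stand-ins for the vault's encrypted store and its key management; keeping the last four digits is an assumption about what the merchant's staff need.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

DIGITS = "0123456789"


class TokenVault:
    """Tokenization service boundary: the merchant's order system sees only
    tokens; the vault holds the token-to-PAN mapping and the index key.
    Constructed illustration: a real vault keeps the PAN column encrypted at
    rest and the keys under separate custody, which is the page's point
    about not losing the keys."""

    def __init__(self, index_key: bytes) -> None:
        self._index_key = index_key
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_index: Dict[str, str] = {}

    def _index(self, pan: str) -> str:
        # Keyed hash so the lookup index reveals nothing without the key.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return a format-preserving token: same length, digits only, last
        four digits kept so staff can confirm a card with a customer. The
        rest is random, so the token cannot be reversed without the vault."""
        if not pan.isdigit() or not 13 <= len(pan) <= 19:
            raise ValueError("PAN must be 13-19 digits")
        idx = self._index(pan)
        if idx in self._token_by_index:       # repeat customer -> same token
            return self._token_by_index[idx]
        while True:
            body = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject collisions and the (astronomically unlikely) identity token.
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Only the vault can reverse a token; call this from the payment
        path, never from reporting or marketing systems."""
        return self._pan_by_token.get(token)


def record_order(vault: TokenVault, pan: str, amount: str) -> Dict[str, str]:
    """Constructed merchant-side helper: the stored order carries the token
    and never the PAN, which keeps the order database out of PCI scope."""
    return {"card": vault.tokenize(pan), "amount": amount}
```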

10. Don’t Become A Check Box Culture

PCI isn’t the be-all and end-all of information security. It’s an “absolute bare-bones requirement,” Hoff says. “It’s like the sign that says ‘No Running’ by the pool. It doesn’t mean you aren’t going to have an accident.”

Businesses should worry about threats beyond those covered by the PCI DSS. Attackers could use HTML injection, for example, to make Google’s page-ranking bots see links in a merchant’s site that aren’t normally there. The result: An online retailer’s site could be used to raise the page rankings of malicious websites. “You need to ask in this environment: How could I be attacked?” says Trustwave’s Rosenberg.

Most important, online merchants must understand that to keep their customers, they must protect their customers’ data, says Heartland’s South. “Their basic obligation is that they have to protect their client’s transaction. And that really has nothing to do with PCI. PCI is just a tool to get there.”

More help is on the way: PCI SSC has an interest group developing guidelines for e-commerce security. Its initial report, due by December, should go a long way toward assisting all retailers in securing their customers’ data.

Write to us at [email protected].


Copyright 2012 UBM LLC. All rights reserved.
