According to the Identity Theft Resource Center, security breaches reached a record high in the U.S. last year, spanning some 675 million records. Over 30 percent of these breaches hit the business sector, including some of most recognized merchants like Neiman Marcus, Goodwill Industries, P.F. Chang’s and Dairy Queen.
While some merchants are becoming more proactive about things like payment card industry compliance and security standards (PCI), are the standards enough? Why should they comply? More importantly, why is it so easy for hackers to find vulnerabilities and gain access to account information in the first place?
These ugly truths and more were exposed during a recent SAP Radio broadcast, “Data Security in the Age of Credit Card Breaches.”
Vigilance against threats
Billions of dollars in fraud exists in North America alone and that number multiplies significantly on a global scale – which is why hackers are always going to be looking for vulnerabilities, according to Richard McCammon, Delego Software.
“They’re going after the people who don’t have the controls on e-commerce,” said McCammon.
Even though this shrewd tactic might appear to give hackers the upper hand, it shouldn’t force business into thinking data breaches are a fact of life, according Hillel Zafir, co-founder and president, HMS Technology Group.
“Breaches should be at the forefront of any merchant’s marketing, business and security initiatives,” said Zafir. “If you make yourself a much more difficult target, hackers will go on to the next person.”
Gerlinde Zibulski, Head of Security and Identity Management at SAP believes all businesses have the ability to combat hackers thanks to cloud computing advancements over the past few years.
“Some of our customers are saying that cloud deployments today are much more secure – more secure than on premise deployments,” said Zibulski. “It’s an interesting comment to make. Technology undoubtedly has become better, especially for security.”
Setting the standard
Originated by the six major credit card companies, the aforementioned PCI standards are also becoming stronger in the fight against cybercrime. But like any standards initiative, compliance is key.
“When people aren’t compliant we end up with these huge breaches,” said McCammon. “Once a breach has happened, we’re looking at hundreds of thousands of dollars in fines in some cases it can get into the millions. Something as simple as leaving a router with the default password on it is all it takes.”
But according to HMS technology’s Hillel Zafir, PCI standards isn’t the only answer to combating cybercrime. In fact, Zafir believes much more needs to be done for PCI to be taken seriously.
“The banks are not proactively communicating with the merchants and the gateways and the processes in between don’t have any clue what the rules are and how to enforce them,” said Zafir. “To them it’s just as simple as filling out a couple of papers and say ‘Okay, I’m PCI compliant.’”
Even though PCI might have its work cut out, Zafir does see great promise in the “tokenization” technology used by Apple Pay and Google Wallet.
“Those numbers that are being transmitted to the banks are one time use card numbers that cannot be reused again, which is a great way of bypassing security issues,” said Zafir.
Beyond the firewall
Even though installing and maintaining a firewall is one of the tenants of good network security, this type of “perimeter security” is actually quite outdated, according to SAP’s Zibulski.
“It’s like a medieval concept. Everybody outside is evil and everybody inside is good.”
Zibulski warns that even if you have the whole communication unencrypted you’re basically sending the passwords of your credit card administrators, people that work with your systems, in clear text over the wire. And it’s very easy for hackers to grab these passwords.
“PCI requirements need to be a lot stricter and enforced more than they are,” said Zibulski. “If they aren’t completely adhered to, and if people aren’t fully compliant, it poses a problem.”
You might also like: