Is your information at risk?
In the wake of one of the nation’s largest retail hacking attacks ever, business owners and consumers alike have a heightened concern about information security.
Most people only think about the threat of hackers stealing their credit card information when they’re shopping online; however, recent events with Target and Neiman Marcus demonstrate that breaches in data security can happen not only online, but also when shopping at the local mall, grocery store or gas pump.
Target noted that in addition to the 40 million credit and debit card numbers that were likely exposed, other information such as names, addresses, phone numbers and email addresses for up to 70 million customers was also exposed. Target has also confirmed that encrypted PINs (personal identification numbers) were stolen during this breach; encrypted PINs are only as safe as the key that protects them.
Banks have reportedly notified some Target customers of attempts to access their accounts from another country and of online purchases made with their credit cards, or with their debit cards run as credit (signature rather than PIN) transactions. While banks are not holding customers responsible for those purchases, incidents like this one cost financial institutions millions of dollars each year, which, no doubt, affects the cost of banking for everyone.
Neiman Marcus has confirmed that it is working with government agencies to investigate a breach that occurred in December, which may have involved the exposure of an unknown amount of customer payment cards.
How does this happen?
Target officials initially reported that cardholder information was stolen by malware installed on point-of-sale (POS) devices in its stores. In this type of attack, the attackers first compromise the retailer's network and then use that access to push the malware onto the POS devices, where it captures card data as transactions are processed. Security experts are investigating whether the same type of malware was used in the other breaches as well. Target has since reported that the criminals who breached its system got in using credentials stolen from one of the retailer's vendors, which is why third-party access should be limited to what the vendor actually needs and kept segmented from the systems that handle payments.
What causes security breaches?
There are numerous causes of security breaches, including, but not limited to the following:
- users who have not been trained in security and unknowingly expose information
- disgruntled employees who intentionally expose information
- mismanaged Bring-Your-Own-Device (BYOD) policies
- increased use of mobile devices, which often run out-of-date software and sit outside the security controls applied to company-managed computers
- lost or stolen mobile devices holding unencrypted data
- underestimating attackers: most organizations do not allocate enough resources to network and information security to keep pace with the latest tactics used by cyber criminals
- faulty code logic from engineers and developers who are rushed to get new products to market
Security requirements for businesses that accept cards
The Payment Card Industry Security Standards Council (PCI SSC) maintains the PCI Data Security Standard (PCI DSS), the worldwide set of requirements that any organization must follow if it stores, processes or transmits credit and debit card data. Traditional and online retailers, service providers, and any other entity that handles cardholder data electronically must adhere to the standard and validate compliance every year, either through a self-assessment questionnaire or, for the largest merchants and service providers, an on-site assessment by an independent Qualified Security Assessor (QSA).
Although PCI DSS contains 12 detailed requirements, they are grouped under six high-level goals that any business accepting cards must meet:
- build and maintain a secure network
- protect cardholder data
- maintain a vulnerability management program
- implement strong access control measures
- regularly monitor and test networks
- maintain an information security policy
These goals are multi-pronged and require many detailed procedures to be in place before they are effective. Keeping anti-virus definitions current on all computers, servers and equipment, monitoring and testing network changes, and applying security and other software patches promptly are among the key practices that must be in place. Just as important is knowing exactly where cardholder data is stored or processed, since data that is never stored, or is stored only in encrypted form, is far less useful to an intruder.
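The "protect cardholder data" goal begins with finding card numbers that sit unencrypted in files, logs or databases. The following Python script is an added illustration, not code from this article or from KraftCPAs: it scans text for primary account numbers (PANs) using the Luhn check that every payment card number satisfies, so that ordinary reference numbers of the same length are not flagged, and masks each hit to the first six and last four digits that PCI DSS permits to be displayed. The POS log lines are constructed for the example; the card numbers in them are the published Visa and American Express test numbers, not real cards.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit (so longer digit runs are not split).
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

# Constructed sample POS log lines (not real data); the first and last card numbers
# are the standard Visa and American Express test numbers and pass the Luhn check,
# the other two 16-digit values do not.
SAMPLE_LOG = """\
2014-01-02 10:15:33 pos-07 sale approved card=4111 1111 1111 1111 amount=42.10
2014-01-02 10:16:01 pos-07 ref=1234567890123456 status=ok
2014-01-02 10:17:45 pos-12 sale declined card=4111111111111112
2014-01-02 10:18:02 pos-12 sale approved card=378282246310005 amount=9.99
"""


def luhn_valid(digits):
    """Luhn (mod 10) check that every payment card number satisfies.

    Working from the rightmost digit, double every second digit, subtract 9
    from any result above 9, and require the sum of all digits to be a
    multiple of 10.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalize(match):
    """Strip separators from a regex match; return the digits only if they form a plausible PAN."""
    digits = re.sub(r"[ -]", "", match.group(0))
    if 13 <= len(digits) <= 19 and luhn_valid(digits):
        return digits
    return None


def find_pans(text):
    """Return the unique Luhn-valid card numbers found in text, in order of appearance."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _normalize(m)
        if digits and digits not in found:
            found.append(digits)
    return found


def mask_pan(digits):
    """Mask a PAN to its first six and last four digits, the most PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact(text):
    """Replace every Luhn-valid card number in text with its masked form; leave other numbers alone."""
    def _sub(m):
        digits = _normalize(m)
        return mask_pan(digits) if digits else m.group(0)
    return PAN_CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    for pan in find_pans(SAMPLE_LOG):
        print("unencrypted card number found:", mask_pan(pan))
    print(redact(SAMPLE_LOG))
```

Run against the sample, the script reports only the two genuine test card numbers (masked as 411111******1111 and 378282*****0005) and leaves the reference number and the mistyped card number untouched. The same pattern, a regular expression plus a Luhn check, is what commercial cardholder-data discovery tools use; the point for a merchant is that any hit in a log file or database export is data that should not have been there in the clear.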
What consumers can do
While we can’t eliminate risk, consumers can take steps to help protect their personal information and financial assets. Some suggestions include:
- securing credit cards and personal information
- actively monitoring activity in all financial accounts (bank accounts, credit cards, etc.)
- using only secured websites when entering personal data or shopping online: check that the web address begins with "https" and that the browser shows a lock icon in the address bar. Note that https only means the connection is encrypted; it does not by itself prove that the site is legitimate.
- keeping up-to-date anti-virus software on computers
- limiting social networking to devices not used for Internet banking and online purchases
- limiting the number of credit cards used for online transactions
- destroying (instead of tossing in the trash) financial records, bank statements, credit card statements and any other documents with personal information
As technology continues to advance and we move toward greater use of payment cards, smart cards and, some say, eventually Bitcoin and other digital currencies, new regulations and standards will have to be developed and implemented. Governments worldwide, the financial community, regulators, website engineers and developers, and consumers will have to collaborate to find the right technology to protect individuals, businesses and the financial community as a whole.
Does your business accept credit card payments? Need help with PCI compliance or an information security risk assessment? Contact Gina Pruitt, member-in-charge of KraftCPAs’ information systems assurance and consulting services.