Data security: How to send hackers packing

In December 2006, TJX – the company that owns the retailers TJMaxx and Marshalls in the US, and Winners and HomeSense in Canada – found suspicious software on its computer systems. Three months later, TJX admitted that a computer security breach had occurred and that more than 45 million of its shoppers’ credit cards had been compromised.

The crew of hackers responsible was eventually caught. Still, an eight-month investigation by the Canadian government – TJX owns stores in Canada, so Canadian credit card information had also been affected – faulted TJX for failing to upgrade its wireless encryption system for more than a year, which allowed the hackers to break into its network, and said the retailer also needlessly retained customer data such as credit card numbers, driver’s license numbers and other personal information for years after it should have been purged.

The episode was a public relations black eye for the 2500-store retailer, which also faced heavy fines – and lawsuits. TJX, however, has certainly not been the only organization hurt by hacking, and it won’t be the last. The breach did, however, expose a very real challenge for credit card companies as well as financial institutions, healthcare providers and retailers – both those with an online presence and those with traditional bricks-and-mortar locations. Namely, how do organizations that collect or transmit customer and cardholder data ensure that data is not hacked and stolen? While there is no such thing as 100% security, there are many precautions and security measures that an organization can take to minimize the risk of breaches and deter the threat.

The Payment Card Industry Data Security Standards Council (PCI DSSC) is a governing body formed in 2004 when the individual security standards of North America’s major credit card companies were aligned and released as the Payment Card Industry Data Security Standard (PCI DSS). Today, compliance with the PCI DSS is vital for all credible merchants who accept debit, credit, prepaid, e-purse, ATM and POS cards – from the world’s largest corporations to small internet stores – and a significant step in keeping hackers at bay.

PCI DSS outlines 12 requirements for compliance with the standard, some of which depend on the size of the business:

  1. Build and maintain a secure network
    • Install and maintain a firewall configuration to protect cardholder data
    • Do not use vendor-supplied defaults for system passwords and other security parameters
  2. Protect cardholder data
    • Protect stored data
    • Encrypt transmission of cardholder data across open, public networks
  3. Maintain a vulnerability management program
    • Use and regularly update anti-virus software on all systems commonly affected by malware
    • Develop and maintain secure systems and applications
  4. Implement strong access control measures
    • Restrict access to cardholder data by business need-to-know
    • Assign a unique ID to each person with computer access
    • Restrict physical access to cardholder data
  5. Regularly monitor and test networks
    • Track and monitor all access to network resources and cardholder data
    • Regularly test security systems and processes
  6. Maintain a policy that addresses information security

Why comply with PCI standards? While no system or standard will make any enterprise completely safe from hacking, PCI DSS does provide a baseline for security and is a step toward making all businesses pay more attention to IT security.

And though implementing the PCI DSS requirements can be costly, most organizations recognize that the alternative – in terms of fraud, loss in consumer confidence, reputation and sales, and risk of lawsuits, insurance claims and government fines – is hardly an alternative at all.

While PCI DSS is specific to the payment card and retail industry, many of its security controls can be used by organizations in any industry and applied to any network.

You can learn more about PCI standards on the PCI Security Standards Council’s website. And you can breathe easier knowing what could be lurking in your website after you check out our blog post on assessing your web security.

About Rakesh Pitroda

Rakesh has more than 15 years in the network and security industry, having worked for enterprises in the healthcare, manufacturing, education and consulting industries.