Data Compromise and PCI Compliance

PCI Compliance After a Breach

Without delving into the technical details, what the Foregenix forensic team uncovered was one of the largest & most complex cases seen! What was surprising though is how little security these outlets had in the first place – we found that they were mostly single owner small businesses with no IT departments or no IT staff/skills – they were simply people who “flipped burgers & fried chicken”.

As seems to be the case more often than not, the hackers went for the “low hanging fruit” as they were open to attack. These outlets became the hacker’s next target and they harvested millions of cardholder data. Once the scale of the compromise and potential liabilities were revealed, the South African banks engaged Foregenix for assistance – we immediately rolled out our Serengeti solution across the "potentially" affected stores/outlets to quickly identify indicators of compromise and to contain the breach.

Once each of the compromised outlets had been identified, they were each required to validate their PCI DSS compliance as a Level 1 organisation regardless of their transaction level. Typically the PCI level to which an entity is validated is determined based upon the number of transactions annually.

Following a breach, once the organisation has achieved compliance as a Level 1 entity, the risk is deemed to have been significantly reduced - and as long as this is maintained, it is very likely the banks and card schemes will allow the business to revert to their normal level for annual PCI DSS compliance validation.

Foregenix Store Shield

Foregenix developed a solution called Store Shield, comprising of a number of packaged security technologies, to cost-effectively assist the merchants to achieve Level 1 compliance. Store Shield manages the many Level 1 requirements by “baking in” security to the merchant’s daily operations allowing the merchant to focus on their day-to-day business. As many of these businesses had little-to-no IT support, let alone data security specialists, a simple, yet effective solution was required. Foregenix developed this solution to remove the complexity of PCI Compliance allowing the merchant to integrate best practice security policies as part of business as usual.

The Store Shield solution provides remote management and monitoring of the essential toolset required to maintain ongoing PCI DSS compliance. Some of its key capabilities are as follows:

• Firewall + IPS
• Connectivity = ADSL or IPSEC over ADSL or MPLS
• In Store Wireless
• PCI SAQ
• PCI ASV External Scans
• Serengeti - Cybercrime detection and prevention solution
• SIEM - Security Information and Event Monitoring
• FIM - File Integrity Monitoring
• FScout cardholder data discovery and monitoring.

Foregenix went to the market with Store Shield, firstly educating the affected merchants/outlets & banks on PCI Compliance and demonstrating to them the benefit of implementing Store Shield. Initially we found the uptake to be very slow, the merchants/outlets pushed back stating that they had never had to pay for PCI compliance so why should they have to now.

"Payment Systems Should Be Secure"

Many a conversation has been had where the merchants state “it should be the banks responsibility and they should bear the cost”.

In essence becoming PCI compliant became a point of friction between the merchant and their bank – PCI became a “grudge purchase” making the conversation more about the cost rather than the benefit. However, a few months down the line, the situation is rapidly progressing with the merchant community who have begun to understand the importance of protecting the cardholder data. Of course the conversations still come around regarding the fact that they should be buying a secure solution to accept payments rather than having to invest in additional security around their payment systems – a conversation that is had with regularity with clients and partners in Europe and the Americas.  

And to a degree the merchants have a point. When your bank offers you the ability to accept cardholder data, it should be a secure solution. Shouldn’t it?

Payment Security Evolution

Until we see the mass adoption of PCI P2PE or tokenisation solutions (such as Apple Pay), retailers are going to have to accept that the systems that handle their transaction data still need protecting. Until that point, solutions like Store Shield have a very important place in protecting retailers/restaurants/hotel payment systems. After all, no business wants to go through the disruption, cost and PR nightmare that comes with having your customer data stolen.