by Kristyan Mjolsnes
May 15, 2013 12:30PM
Data breaches within the retail industry are on the rise. The latest victim is the MAPCO convenience store chain which had customer credit and debit card information stolen. It is reported that cybercriminals used malware to gain access to the payment processing system and collect cardholder data.
MAPCO announced the breach last week and said it occurred between March 19-25, April 14-15, and April 20-21, 2013. The data breach affected MAPCO Express®, MAPCO Mart®, East Coast®, Discount Food Mart™, Fast Food and Fuel™, Delta Express® and Favorite Markets® stores in Alabama, Arkansas, Georgia, Kentucky, Mississippi, Tennessee and Virginia. MAPCO’s breach is yet another example of the growing risk within the retail industry.
According to the 2013 Trustwave Global Security Report, the retail industry made its way back to the top of the breached list, with 45% of all data breach investigations in 2012 coming from that segment. Compare that to just the year before, when only 33.7% of all investigations involved retail businesses. The 15% spike in breaches only confirms that retail merchants are failing to take the proper steps to protect data and secure their networks.
The food and beverage industry spent 2009 to 2011 at the top of that list. However, this year it made up a smaller, yet still substantial, 24% of investigations. One can only assume that after three years of focus on that industry, food and beverage merchants have begun to take a proactive approach and combat cybercriminals with proper network security. It’s an approach that appears to have paid off.
SecureConnect has focused much of its attention on this segment and has seen first-hand over the last few years how merchants have become more familiar with PCI compliance and have come to understand the risks of not addressing network security.
by Kristyan Mjolsnes
May 10, 2013 4:20PM
The PCI SSC is determined to make certain all merchants are educated on the importance of credit card security, and its series of short, entertaining videos may just be the trick. In previous blogs we highlighted their videos which introduced PCI compliance and discussed password protection. The third PCI SSC video in the series covers three security best practices regarding card readers.
The three best practices involve:
Check out this third video in the PCI SSC’s Protecting Cardholder Data Is Good For Your Business video series:
by Dave Gavic
April 25, 2013 10:00AM
Regularly Monitor and Test Networks
Requirement 11 of the PCI DSS: Regularly test security systems and processes
Requirement 11 is one of the more technical requirements of the PCI DSS; it focuses on testing the Cardholder Data Environment (CDE) for vulnerabilities. Some of the steps in this requirement cannot be completed by the merchant without outside assistance.
To help you to better understand this requirement, I am going to first explain Requirement 11.2.2, which reads:
An Approved Scanning Vendor (ASV) is an organization approved by the PCI SSC which performs vulnerability scans on merchants’ CDEs. External vulnerability scanning is a specific test that looks for weaknesses in a network’s perimeter that can be exposed or exploited by malicious individuals looking to gain unauthorized access into the network. The PCI SSC has a specific list of rules and guidelines that an ASV must comply with in order to be certified by the PCI SSC to perform external vulnerability scanning for merchants in the pursuit of PCI compliance. Currently the PCI SSC has a list of over 130 certified Approved Scanning Vendors that can be found at the PCI SSC’s website. Having these external vulnerability scans run each quarter is only the beginning of what a merchant will need to do to meet requirement 11.
Now that you understand what external vulnerability scanning is, let’s go back to Requirement 11.2.1, which covers internal vulnerability scanning.
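The quarterly cadence described above (internal scans under 11.2.1, external ASV scans under 11.2.2) is the kind of thing a merchant should be able to check from its own scan history. The following is an added example, not code from the original post or from SecureConnect; it assumes scan results are available as simple records (date, scope, pass/fail) and uses calendar quarters. A failed scan does not satisfy the quarter, since the requirement is a passing scan, so a failure must be remediated and re-scanned within the same quarter.

```python
"""Quarterly scan-cadence check for PCI DSS Requirement 11.2 (added example).

Assumptions (not from the original post): each scan is a record with a date,
a scope ("external" for ASV scans, "internal" for internal scans) and a
pass/fail flag; quarters are calendar quarters.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ScanRecord:
    scan_date: date
    scope: str      # "external" (ASV, 11.2.2) or "internal" (11.2.1)
    passed: bool


def quarter_of(d: date) -> tuple[int, int]:
    """Return (year, quarter) for a date, using calendar quarters."""
    return d.year, (d.month - 1) // 3 + 1


def cadence_gaps(records, year, scope):
    """Return the quarters of `year` with no *passing* scan of `scope`.

    Only passing scans count: a failed scan that was never re-run leaves
    that quarter unsatisfied.
    """
    satisfied = {quarter_of(r.scan_date) for r in records
                 if r.scope == scope and r.passed}
    return [(year, q) for q in (1, 2, 3, 4) if (year, q) not in satisfied]


def requirement_11_2_status(records, year):
    """Summarise 11.2.1 (internal) and 11.2.2 (external/ASV) cadence gaps."""
    return {
        "internal_missing_quarters": cadence_gaps(records, year, "internal"),
        "external_missing_quarters": cadence_gaps(records, year, "external"),
    }


# Constructed sample data: the Q2 external ASV scan failed and was never
# re-run, and no internal scan ran at all in Q4.
SAMPLE = [
    ScanRecord(date(2013, 1, 20), "external", True),
    ScanRecord(date(2013, 1, 22), "internal", True),
    ScanRecord(date(2013, 4, 18), "external", False),
    ScanRecord(date(2013, 4, 19), "internal", True),
    ScanRecord(date(2013, 7, 9), "external", True),
    ScanRecord(date(2013, 7, 10), "internal", True),
    ScanRecord(date(2013, 10, 3), "external", True),
]

if __name__ == "__main__":
    print(requirement_11_2_status(SAMPLE, 2013))
```

For the constructed sample this reports Q2 as missing a passing external scan and Q4 as missing an internal scan, which is exactly the gap an assessor would flag.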
by Kristyan Mjolsnes
April 4, 2013 2:00PM
To help get more insight on breach protection insurance, we spoke with Robert Halsey, the president of an insurance brokerage firm, to get his take on the current situation of the data breach insurance market. Below is what he had to say.
1. What is the demographic of those using data breach protection coverage?
2. Can you give any reasoning for these trends?
3. How would you describe the current market conditions for data breach protection insurance?
4. Can you explain what contractual liability coverage is and how it relates to data breach insurance coverage?
by Kristyan Mjolsnes
March 26, 2013 9:00AM
In an earlier blog, we told you about how the PCI Security Standards Council (SSC) released a series of short training videos that make learning about PCI compliance just a little more entertaining. The second video in the series focuses on passwords and why implementing a strong password is important. The creative geniuses at the PCI SSC made this video especially entertaining by comparing an easy-to-remember password (1234) to a beautiful woman.
Check out their second video for yourself, Password Protection.