Data breaches within the retail industry are on the rise. The latest victim is the MAPCO convenience store chain which had customer credit and debit card information stolen. It is reported that cybercriminals used malware to gain access to the payment processing system and collect cardholder data.
MAPCO announced the breach last week and said it occurred between March 19-25, April 14-15, and April 20-21, 2013. The data breach affected MAPCO Express®, MAPCO Mart®, East Coast®, Discount Food Mart™, Fast Food and Fuel™, Delta Express® and Favorite Markets® stores in Alabama, Arkansas, Georgia, Kentucky, Mississippi, Tennessee and Virginia. MAPCO’s breach is yet another example of the growing risk within the retail industry.
According to the 2013 Trustwave Global Security Report, the retail industry made its way back to the top of the breached list with 45% of all data breach investigations in 2012 being from that segment. Compare that to just the year before where only 33.7% of all investigations were retail businesses. The 15% spike in breaches only confirms the fact that retail merchants are failing to take the proper steps to protect data and secure their networks.
The food and beverage industry spent 2009 to 2011 at the top of that list. However, this year it made up a smaller, yet still substantial, 24% of investigations. One can only assume that after three years of focus on that industry, food and beverage merchants have begun to take a proactive approach and combat cybercriminals with proper network security. It’s an approach that appears to have paid off.
At SecureConnect we have focused much of our attention on this segment and have seen first-hand over the last few years how merchants have become more familiar with PCI compliance and now understand the risks of not addressing network security.
The PCI SSC is determined to make certain all merchants are educated on the importance of credit card security and their series of short, entertaining videos may just be the trick. In previous blogs we highlighted their videos which introduced PCI compliance and discussed password protection. The third PCI SSC video in the series is on three security best practices in regards to card readers.
The three best practices involve:
The location of a card reader
Examining the card reader and connecting cords
Access to the card reader
Check out this third video in the PCI SSC’s Protecting Cardholder Data Is Good For Your Business video series:
Requirement 11 of the PCI DSS: Regularly test security systems and processes
Requirement 11 is one of the more technical requirements of the PCI DSS; it focuses on testing the Cardholder Data Environment (CDE) for vulnerabilities. Some of the steps in this requirement cannot be completed by the merchant without outside assistance.
To help you better understand this requirement, I will first explain Requirement 11.2.2, which reads:
Perform quarterly external vulnerability scans via an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC).
An Approved Scanning Vendor (ASV) is an organization approved by the PCI SSC which performs vulnerability scans on merchants’ CDEs. External vulnerability scanning is a specific test that looks for weaknesses in a network’s perimeter that can be exposed or exploited by malicious individuals looking to gain unauthorized access into the network. The PCI SSC has a specific list of rules and guidelines that an ASV must comply with in order to be certified by the PCI SSC to perform external vulnerability scanning for merchants in the pursuit of PCI compliance. Currently the PCI SSC has a list of over 130 certified Approved Scanning Vendors that can be found at the PCI SSC’s website. Having these external vulnerability scans run each quarter is only the beginning of what a merchant will need to do to meet requirement 11.
Now that you understand what external vulnerability scanning is, let’s go back to Requirement 11.2.1, which covers internal vulnerability scanning.
To help get more insight on breach protection insurance, we spoke with Robert Halsey, the president of an insurance brokerage firm, to get his take on the current situation of the data breach insurance market. Below is what he had to say.
1. What is the demographic of those using data breach protection coverage?
Merchants of all types and sizes are protected in breach protection programs. Initially, the larger merchants and the online merchants led the way but now there are a large number of traditional level 4 brick-and-mortar merchants protected.
2. Can you give any reasoning for these trends?
Anecdotally, we believe that the awareness campaigns of the acquirers and also reports from the media have driven the trend of participation in breach protection programs for traditional level 4 merchants.
3. How would you describe the current market conditions for data breach protection insurance?
The number of merchants protected by breach protection programs has grown significantly over the past 6 years from the tens of thousands in 2007 to 2 to 3 million just in the USA in 2013. The increase in the number of protection programs has been driven largely by the greater awareness of acquirers and merchants of the threats that exist from cyber and traditional criminals and the difficulty in creating a completely secure network or completely fail safe business processes.
4. Can you explain what contractual liability coverage is and how it relates to data breach insurance coverage?
Contractual liability occurs when a merchant signs its merchant agreement and agrees to be responsible for losses to the party the merchant has contracted with to process transactions. This liability is imposed on the merchant and it does not require a judgment of a court to be imposed, as the merchant has agreed to be responsible. Breach protection programs and many privacy violation policies (if the policy has been endorsed for contractual liability) protect the merchant from these expenses. Most commercial liability policies specifically exclude contractual liability losses, so these programs and policies fill that gap in protection.
In an earlier blog, we told you how the PCI Security Standards Council (SSC) released a series of short training videos that make learning about PCI compliance just a little more entertaining. The second video in their series focuses on passwords and why implementing a strong password is important. The creative geniuses at the PCI SSC made this video especially entertaining by comparing an easy-to-remember password (1234) to a beautiful woman.
Check out their second video for yourself, Password Protection.