Author: Jason Rebholz
A “Black Friday Steal” doesn’t have to mean the theft of credit card data from your retail company. Every year, retailers look forward to Black Friday and Cyber Monday as an opportunity to increase sales and, for some, meet their annual goals. Unfortunately, cyber criminals see the same opportunity. The increase in sales typically means an increase in card holder transactions. This provides cyber criminals an opportunity to harvest more card data in a short amount of time. Retailers, and other companies that process payment card information, can take the following steps to increase the security posture of their PCI environment and help mitigate these increased risks.
Remove Clear-Text Card Holder Data from the Environment
Point-to-Point Encryption (P2PE)
The push to implement P2PE has grown massively in popularity following large data breaches that plagued the retail industry in recent years. The popularity comes with a great reason – P2PE transfers the risk of processing card holder data to the 3rd party who manages the solution. The merchant is focused on securing the point of interaction (where the card is swiped). The reduction in scope is a result of an encrypted channel between the device that swipes the card and the P2PE solution provider. In the event a threat actor gains access to the PCI environment they be unable to extract card holder data from the devices since the transaction is encrypted.
Tokenization has grown in popularity alongside P2PE. Merchants have often stored card holder data for various business purposes. This increases risk to the organization, as storing card holder data requires additional security measures to minimize risk to the data. The benefit of tokenization is that merchants can store a token instead of card holder data. This additional step helps remove card holder data from the environment, further reducing the risk to the merchant.
Segment the PCI environment
The flow of credit card data in the environment dictates what is considered the PCI environment. A common fatal flaw is that organizations do not completely segment their PCI environment from the rest of the corporate environment. The result is an open network that is harder to protect. To better segment the environment, organizations should consider the following:
- Implement a jump box for access into the PCI environment - access to the jump box should require multi-factor authentication.
- White-list outbound Internet traffic - the only outbound communication should be to approved destinations and ports.
- Implement a stand-alone infrastructure – this helps reduce communication dependencies between the PCI environment and the rest of the corporate environment.
Secure Remote Access into the Environment
Threat actors that target retailers will commonly gain access into the corporate environment as an initial foothold. A growing method of initial compromise is the theft of vendor remote access credentials that do not require multi-factor authentication. Organizations should ensure that all remote access, for all users, requires multi-factor authentication.
Application White-Listing on Critical Systems
Organizations should identify critical systems in the PCI environment. These will commonly be systems that are involved in the flow of card holder data. These critical systems should have application white-listing installed to help mitigate the execution of unapproved applications.
Enhance Credential Management for Privileged Accounts
Targeted threat actors routinely harvest credentials for privileged accounts. The primary goal of this is to leverage the privileged accounts to further their mission of moving through the environment and harvesting card holder data. Organizations should consider the following to manage privileged accounts:
- Remove administrative privileges from normal user accounts – this can help mitigate attacks early on as threat actors attempt to elevate privileges.
- Implement a password vault – credentials for privileged accounts should be stored in a password vault and “checked out” as needed. This allows passwords to be routinely changed and provides an audit trail for access to privileged accounts. To take it further, organizations should require multi-factor authentication to access the password vault.