The number of reported data security breaches continues to increase while becoming more diverse and sophisticated.
The three basic types of data security breaches that can lead to a data compromise are described below: physical breaches, electronic breaches and skimming.
A physical breach involves the physical theft of documents or equipment containing cardholder account data, such as cardholder receipts, files, PCs and Point-of-Sale terminals.
Follow these steps to help protect your business from a physical breach:
Track technology inventory
- Keep track of what you own and who has possession of the physical technology:
  - Laptop and desktop computers
  - Any other technology that may contain cardholder data, such as Point-of-Sale equipment (stand-alone dial-up terminals)
  - Any other physical asset that may contain cardholder data, such as hardcopy faxes and credit card receipts
- Once you have recorded the technology your organization owns and who has possession of it, secure it:
  - Engrave or affix asset tags to laptops and any Point-of-Sale equipment used to process credit cards.
  - Lock desktops to desks.
  - Institute a policy requiring laptops to be locked away at the end of the business day.
  - Ensure your computer server/data center is in a locked room.
  - Use lock boxes, safes or locking file cabinets to store sensitive hardcopy documents, especially credit card receipts.
- Monitor and restrict physical access where your technology is stored and used to process cardholder data:
  - Computer rooms with servers involved in the credit card acceptance chain
  - Credit card receipt storage rooms
  - Mail order processing areas
- Monitor employees who use Point-of-Sale terminals and convey clearly defined restrictions to them.
- Install cameras at computer room entrances and exits as well as check-out lanes where Point-of-Sale terminals are positioned. Define procedures to monitor the cameras and keep recorded footage for at least three months.
- Require ID badges for access to sensitive data centers.
- Maintain a log of visitors to sensitive facility areas (video recordings of who accessed these areas can help determine cause and liability in a data security incident).
- The PCI DSS requires organizations to educate employees about security policies and practices, which could include:
  - Defined procedures and restrictions on access and usage of technology involved in the processing of credit cards
  - Encryption used during transmission of cardholder data across open public networks
  - Destruction of media containing cardholder or sensitive data
  - Restricted versus non-restricted areas
  - Distinguishing visitors from employees
  - Ensuring all credit card transactions processed through Point-of-Sale devices are settled and purged from the device on a daily basis
- Terminal type
- Payment application
- PIN-pad device, if applicable
- As much information as you have about the caller, such as the caller’s name and telephone number
An electronic breach is unauthorized access to, or a deliberate attack on, a system or network environment (at a business or its third-party processor) where cardholder data is processed, stored or transmitted. It is often the result of gaining access to a system's vulnerabilities through application-level attacks via Web servers or Web sites.
Examples of system vulnerabilities:
- Unsecured remote access – both vendor and employee; remote access should only be available on demand
- Insecure network configurations – poorly configured or missing firewalls and poor monitoring of access
- Lack of proper password management – using weak passwords that are easily guessed by hackers, or vendor default passwords
- Improper storage of allowed cardholder data and storage of prohibited cardholder data (full track data and CVV2/CVS)
- Encryption mismanagement or lack of encryption when transmitting cardholder data
- Lack of, or expired, anti-virus, anti-spyware and anti-malware software
- Lack of proper access restrictions to cardholder data systems
Malware that captures card data in transit:
- Full magnetic stripe credit/debit card data is read and recorded in transit during the authorization process
- Credit/debit card data does not have to be stored within the merchant's system
- Utilizes a variety of legitimate Windows® file names
- Difficult to detect by virus security detectors
- Can be removed at any time by the fraudster
SQL injection:
- Malicious code is inserted into user-input variables that are connected to or paired with SQL commands and executed
- SQL injections assist hackers in infiltrating a company's website and ultimately its core processing network, where no sensitive data exists; they then navigate to systems where the card data is stored or transmitted
- Simple programs can be written in a couple of days; sophisticated ones take longer
Keystroke logging:
- Captures and records everything the user is doing: keystrokes, mouse clicks, sites visited, even files that are opened without data being typed
- Difficult to detect by virus security detectors
Memory dumping and parsing:
- The memory dumping malware continuously copies payment process memory to an output file
- The memory parsing malware then schedules memory dumps and parses the output file for full track data
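As an added illustration of the SQL injection item above (example code written for this page, not from the original page or any product it describes): a Python/sqlite3 customer lookup built by string concatenation, beside the parameterized form, run against a constructed in-memory table. An input that carries a quote character changes the query text in the first case and is treated as a plain value in the second.

```python
import sqlite3


def build_db():
    """Constructed in-memory customer table with sample rows (not real cardholder data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers (email, last4) VALUES (?, ?)",
        [("alice@example.com", "1111"), ("bob@example.com", "2222")],
    )
    return conn


def lookup_vulnerable(conn, email):
    """User input is pasted straight into the SQL text, so the input becomes part of the command."""
    sql = "SELECT email, last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, email):
    """Parameterized query: the driver binds the value separately; the SQL text never changes."""
    sql = "SELECT email, last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def compare(email):
    """Run both lookups on the same input and return (vulnerable_rows, hardened_rows)."""
    conn = build_db()
    try:
        return lookup_vulnerable(conn, email), lookup_hardened(conn, email)
    finally:
        conn.close()


if __name__ == "__main__":
    # A well-formed address: both forms return the one matching row.
    print(compare("alice@example.com"))
    # An input carrying a quote: the concatenated form now matches every row,
    # while the parameterized form simply finds no customer with that literal address.
    print(compare("x' OR 'a'='a"))
```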
Follow these steps to help protect your business from an electronic breach:
- Never store prohibited cardholder data such as track data or card security codes on payment applications or in credit card processing environments.
- Use only secure Web and database servers. Ensure that all systems, including Web and database servers, are routinely updated with the current vendor security patches.
- Utilize strong, up-to-date anti-virus, anti-spyware and anti-malware software.
- Avoid "easy to guess" or system default passwords. Utilize strong administrative password management software so only authorized persons can access them.
- Validate your payment applications' compliance with the Payment Application Data Security Standard (PA-DSS) or undergo a Payment Card Industry Data Security Standard (PCI DSS) code review.
- Segment system and network environments where cardholder data is processed, stored or transmitted away from public networks such as the Internet.
- Implement firewalls where necessary. Be sure that firewalls are properly configured to allow only the inbound and outbound traffic that is necessary for day-to-day business.
- Secure remote access applications and enable two-factor authentication as required by the PCI DSS. Remote access to systems should only be available on demand.
- Schedule network scans for vulnerabilities and take immediate action to remediate the weakness when a vulnerability is identified.
- Establish standard company procedures for systems log management, including:
  - Centralized logging
  - Daily review of logs
  - Protection of logs from unauthorized access
  - Keeping a history of logs for at least the length of time required by the PCI DSS
- Review and amend vendor contracts to include PCI DSS fundamental security practices. It is recommended that merchants only use third-party providers that understand and operate in compliance with the PCI DSS.
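One way to check the first step above, that no track data or card security codes have ended up in processing environments, is to scan logs and files for them. The Python scanner below is an added example (not the original page's or any vendor's code); it flags Track 2 data, security-code fields and Luhn-valid card numbers in a constructed POS log excerpt that uses publicly known test card numbers, and the Luhn check screens out ordinary order numbers that merely look like card numbers.

```python
import re

# Constructed POS log excerpt using publicly known test card numbers, not real cardholder data.
SAMPLE_LOG = """\
2024-03-01 10:02:11 POS01 auth ok ref=88213 last4=1111
2024-03-01 10:02:12 POS01 DEBUG track2=;4111111111111111=25121011234567890?
2024-03-01 10:03:40 POS02 auth ok ref=88214 pan=5500000000000004 cvv2=123
2024-03-01 10:04:02 POS02 order 1234567890123456 shipped
"""

# Track 2 layout: ';' PAN '=' expiry (YYMM) service code (3 digits) discretionary data '?'
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")
# Any 13-19 digit run that is not part of a longer digit run; confirmed with Luhn below
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# A card security code written next to a recognisable field name
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits):
    """Luhn check-digit test; screens out most numeric strings that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_line(line):
    """Return the kinds of prohibited or sensitive data found on one log line."""
    findings = []
    if TRACK2_RE.search(line):
        findings.append("track2")
    if CVV_RE.search(line):
        findings.append("security_code")
    if any(luhn_ok(pan) for pan in PAN_RE.findall(line)):
        findings.append("pan")
    return findings


def scan_text(text):
    """Map 1-based line numbers to their findings, skipping clean lines."""
    results = {}
    for number, line in enumerate(text.splitlines(), 1):
        hits = scan_line(line)
        if hits:
            results[number] = hits
    return results


if __name__ == "__main__":
    for number, hits in scan_text(SAMPLE_LOG).items():
        print(f"line {number}: {', '.join(hits)}")
```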
Skimming involves the capture and recording of card magnetic stripe data using an external device, which is sometimes installed on a merchant's Point-of-Sale (POS) system. Skimming can also involve a dishonest employee using an external device to collect the card magnetic stripe data. The data is then used to create counterfeit credit and debit cards.
- Restaurants and bars are common scenes for skimming because the perpetrator has physical possession of the victim’s credit card. In this situation, the perpetrator often uses a device so small it can fit in the palm of your hand to read and store data encoded in the magnetic stripe on the back of the victim’s credit card. The perpetrator may also use a small keypad device to record the three or four-digit security code printed in the signature box.
- Skimming can also involve PIN-debit transactions. In some cases, the perpetrator places a device over the card slot on an ATM to read the magnetic stripe as cardholders pass their cards through it. These devices are often used in conjunction with pinhole cameras to record the cardholder’s unique personal identification number (PIN).
- Skimming may involve tampering with vulnerable Point-of-Sale terminals and PIN-pad equipment. Typically, a perpetrator inserts a device into the terminal or PIN-pad at the merchant location, then uses it to collect credit card and PIN data.
- The petroleum industry experiences a high occurrence of skimming. Perpetrators take advantage of widespread pay-at-the-pump devices, often targeting high-volume locations to access the pump’s card reader technology without detection. In a matter of minutes, a skimmer attaches a device that records data encoded on the card’s magnetic stripe. Pinhole cameras are sometimes used to record the cardholder’s PIN while the device is capturing card data.
Follow these steps to help protect your business from skimming:
- Closely monitor the handling of cards when employees have frequent physical possession of credit cards out of view of the cardholder.
- Closely monitor activity on Point-of-Sale terminals and PIN-pad devices.
- Regularly check equipment for attached skimming devices or evidence of tampering.
- Ensure you are not using a known vulnerable Point-of-Sale terminal or PIN-pad device by contacting your credit card processing service provider.
- Petroleum businesses should have procedures to monitor activity at outdoor Point-of-Sale pumps. This must include opening devices regularly to check for tampering or installed skimming devices.
If you experience a data security breach, or even suspect one, immediately contact your account manager or call: