The Green Sheet Online Edition

October 26, 2015  •  Issue 15:10:02


PCI SSC delivers data breach guidance

The PCI Security Standards Council, in collaboration with a team of PCI Forensic Investigators (PFIs), released guidelines to help organizations implement breach response plans. The document, Responding to a Data Breach: A How-to Guide for Incident Management, was unveiled during the PCI SSC-hosted North America Community Meeting in Canada. Additional data security awareness meetings were slated for Japan and France.

According to the PCI SSC, the average cost of a data breach to merchants is now $3.8 million per incident, all costs combined. Reflecting on the global state of data security awareness, PCI SSC International Director Jeremy King noted that in the United Kingdom, the government closely monitors data breach incident levels through an annual business survey that tracks all types of data breached.

"This isn't just financial, this is any data breach," King said. "They found that in the last two surveys over 90 percent of organizations had a data breach of some form or other." Given that in over 95 percent of data breach incidents an external party was the first to alert the compromised organization that a breach had occurred, he said, data security guidance has reached a time-critical point.

Basic security still an issue

But the council is optimistic that will change. "The silver lining to high-profile breaches that have occurred is that there is a new sense of urgency that is translating into security vigilance from the top down, forcing businesses to prioritize and make data security business as usual," said Stephen Orfei, General Manager of the PCI SSC. "Prevention, detection and responses are always going to be the three legs of data protection."

Unfortunately, a significant number of merchants believe a breach won't happen to them. Many in this category are most vulnerable to attack, since basic security measures, including an incident response plan, are not being implemented.

"Each year Verizon and Trustwave publish separate data breach reports," King said. "Consistently, they have found over the years that organizations that are breached have not been PCI compliant, but it's not that they were a little bit not compliant, they were massively not compliant. There are some huge holes there. There are simple things they are still not getting right."

For example, he noted that lack of good password security remains a problem, as does clicking on phishing emails that allow malware to be downloaded. Cybercriminals continue to use basic attack methodologies because unprotected business environments are not difficult to find, he said, and the lack of employee training and response strategies compounds matters.

Incident response plan needed

However, for small merchants, cost can be an issue. "In Europe, some of the card brands offer a limited breach response service, because they know that small merchants can't afford full forensics investigation breach support, so it becomes a relationship between the acquirer, the merchant and the brand to try and resolve this," King said. "If you're a small merchant working in the e-commerce space, you've really got to do this properly."

He said that with a good incident response plan, merchants know exactly what to do, how to respond and who to notify. If a breach should occur outside of business hours, key personnel understand the chain of command and what factors determine whether to open for business the next day. Businesses are advised to establish relationships with forensics investigators beforehand to reduce response time and prevent errors in the aftermath should a breach occur.

An incident response plan should also include instructions on how to limit data exposure and preserve evidence, which may require isolating a system rather than turning it off completely. In addition to a PFI contact, the plan should list current business partners, including payment card brands, acquirers and other entities requiring notification. The PCI SSC recommends that specific provisions be written into contracts with third parties on how evidence will be accessed and reviewed in the event of a data breach.

For more information on PFIs and a list of PCI-certified PFI professionals, visit www.pcisecuritystandards.org.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
