A detailed analysis of the security standard's goals and requirements, with examples of companies that failed to comply, emphasising which part of the security standards they violated and the fines that resulted from their non-compliance.
A Case Study on Payment Card Industry Data Security Standards
Case Study: Payment Card Industry Data Security Standards (PCI-DSS)
Written by: Badejo, Victor Oluwajuwon
11th March, 2016
Abstract
The Payment Card Industry published the Data Security Standard (PCI DSS) 11 years ago to provide a minimum set of required security controls to protect cardholder data. However, criminals are still breaching companies and getting access to cardholder data as a result of non-compliance with these security standards.
This case study gives a detailed analysis of the security standard's goals and requirements. It also presents examples of companies that failed to comply with the standard, with emphasis on which part of the security standards they violated and the fines that resulted from their non-compliance. It concludes by analyzing why some companies are compliant but not secure and proposes changes companies should adopt to avoid a security breach and still remain PCI DSS compliant.
Key Terms
Firewall, malware, Qualified Security Assessor, SQL Injection, CVV security code, FTP server, RAM scraper, POS terminal, class action lawsuit.
1. Introduction
1.1 PCI Security Standards Council and PCI DSS
The PCI Security Standards Council is a global organization that maintains and promotes Payment Card Industry standards for the safety of cardholder data across the globe. The council was founded in 2006 by American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. (PCI Security Standards Council, 2016). Companies accepting payment card transactions from any of these payment brands have to comply with PCI DSS requirements. The Payment Card Industry Security Standards Council (PCI SSC) published the Data Security Standard (DSS) to provide a minimum set of required security controls to protect cardholder data (Moldes, 2015).
The council has two major priorities:
• Helping merchants and financial institutions understand and implement standards for security policies, technologies and ongoing processes that protect their payment systems from breaches and theft of cardholder data
• Helping vendors understand and implement standards for creating secure payment solutions.
(PCI Security Standards Council, 2016)
1.2 Goals and PCI DSS Requirements
PCI DSS requires documentation to be developed and maintained, preventive and detective security controls to be implemented, and processes to be in place in order to identify and contain any security breach attempts as soon as possible. The PCI DSS goals and requirements are listed in the table below:

GOALS                                        PCI DSS REQUIREMENTS
Build and Maintain a Secure Network          1. Install and maintain a firewall configuration to protect cardholder data
                                             2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data                      3. Protect stored cardholder data
                                             4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program  5. Use and regularly update anti-virus software or programs
                                             6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures     7. Restrict access to cardholder data by business need-to-know
                                             8. Assign a unique ID to each person with computer access
                                             9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks          10. Track and monitor all access to network resources and cardholder data
                                             11. Regularly test security systems and processes
Maintain an Information Security Policy      12. Maintain a policy that addresses information security for employees and contractors
(PCI Security Standards Council, 2016)
PCI DSS has evolved steadily over the years. Ever since the release of version 1.0, the council has made frequent changes to improve clarity and consistency. The latest version, 3.1, was released in April 2015, and will be retired 3 months after version 3.2 is released. As a result of these updates, companies have had to continuously validate their compliance with the standard. The standard was created to increase controls around cardholder data to reduce credit card fraud. According to PCI Security Standards (2008), "Validation of compliance is performed annually, either by an external Qualified Security Assessor (QSA) that creates a Report on Compliance (ROC) for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes".
It is therefore not enough for a company to achieve PCI DSS compliance and rely on it for a long period of time, as attackers are always ready to exploit new vulnerabilities. Constant audit and validation of compliance is therefore necessary to ensure effective security.
"Unlike security laws such as Gramm-Leach-Bliley, HIPAA and Sarbanes-Oxley, the PCI Standard and Security Program rules are not statutes or regulations enforced directly by the government. Rather, the PCI Standard and the Security Program rules are imposed and typically enforced contractually through the PCI Contract Chain" (Moldes, 2009). As a result, if a company wants to be able to accept payment cards, it must enter a contractual relationship with a payment processor and must therefore be PCI DSS compliant. Due to the many stages required to be compliant, some companies opt not to accept payment cards to transact their businesses.
2. Analysis
The evolving global nature of transacting business means that some companies would not survive if they refused to accept payment cards to transact business. Many companies have therefore embraced the PCI DSS goals and have striven to remain compliant. A closer look at two different companies that failed to comply with the standard will help in understanding the PCI DSS better. We look at the areas of the standard they violated, how it affected them adversely, and the fines that resulted from their non-compliance.
2.1 Heartland Payment Systems
In 2009, Heartland Payment Systems, a Fortune 1000 U.S.-based payment processing and technology provider, announced that it had been a victim of a confidentiality breach within its processing system in 2008. The data breach is said to have compromised tens of millions of credit and debit card transactions, making it one of the largest data breaches ever recorded. "The data stolen included the digital information encoded onto the magnetic stripe built into the backs of credit and debit cards; with that data, thieves can fashion counterfeit credit cards by imprinting the same stolen information onto fabricated cards" (Krebs, 2009).
2.1.1 PCI DSS Failure
Analysing the company shows that it failed to comply with the following PCI goals:
• Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
The compromise came through a SQL injection attack on the company's website. Albert Gonzalez, an American computer hacker and computer criminal who was the mastermind of the attack, used SQL injection to deploy backdoors on several corporate systems (Krebs, 2013). Although it was detected, it made its way through the company's firewall. The company clearly violated one of the PCI goals by not having a system secure enough to prevent the injection attack.
• Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
According to SecureWorks (2012), "Roughly six months later, in mid-May 2008, the malware made the leap from the corporate network to the payment processing network, but HPS didn't know that at the time". As stated earlier, the data stolen included information encoded on the magnetic stripe at the back of credit and debit cards. This data could then be transferred onto counterfeit cards by imprinting the stolen information on them. The company had stored cardholder data and failed to protect it. The company's encryption for the data at rest was not effective. This is made evident by the ability of the malware to retrieve cardholder data, which is clearly a violation of one of the PCI goals.
2.1.2 Fines
The company paid a heavy price. Heartland Payment Systems was delisted by Visa and MasterCard. Albert Gonzalez, who was indicted in August 2009, pleaded guilty to carrying out the attack and was sentenced to 20 years in jail. The company also suffered a $170 million loss. Although $20 million was covered by insurance, their net loss was $150 million (SecureWorks, 2012).
2.2 Target Corporation
On December 19, 2013, Minneapolis-based retail giant Target confirmed it was aware of unauthorized access to payment card data that impacted guests making credit and debit card purchases in its U.S. stores. The confidentiality breach, which occurred from November 27 to December 15, is one of the largest, high-profile attacks in recent years. Hackers made off with customer names and account data, including credit and debit card numbers, expiration dates, the three-digit CVV security code, and even PIN data for 40 million account holders (Krebs, Target Investigating Data Breach, 2013) (Perez, 2014).
Target CEO at the time, Gregg Steinhafel, confirmed that the attackers stole card data by installing malicious software on point-of-sale (POS) devices in the checkout lines at Target stores, using a technique that parses data stored briefly in the memory banks of specific POS devices. "The malware captures the data stored on the card's magnetic stripe in the instant after it has been swiped at the terminal and is still in the system's memory. Armed with this information, thieves can create cloned copies of the cards and use them to shop in stores for high-priced merchandise" (Krebs, 2014).
2.2.1 PCI DSS Failure
According to the report from the breach, it is clear Target didn't meet the following PCI DSS requirements at the time of the attack:
• Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Fig 1.0: Typical flow of cardholder data through a payment transaction (Moldes, Contracting for PCI DSS Compliance, 2009)
Fig 1.0 shows the typical flow of data from the point a customer swipes a card until he/she receives acknowledgement for a transaction. Target failed to protect cardholder data by not encrypting the transmission of cardholder data from the POS terminal and throughout the transaction process. When a purchase is made at the POS terminal, the cardholder data is stored temporarily in the live memory of the computer, where it appears in plaintext before being passed on to the back office server. This is clearly in violation of the goal that says "Encrypt transmission of cardholder data across open, public networks".
• Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
Further analysis revealed that the RAM scraper, or memory-parsing malware, that infected Target's checkout counters (POS) went undetected for 6 days. The malware started transmitting the stolen data to an external FTP server, using another infected machine within the Target network.
"These transmissions occurred several times a day over a 2 week period. The cyber criminals behind the attack used a virtual private server (VPS) located in Russia to download the stolen data from the FTP. They continued to download the data over 2 weeks for a total of 11 GBs of stolen sensitive customer information" (Jonathan, 2016).
This shows a failure of the company's ability to maintain a vulnerability management program.
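The exfiltration pattern described above (POS terminals writing card data over FTP through another machine on the network, then bulk transfers to an outside address) is the kind of thing network flow monitoring can surface. The following is an added example, not code from the paper or from Target: it runs two simple detections over constructed flow records, and the POS address range, the internal ranges and the byte threshold are assumptions.

```python
"""Detection logic for the exfiltration pattern the Target section describes:
POS hosts speaking FTP at all, and internal hosts pushing large volumes to
an external address. Added example; flow records and address ranges are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions: 10.10.0.0/16 is the POS segment; RFC 1918 ranges count as "internal".
POS_SEGMENT = ip_network("10.10.0.0/16")
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FTP_PORT = 21
EGRESS_THRESHOLD = 1_000_000  # bytes sent to one external host; tune per environment

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port, bytes_sent).
FLOWS = [
    ("2013-11-28T02:10", "10.10.4.21", "10.20.5.7", 21, 180_000),
    ("2013-11-28T09:42", "10.10.4.21", "10.20.5.7", 21, 220_000),
    ("2013-11-28T18:05", "10.10.4.33", "10.20.5.7", 21, 150_000),
    ("2013-11-28T10:00", "10.10.4.21", "10.20.1.2", 443, 4_000),        # normal authorisation traffic
    ("2013-11-28T23:15", "10.20.5.7", "203.0.113.45", 21, 11_000_000),  # staging host pushing data out
]

def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_alerts(flows):
    """Return alert strings: POS hosts using FTP, and internal hosts with large external egress."""
    pos_ftp = defaultdict(int)   # POS host -> number of FTP connections
    egress = defaultdict(int)    # (src, dst) -> bytes sent to an external address
    for _ts, src, dst, port, nbytes in flows:
        if ip_address(src) in POS_SEGMENT and port == FTP_PORT:
            pos_ftp[src] += 1  # a POS terminal has no business talking FTP
        if is_internal(src) and not is_internal(dst):
            egress[(src, dst)] += nbytes
    alerts = [f"POS host {h} opened {n} FTP connection(s)" for h, n in pos_ftp.items()]
    alerts += [f"{s} sent {b} bytes to external host {d}"
               for (s, d), b in egress.items() if b >= EGRESS_THRESHOLD]
    return alerts

if __name__ == "__main__":
    for line in find_alerts(FLOWS):
        print("ALERT:", line)
```

Either rule alone would have fired on the constructed data; in practice the egress rule needs a baseline per host, since a legitimate file server may routinely send large volumes.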
2.2.2 Fines
Although Target did not lose authorization to process payment card transactions, non-compliance in terms of implementation exposed them to fines. Target agreed to pay $10 million to settle a class-action lawsuit brought as a result of the breach.
The proposed settlement would also require the Minneapolis-based Target Corp. to implement changes to its security policies within 10 business days of the settlement becoming effective.
Those changes would include requiring the company to:
i. Appoint a chief information security officer.
ii. Keep a written information security program, which will document potential security risks, and develop metrics to measure the security of its systems.
iii. Offer security training to "relevant" workers that educates them about the importance of safeguarding personal identifying information. (npr, 2015)
3. Conclusion
3.1 Interesting Discovery
A common scenario associated with the PCI DSS occurs when companies are breached and claim to have been compliant at the time of the hack. Both companies discussed above claimed to be PCI DSS compliant at the time of the attack. We look at some of the discoveries:
Two weeks prior to the date the payment system was compromised, Heartland Payment Systems was approved by their Qualified Security Assessor (QSA) as PCI compliant, according to SecureWorks (2012). This sparked a lot of debate due to the fact that many companies are believed to have spent billions of dollars implementing PCI requirements and billions more in mandatory third-party compliance assessments. This hasn't helped in preventing them from being attacked.
According to Vijayan (2014), the breach at Target Corporation highlighted weaknesses in PCI security standards. Although PCI mandates checking for malware, he stressed that none of the typical anti-malware products could find the Target malware. It is believed that nothing in the PCI standard could have helped Target detect and block the intrusion before it happened. He concluded by saying PCI doesn't mandate the next-generation anti-malware security that's starting to emerge.
"The biggest problem is the PCI standard doesn't require companies to encrypt data in motion. While the PCI DSS standard has requirements for encrypting data at rest, there is no such requirement for data in action during the entire transaction processing chain" (Vijayan, 2014).
3.2 Solution / Remediation
After extensive research, it has been concluded that although the PCI DSS standards are not perfect, the standard is still very much effective in ensuring protection of payment systems and protecting cardholder data. The suggestions below would definitely help reduce breaches associated with payment card systems:
i. New updates to the PCI DSS compliance goals should ensure that encryption of data is not only done during transmission. The new goal should indicate that encryption of data should be done at rest, as well as in motion. This would clarify the PCI DSS requirement which says "Encrypt transmission of cardholder data across open, public networks".
ii. The breaches point out PCI implementation failures rather than a lack of controls in the standard itself. The part of the PCI process that needs change is the Compliance Assessment Process. Implementation and vulnerability scanning should therefore be carried out properly by certified security assessors more frequently in order to reduce the number of attacks associated with payment systems.
While PCI SSC can improve the PCI DSS in future versions, as they have been doing with every release, ultimately cardholder data security, and not just compliance, is the responsibility of each organization.
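Both cases above involve stored cardholder data that the malware could read, and the first suggestion asks for protection at rest as well as in motion. The following is an added example, not the paper's or any vendor's code, of one back-office storage policy that applies PCI DSS requirement 3 as it is commonly implemented: sensitive authentication data (CVV, PIN, track data) is refused rather than written, the PAN is replaced by a keyed one-way token, and only a masked first-six/last-four form is kept for display. The record layout, the key and the 4111... test card number are constructed.

```python
"""Back-office handling of an authorised transaction so that what reaches the
database satisfies PCI DSS requirement 3: sensitive authentication data is
never stored, the PAN is replaced by a keyed token, and only a masked copy
(first six / last four digits) is kept. Added example; key, record layout and
card number are constructed."""
import hashlib
import hmac

TOKEN_KEY = b"constructed-example-key"  # in production: an HSM/KMS-managed key
SENSITIVE_AUTH_FIELDS = ("cvv", "pin", "track1", "track2")  # never stored after authorisation

def luhn_valid(pan: str) -> bool:
    """Reject malformed PANs before tokenising (Luhn mod-10 check)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep first six and last four digits; everything else becomes '*'."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def tokenize_pan(pan: str) -> str:
    """Keyed one-way token: lets the store match repeat cards without holding the PAN."""
    return hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()

def to_storable_record(txn: dict) -> dict:
    """Convert an authorised transaction into the only form allowed into the store."""
    present = [f for f in SENSITIVE_AUTH_FIELDS if txn.get(f)]
    if present:
        raise ValueError(f"refusing to store sensitive authentication data: {present}")
    pan = txn["pan"].replace(" ", "")
    if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
        raise ValueError("invalid PAN")
    return {
        "pan_token": tokenize_pan(pan),
        "pan_masked": mask_pan(pan),
        "expiry": txn["expiry"],
        "amount": txn["amount"],
    }
```

Note that this only narrows what is written to disk; the data-in-memory window at the POS terminal that the Target section describes is addressed by encrypting at the point of capture, not by anything in the back office.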
References
Jonathan Jaffe, K. J. (2016). 20131218-Target. Retrieved from http://nc3.mobi/references/2013-detail/
Krebs, B. (2009, January 20). Payment Processor Breach May Be Largest Ever. Retrieved from The Washington Post: http://voices.washingtonpost.com/securityfix/2009/01/payment_processor_breach_may_b.html?hpid=topnews
Krebs, B. (2013, December 18). Target Investigating Data Breach. Retrieved from Krebs on Security: http://krebsonsecurity.com/2013/12/sources-target-investigating-data-breach/
Krebs, B. (2014, January 14). A First Look at the Target Intrusion, Malware. Retrieved from Krebs on Security: http://krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/
Moldes, C. J. (2009, August 14). Contracting for PCI DSS Compliance. Retrieved from SANS Institute Reading Room site: https://www.sans.org/reading-room/?utm_source=web&utm_medium=text-ad&utm_content=generic_rr_pdf_logo1&utm_campaign=Reading_Room&ref=36909
Moldes, C. J. (2015, December 7). Compliant but not Secure: Why PCI-Certified Companies Are Being Breached. Retrieved from SANS Institute InfoSec Reading Room: https://www.sans.org/search/results/PCI+DSS/0/2
npr.org. (2015, March 19). Target Offers $10 Million Settlement In Data Breach Lawsuit. Retrieved from www.npr.org: http://www.npr.org/sections/thetwo-way/2015/03/19/394039055/target-offers-10-million-settlement-in-data-breach-lawsuit
PCI Security Standards Council. (2016). Maintaining Payment Security. Retrieved from PCI Security Standards Council: https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security
PCI Security Standards Council. (2016). PCI Security. Retrieved from PCI Security Standards Council: https://www.pcisecuritystandards.org/pci_security/
pcisecuritystandards. (2008, October). Understanding the Intents of the Requirements of PCI DSS. Retrieved from PCI Security Standards: https://www.pcisecuritystandards.org/pdfs/pci_dss_saq_navigating_dss.pdf
Perez, S. (2014, January 10). Target's Data Breach Gets Worse. Retrieved from TechCrunch: http://techcrunch.com/2014/01/10/targets-data-breach-gets-worse-70-million-customers-had-info-stolen-including-names-emails-and-phones/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=Netvibes
SecureWorks. (2012, October 25). Risk Management. Retrieved from www.secureworks.com: https://www.secureworks.com/blog/general-pci-compliance-data-security-case-study-heartland
Vijayan, J. (2014, January 24). Security failures at companies certified as PCI compliant suggests problem in the standards and compliance. Retrieved from ComputerWorld: http://www.computerworld.com/article/2486879/data-security/after-target--neiman-marcus-breaches--does-pci-compliance-mean-anything-.html
Wikipedia. (2016, February 24). Albert Gonzalez. Retrieved from Wikipedia.