Subway has been the subject of intensive scrutiny and media attention since it came to light that its POS system was vulnerable and that credit card data had been electronically stolen from its restaurants by an overseas crime syndicate. This month, several of the computer hackers involved in the theft admitted that their activities resulted in about 146,000 accounts being compromised over the span of two to three years. Current estimates hold their criminal enterprise responsible for about $10 million in theft.
There are two clear lessons to be learned from this story by anyone who accepts credit cards as part of their business:
1. PCI (the standard designed to keep credit cards safe) is not a one-time effort. You must maintain the things that PCI demands at all times, 24 x 7 x 365. Too often, people hope to implement some security and then forget about it. Hackers are constantly getting better at their craft, so anyone trying to keep credit cards safe must always be monitoring and improving their security.
2. What your location can send out on the Internet is just as important as what you prevent from coming into your store from the Internet. Most people recognize that hackers are constantly roaming the Internet and trying to break into your store by finding a vulnerable system that is attached to it. This is comparable to the 1983 movie "WarGames". The truth of the matter is that more data is lost through compromises that happen inside the store than through external hacking that steals data directly. More often than not, a user picks up some malware (malicious software) that is designed to steal credit cards. That malware then gathers up the data and sends it to a hacker on the Internet who is waiting for it. Just imagine a compromised POS station recording credit cards as they are processed, and then, once a day, sending an e-mail to its creator with all of the credit cards you processed that day.
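The daily-e-mail scenario above is exactly what outbound (egress) monitoring is meant to catch. The following is an added example, not code from the post or from Vendor Safe: it reads a constructed set of store-firewall log lines (the log format, the 10.20.1.0/24 POS subnet and the allowlisted payment-processor and DNS addresses are all assumptions) and flags any connection from a POS host that is not on the egress allowlist, calling out outbound SMTP specifically.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample of outbound-connection log lines from a store firewall (not from the post).
# Two lines are legitimate (payment processor over HTTPS, local DNS); two are not.
SAMPLE_LOG = """\
2012-09-10 02:13:44 ALLOW TCP src=10.20.1.11 dst=203.0.113.10 dport=443
2012-09-10 02:14:02 ALLOW TCP src=10.20.1.11 dst=198.51.100.25 dport=25
2012-09-10 02:15:30 ALLOW TCP src=10.20.1.12 dst=203.0.113.10 dport=443
2012-09-10 02:16:01 ALLOW TCP src=10.20.1.12 dst=192.0.2.77 dport=8080
2012-09-10 02:16:09 ALLOW UDP src=10.20.1.11 dst=10.20.1.1 dport=53
"""

POS_SUBNET = ip_network("10.20.1.0/24")  # assumed VLAN holding the POS stations

# Assumed egress allowlist for POS hosts: the payment processor over HTTPS and the store's
# local DNS resolver. A POS station has no business talking to anything else on the Internet.
ALLOWED = {
    (ip_network("203.0.113.10/32"), 443),
    (ip_network("10.20.1.1/32"), 53),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) ALLOW (?P<proto>TCP|UDP) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse(line):
    """Return the fields of one log line as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_allowed(dst, dport):
    """True if (destination, port) is on the egress allowlist."""
    ip = ip_address(dst)
    return any(ip in net and dport == port for net, port in ALLOWED)


def find_unexpected_egress(log_text):
    """Flag every connection from a POS host to a destination/port not on the allowlist."""
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or ip_address(rec["src"]) not in POS_SUBNET:
            continue
        if is_allowed(rec["dst"], rec["dport"]):
            continue
        reason = "outbound SMTP from POS host" if rec["dport"] == 25 else "destination not on egress allowlist"
        findings.append((rec["ts"], rec["src"], rec["dst"], rec["dport"], reason))
    return findings


if __name__ == "__main__":
    for ts, src, dst, dport, reason in find_unexpected_egress(SAMPLE_LOG):
        print(f"{ts} {src} -> {dst}:{dport}  {reason}")
```

On the sample log this flags the SMTP connection and the unknown 8080 destination while passing the processor and DNS traffic; a real deployment would run it against the firewall's actual log feed and, better still, enforce the same allowlist as a deny-by-default outbound rule.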
You must take a holistic approach if your security is to succeed. You have to stop hackers from getting into your environment and prevent unauthorized data transmissions from leaving your stores. You must consider everything you do within your operations as it pertains to security, because a hacker only has to be successful once to get past your defenses. You have to be successful all the time in order to keep them out.
Bradley K. Cyprus has more than 20 years of experience in the security industry. He manages the development of in-house solutions to validate compliance, and he is a resource that Vendor Safe customers can rely upon to help interpret the PCI standard.