Over the past month or so I’ve been discussing the Payment Card Industry (PCI) Data Security Standards (DSS) with some of my information assurance practitioner friends and colleagues and what they’ve been doing to meet the requirements and accompanying challenges. I was thinking about some of the issues over the weekend.
Last night I watched a very interesting show on identity theft on Dateline NBC.
The show highlighted how quickly and widely throughout the world cybercriminals will use personally identifiable information (PII) to make charges that drain victims’ bank accounts through debit cards and credit cards, within just a couple of minutes in the situations shown. Amazingly fast…throughout the entire world!
It really highlights how those statements made by organizations that experience breaches, such as “There is no evidence that the PII stolen (or lost) has been misused,” really are made just to placate public opinion about the breach. Chances are PII taken by data thieves has been very widely and quickly sold and used. Be sure to check your credit card and bank statements closely, particularly since so many organizations that experience breaches do not provide credit monitoring based upon these “no evidence” statements. (Responding to breaches appropriately is another very important issue to discuss in another post…)
As I watched the Dateline show I thought about the types of impacts covered in the show that could be prevented with comprehensive implementation of PCI DSS.
There are many, of course, that CANNOT be prevented, such as exploits through the end-users through phishing schemes.
However, organizations COULD prevent a noticeable amount of the crime discussed by implementing the PCI DSS. For example, much PII is lost through the theft, loss, and thoughtless disposal of mobile computing devices and storage devices. What does PCI DSS require that is related to this? Here are a couple of passages.
“1.3.9 Installing personal firewall software on any mobile and employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization’s network.”
Many of the hackers who steal PII, and then sell it and use it for cybercrime, are able to get into end-users’ computers because no firewall is installed, or the firewall is not configured appropriately. If companies enforced the use of properly configured firewalls on their workers’ mobile and remote computers, the number of crimes could be reduced.
“Requirement 3: Protect stored cardholder data
Encryption is a critical component of cardholder data protection. If an intruder circumvents other network security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. Other effective methods of protecting stored data should be considered as potential risk mitigation opportunities. For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if full PAN is not needed, and not sending PAN in unencrypted e-mails.”
Yes, if unauthorized people, such as the criminals that are so abundant and anxious to get their hands onto PII, get hold of *ENCRYPTED* PII, they will not be able to do bad things with it! The credit card companies demonstrate the importance of encryption by saying it is an important component of the PCI DSS.
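As an added illustration of the “truncating cardholder data if full PAN is not needed” guidance quoted above (example code, not from the original post or from the PCI DSS itself), the following keeps only the first six and last four digits, which is an assumption based on the conventional PCI DSS masking limit, and stores a transaction record without the full PAN at all:

```python
import re

# Added example, not from the original post: apply the "truncate cardholder
# data if full PAN is not needed" guidance quoted from PCI DSS Requirement 3.
# ASSUMPTION: keep the first six and last four digits, the conventional
# PCI DSS masking limit; tighten this to match your own retention policy.
KEEP_LEADING = 6
KEEP_TRAILING = 4


def luhn_valid(pan: str) -> bool:
    """Return True if pan passes the Luhn check (catches typos, not fraud)."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Replace the middle digits with '*', leaving only what the policy keeps."""
    digits = re.sub(r"[\s-]", "", pan)   # accept spaced or hyphenated input
    if not luhn_valid(digits):
        raise ValueError("not a syntactically valid PAN")
    hidden = len(digits) - KEEP_LEADING - KEEP_TRAILING
    if hidden <= 0:
        raise ValueError("PAN too short to truncate safely")
    return digits[:KEEP_LEADING] + "*" * hidden + digits[-KEEP_TRAILING:]


def minimise_record(txn: dict) -> dict:
    """Build the record that is actually stored: the full PAN never reaches disk."""
    safe = {k: v for k, v in txn.items() if k != "pan"}
    safe["pan_truncated"] = truncate_pan(txn["pan"])
    return safe


if __name__ == "__main__":
    # Constructed sample transaction using a well-known test card number.
    sample = {"pan": "4111 1111 1111 1111", "amount": "19.99"}
    print(minimise_record(sample))   # {'amount': '19.99', 'pan_truncated': '411111******1111'}
```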
I’ve blogged many times about the need to encrypt PII, particularly on mobile computing devices and storage devices, such as here, here, here, and here.
What would be really interesting is if Dateline, or some other investigative reporter or show, could do an experiment to show how many bait credit card numbers would be exploited on systems that do *NOT* follow PCI DSS versus bait credit card numbers on systems that *DO* follow PCI DSS.
Hmm…
Tags: awareness and training, customer privacy, cybercrime, Dateline, encryption, firewall, government, identity theft, Information Security, IT compliance, mobile computing, NBC, PCI, PCI DSS, personal privacy, policies and procedures, privacy, privacy incident