Target lawsuit a ‘call to action’ for PCI DSS compliance

The lawsuit against US retailer Target and its security partner Trustwave should be a call to action for organisations that are not fully compliant with the latest PCI DSS standard.

Target and Trustwave are being sued by two US banks for losses that could top US$19bn, following the company's massive data breach in November 2013. According to the lawsuit, Target knew in 2007 its systems were vulnerable and decided to outsource data security to Trustwave.

Despite advertising "deep expertise" in payment card industry compliance, Trustwave failed to bring Target's computer systems up PCI DSS standards, the lawsuit alleged.

The Payment Card Industry Data Security Standard (PCI DSS) is a set of guidelines drafted by card companies. Any organisation that processes, transmits or stores credit card details must follow the detailed set of rules to ensure the security of those credit card details. In November 2013, version 3.0 of the standard was introduced.

The mistake made by many companies -- including Target -- is that they view PCI DSS compliance as a once a year scramble to achieve compliance, rather than a continued effort to maintain the standards, Eric Maya, director at IP Solutions International, told iTnews.

“Many large organisations have treated PCI DSS as a point in time project, not as an ongoing concern,” he said.

“As you can see with the Target breach, they were supposed to be PCI DSS compliant. They went through the process to become compliant and then within a short period of time they fell out of compliance.”

Founder of pen-testing firm Threat Intelligence Ty Miller said in a blog post earlier this year PCI DSS had created a "gold plated bar hanging from the ceiling that organisations are trying to reach".

"This has led to a large percentage of companies either unable to achieve, or failing to achieve, PCI compliance," he wrote.

"Security is an ever evolving beast. If you stand still, I can guarantee you that you will fall behind and become another news story about your data being leaked onto Pastebin."

US telco Verizon found in a January 2014 report on PCI DSS compliance only a small fraction of companies maintain their compliance levels over a 12 month period.

“Some companies still treat compliance as a one-off annual scramble that the security team owns and the rest of the business grumbles about," the report stated.

"But if you don’t work at compliance, just one new uncontrolled wi-fi access point, unprotected admin account, or unencrypted drive could take you out of compliance”.

The initial Target breach would not have exposed so much data if the environment been PCI compliant, Maya said.

"A PCI compliant environment would have appropriate controls in place to prevent the variant of BlackPos malware being deployed," he said.

"In addition, PCI compliance requires a business to have a thorough understanding of business partner connections and access to ensure all entry points have controls around them to prevent unauthorised access."

Under the PCI standards, Maya said, a business is also meant to assess all potential locations for storage of cards.

"System Memory is also a storage location and it's not a difficult task to search for stored cardholder data in memory. Which we understand was how that breach started - memory scraping malware," he said.

However, even achieving 100 percent compliance will not guarantee data safety because of flaws in the system itself, Miller said.

"The PCI standards can’t cover every new attack technique or every piece of malware from every organised crime or hactivist group, so achieving PCI compliance isn’t the end of the road," Miller said in the post.

"There are far more security controls and procedures that need to be put in place to ensure that your organisation doesn’t fall victim."

Maya agreed compliance alone did not necessarily guarantee protection, but recommended it as part of a wider process of ensuring the security of the IT environment.

"If you’re not treating PCI DSS as a ‘business as usual’ process, then [the Target lawsuit] is a call to action."