Mar 18 2010

Mary’s Pizza hit by hackers

Category: Identity Theft, pci dss | DISC @ 3:32 pm

[Image: Information Security Wordle: PCI DSS v1.2 (try #2), by purpleslog via Flickr]


There is a big misconception out there that PCI DSS compliance does not apply to us because we are a relatively small company.


The fact is that PCI DSS must be met by all organizations that transmit, process or store payment card data. Business owners also want to know what the ROI on PCI compliance is. The return is the total cost of ownership: staying compliant is what ensures that you keep earning. DISC


By MIKE McCOY
THE PRESS DEMOCRAT

Patrons of Mary’s Pizza in downtown Sonoma will be alerted this week that their credit card numbers may have been stolen by an international computer hacker.

Vince Albano, chief executive officer for the 18-store chain, expects to receive a report by Friday detailing the breadth and timing of the breach.

Once that is known, Albano plans to take out newspaper ads to warn diners who ate at the Spain Street outlet during that period that they might want to cancel their credit cards and get new ones.

Albano said his company doesn’t have the ability to notify potential victims directly because the credit card companies won’t release their names.

The breach was first discovered by the restaurant’s in-house technology expert on Feb. 10 after friends and customers called to complain about errant charges on their credit cards, Albano said. He hired a Chicago-based high-tech forensics firm, Trustwave, to pinpoint the problem.

“Trustwave said they traced it to Russia but I also heard it may be Luxembourg,” Albano said of the suspected location of the hacker.

Albano said his company immediately notified banks and credit card companies of the breach to stop further illegal charges to his customers.

Mary’s may not be the only business hit by the hacker, Albano said. Customers at other businesses in the Sonoma Valley also reportedly have been hit, he said.

“We are addressing the issue but the issue is larger than Mary’s Pizza Shack,” he said.

The Sonoma County Sheriff’s Department is heading up the investigation.

Albano declined to speculate how many of his customers may have had their credit card numbers stolen. Pending Trustwave’s report, he declined to say over what period of time the thefts occurred or how many of the cards were fraudulently used.

But he said his company has invested $20,000 to make the computer systems at all 18 outlets “100 percent protected.”

“We want to do right by our customers. We have been locked down tight since Feb. 23,” he said.

Read more in the Press Democrat.

Here we have another unnecessary credit card data breach in a small organization, which resulted in a loss of customer data and demonstrates the poor baseline security of small organizations, in this case a restaurant. Small organizations are not ready for PCI compliance. Check out why PCI compliance is essential and why small merchants have to comply. Review my threats page and evaluate your current business and system risks to make sure this does not happen to you.
Contact DISC with any questions.

Tags: Chief executive officer, Credit card, Payment Card Industry Data Security Standard, Sonoma Valley, Total cost of ownership


May 28 2009

PCI compliance is essential and why you have to

Category: pci dss | DISC @ 3:18 pm


In this economic downturn, organized cybercrime is a booming underground business. Most security experts and the FBI agree that cybercrime is on the rise and poses one of the biggest threats to vital US infrastructure. Cybercriminals are thieves in cyberspace who steal sensitive data and sell it to other criminals in their community, who may turn around and demand a ransom to keep the data private, or resell it to the highest bidder on the black market. The risk of getting caught is minimized by gaps in legal jurisdiction and outweighed by huge monetary gains. Motivated by those gains, cybercriminals are determined to exploit the vulnerabilities of a target-rich environment. Another part of the problem is that our personal and private information can be exploited at many locations: banks, credit card companies, credit and debit card processors, credit reporting companies, merchants, and so on.

Level 1, 2 and 3 merchants usually follow security best practices, allocate enough resources and try to maintain PCI compliance. Level 4 merchants, on the other hand, are usually not compliant and have security vulnerabilities that are easy pickings for cybercriminals, which is a primary reason why more security breaches happen to level 4 merchants. PCI was created to safeguard credit card and debit card data. The PCI DSS standard is managed by the PCI Security Standards Council.

The most significant reason to comply with PCI is because you have to.


PCI DSS addresses the baseline security for payment card infrastructure, and its ROI is measured as total cost of ownership. PCI DSS cannot guarantee absolute security, but making an organization adhere to due-care security justifies its cost and use. As far as liability goes, a security breach will be very detrimental in a state of non-compliance, which can include fines, legal fees and possibly losing the ability to process credit cards. As added motivation, merchants should also remember that their customers' data is worth a lot of money to cybercriminals.

The trick is keeping the state of compliance: true security of cardholder data requires nonstop assessment and remediation to ensure that the likelihood and impact of a security breach are kept as low as possible. PCI compliance is not a project; it is an ongoing process of assessment. A PCI assessor uses a defined set of control objectives to assess the state of compliance. PCI also provides the option of an internal self-assessment with an officer's sign-off.
Merchants should monitor and assess on an ongoing basis to maintain compliance. Implement defense-in-depth mechanisms and apply security controls at every layer (network, application, operating system and data). The idea is to make the attacker's job hard enough that they move on to an easier target.

Check my previous posts regarding PCI DSS.
pci-dss-misconceptions-and-facts
pci-dss-significance-and-contractual-agreement


Recommended books for implementing a PCI DSS compliance process


Tags: Credit card, defense in depth, level 4 merchant, Merchant Services, pci dss, PCI Security Standard Council, roi, Security, Total cost of ownership