“Dear Valued Customer,
As you may have heard, on September 8, 2014, we confirmed that our payment data systems have been breached, which could potentially impact customers using payment cards at our U.S. and Canadian stores.”
This is an excerpt from an actual email distributed by a large retailer, in the wake of a massive data breach jeopardizing over 50 million credit cards. Since 2004, Payment Card Industry Data Security Standards (PCI DSS) has stood as a core regulation aimed at thwarting breaches like the above, and any organization that accepts, transmits or stores cardholder data must comply.
Now, here’s the shocking truth: In the latest PCI Compliance Report conducted by Verizon, none of the companies it had investigated in ten years had been fully PCI compliant at the time they were breached.
In many cases, companies achieve total PCI compliance once but don’t sustain it. According to the Verizon report, 80 percent of companies fail at interim assessment. Technology moves quickly, and compliance solutions and policies implemented in past years may not be enough to stand up to modern security threats.
Other organizations believe that they don’t have to worry about protecting data. They believe their business is too small to be the target of hackers, or too large and successful to be using outdated, inadequate security practices. Sometimes they believe that data breaches only affect big retailers, not other industries.
But PCI compliance needs to be taken seriously by everyone or the consequences can be devastating. Here are three organizations that experienced the detriment of non-compliance.
#1: Data Breach at Home Depot Compromises 56 Million Credit Cards
In what went down in history as one of the worst retail data breaches of all time, malware infected Home Depot point-of-sale systems and stole millions of customer credit and debit cards. The Home Depot attack seems to be a case of relying on inadequate software solutions and policies for data breach prevention. Employees later said that the company used outdated antivirus software and failed to monitor the network for unusual behavior.
PCI standards require routine vulnerability scans, but according to employees, more than a dozen systems handling customer information were not assessed and were off limits to much of the security staff. In Home Depot’s case, investing in a security software with the ability to audit security infrastructure for PCI compliance, may have been the difference between a $19.5 million data breach settlement, and business as usual.
#2: Office of Personnel Management Data Breach Affects Millions
After hackers attacked the Office of Personnel Management (OPM)’s servers and stole the personnel files of 4.2 million former and current government employees, as well as the security clearance background investigation information of millions more, a congressional investigation uncovered the organization’s security shortcomings.
Among many other findings, the report took especial issue with the department’s lack of two-factor authentication for employee access to sensitive data, claiming it was an oversight that could have prevented the security breach. This points to a key problem that PCI compliance is meant to address. It’s not enough to encrypt and protect your files during transfer, you need to monitor internal actors as well. A robust security solution will authenticate users, give them only the access they need, and maintain a detailed log of each user’s actions.
#3: Over 45 Million Credit Card Numbers Stolen in TJX Breach
TJX Companies, owner of popular home brands such as TJ Maxx, Marshalls, and HomeGoods, experienced a data breach in which more than 80GB of cardholder data was stolen over a period of 18 months. Before the company was able to detect and halt the breach, 45.6 records had been stolen.
Documents filed in court after the breach claimed that TJX had failed to comply with nine out of the twelve PCI DSS requirements. Factors contributing to the incident included an improperly configured wireless network, a failure to segment networks carrying cardholder data from the rest of TJX's network, and the storage of prohibited data. Two members of the PCI Standards Council later pointed to PCI compliance as the clearest way to protect data against a TJX-style breach.
PCI Compliance Can be Tricky, We Get It.
No company embarks on an initiative to avoid PCI compliance. You are trusted by your customers, partners and vendors to take the proper measures to secure and protect their sensitive payment data. It’s that trust that has kept your company successful for so many years!
We read about data breaches and attacks like these in the news on a regular basis, but we don’t pause often enough to audit our own data security practices. IT infrastructure in today’s enterprises is increasingly complex, especially for large companies with systems spread around the world like Home Depot. Add to that the fact that PCI compliance has multiple, complex requirements, and it can be daunting for IT and security teams to implement a sustainable process that ensures ongoing compliance.
PCI DSS compliance can be greatly simplified by using software solutions with features designed to help you achieve security and compliance. This type of software addresses PCI requirements, provides the information you need to satisfy an audit, and in some cases even helps you check whether you are meeting compliance standards.
PCI Compliance with Secure Managed File Transfer
File transfers are an essential point of vulnerability to consider when developing your security strategy. The most common file transfer pitfall is relying on inadequate methods such as poor FTP implementation practices, file sharing apps, and unencrypted email attachments.
A secure managed file transfer (MFT) platform guards your sensitive data against attacks with robust security and encryption methods, all while streamlining the file transfer process and saving your team time and resources that can be used to tackle other potential security issues. Furthermore, a good MFT solution will have features like detailed audit logging and compliance assessments to eliminate the headache involved with ensuring your file transfers are compliant.
To make protecting data transfers as easy as possible, make sure your managed file transfer platform provides:
- Secure connections for the transmission of sensitive data
- Integration with existing critical applications
- Role-based security and user authentication
- Strong encryption methods
- Detailed logs for audit reporting
Securely managing your data transfers is just one aspect of achieving PCI compliance, but it is an essential step toward fully protecting your enterprise against security threats.
Interested in learning more about PCI DSS compliance? Explore our PCI DSS resource section for requirement details, industry whitepapers and recent articles.
Assess the PCI compliance of your file transfers for free when you try GoAnywhere MFT for 30 days. Sign up for a trial here.