Three Examples of PCI DSS Non-Compliance and What You Can Learn from Them


The public and private sectors have been increasingly under assault by hackers looking to take information–whether for espionage, blackmail, or profit. And while some of the past few years’ high-profile government and industrial attacks have been at the center of many cybersecurity stories, the reality is that hacks in the retail and consumer spaces have been incredibly impactful.

In fact, some of the largest data breaches have been due, in part, to a lack of compliance with PCI DSS standards… and this presents a major challenge for merchants and payment processors who want to protect their customers’ information. 

Here, we’ll cover three major security breaches related to PCI DSS compliance and what you can learn from them.

 

PCI DSS Through the Past Decade


With the publication of the latest PCI DSS 4.0 standards, the Payment Card Industry (represented by major payment providers like Visa, Mastercard, American Express, Discover, and other processors) continues its attempts to develop security practices that meet the challenges of modern commerce. 

Some of these challenges include:

  • Digital Storage of Cardholder Data: Many merchants and processors store cardholder data for business purposes, including subscription management or streamlined purchasing. This creates databases of personally identifiable information, including primary account numbers (PANs), addresses, phone numbers, and authentication credentials. 
  • Online eCommerce: Even before COVID-19 and the spike in online activity, people were turning to online commerce centers to buy goods and services. With even the most common daily activities (like grocery shopping) now done online, the use of PANs for digital purchases is at an all-time high.
  • Mobile Commerce and Application Purchases: Alongside digital purchasing, more and more customers are using mobile devices to bank, shop, and exchange money. Many of these exchanges happen through online storefronts and digital apps connected to mobile hardware that allows for authentication through device IDs or biometrics.
  • Phishing: Phishing has remained one of the most popular and effective forms of digital attack in the wild, and consumer financial transactions are at the forefront of these attacks. Hackers are not only attacking payment processing systems or consumers directly… They are also using social engineering to gain access to hardware vendors and managed service providers to launch attacks against unsuspecting organizations.

These all play a smaller or larger role in prevalent hacks, and as such new PCI DSS standards have attempted to address these attacks with updated requirements.

However, no requirement can mitigate mistakes. Some of the largest companies in the world have made such mistakes, and it’s cost them.

 

Target and Listening to Your Security Tools

In 2013, Target experienced a massive breach of its databases, affecting roughly 110 million customers. These customers had their names, mailing addresses, email addresses, and credit and debit card information stolen or compromised–the hackers made off with over 11 gigabytes of data. 

So, what went wrong? Target and security experts reported two main causes: social engineering in the supply chain and a failure to monitor security alerts.

  • Monitor Third-Party Relationships: Ironically, it wasn’t a breach of a massive software or cloud provider that rendered Target vulnerable but a phishing attack against a contractor that serviced Target’s refrigeration units. The hackers used email phishing to gain authentication credentials for the contractor’s internal systems, which included logins for accounts on Target internal portals. Furthermore, the contractor did not use modern enterprise security, opting for a free version of Malwarebytes instead.
  • Pay Attention to Security Warnings: While it isn’t completely clear how the hackers used these credentials to gain access to Target systems, they did gain access. At this point, they moved laterally to infect internal computers and POS systems. Target did use an enterprise anti-malware application from FireEye that did raise alerts for the presence of malware, but those alerts were not responded to. 

What We Can Learn: Third-party security is a necessary part of security and compliance, and an attack through a trusted vendor network can come from literally any vendor. Furthermore, even if your company has the controls that compliance requires, they are completely useless if you aren’t operating them properly and within the guidelines of PCI DSS. In this case, that includes paying attention to alerts, scanning systems, and performing regular system security and security tool effectiveness audits.

 

Heartland Payment Systems and Going Beyond PCI DSS

Heartland Payment Systems announced in 2009 that it had been the victim of a data breach that had occurred the previous year. This was the largest data breach known to date, with an estimated 100 million cards stolen and 650 connected financial services compromised. Hackers were able to take the information, which included information from magnetic stripes, and create fake cards that they could sell online. 

Heartland’s security, technically, was PCI-compliant… but only barely. Somehow, the engineering teams responsible for developing secure systems for the company were able to implement compliant technology that didn’t necessarily cover the security needs they faced. As a result, hackers were able to use a SQL injection to install malware that went undetected for nearly a year. 

What We Can Learn: Compliance “by the letter of the law” isn’t always sufficient. It’s critical to understand PCI DSS as a guideline from which to start; proper security may only come when you integrate PCI requirements into your specific business use cases. 

 

Equifax, Patches, and Network Security

Sometimes, security incidents come in the gaps when security experts don’t yet know vulnerabilities exist. Unfortunately, this gap can stay open for months or years if companies do not take the right steps to patch their software. 

This was the case for Equifax. The credit reporting service was the victim of a hack in 2017 that originated from a bug in the Apache Struts software (CVE-2017-5638). After an investigation of the hack, it became apparent that a lack of system hardening, data obfuscation for information at rest, and regular and emergency software update and patch maintenance led to a massive breach that affected 143 million consumers, exposing their personal information (including Social Security Numbers) and credit card numbers.

  • Deploy Patches Immediately: Security flaws are a major problem, especially if they are announced as zero-days that are being identified and patched in real-time. 
  • Ensure Auditing Tools Work Correctly: It’s absolutely critical that any system containing credit card data or other private information be audited, and that those auditing tools remain effective. There was evidence that auditing tools used by Equifax weren’t picking up the tell-tale system and file-level events that could have alerted administrators. 
  • Maintain Internal Network Segmentation and Authorization Controls: Networks should always be protected, with tight authorization controls and segmentation to prevent lateral movement between systems.

What We Can Learn: Minimize system exposure by using zero-trust architecture wherever possible, isolating networks that carry account information and requiring strict role-based authentication for access across any relevant resource. Encrypt account information and never store clear-text credit card information. And always, always patch critical vulnerabilities, especially those associated with common server or infrastructure apps like Apache.

 

Meet PCI DSS Requirements and More with Continuum GRC

Compliance is one thing, but security as a best practice requires you to know the resources that contain and process credit card information. That’s why it is critical to use a system that helps automate the letter of the law of PCI DSS compliance, while providing support for the ongoing maintenance and risk assessments that make real security possible. 

Continuum GRC is cloud-based, always available and plugged into our team of experts. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

  • FedRAMP
  • StateRAMP
  • NIST 800-53
  • DFARS NIST 800-171
  • CMMC
  • SOC 1, SOC 2, SOC 3
  • HIPAA
  • PCI DSS 4.0
  • IRS 1075
  • COSO SOX
  • ISO 27000 Series
  • ISO 9000 Series

And more. We are also the only FedRAMP and StateRAMP authorized compliance and risk management solution in the world.

Continuum GRC is a proactive cyber security®, and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform in the world. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.
