Sophos expert Chester Wisniewski has become the go-to guy when it comes to understanding credit card security. Last week, Chet was the featured speaker at BSides in Austin, Texas, where he talked about the Target credit card data breach, the evolution of credit card fraud, and what the next steps are as we try to prevent future retail data breaches.
The folks from the popular tech website Slashdot caught up with Chet after his presentation for an interesting, impromptu conversation about what the enormous Target breach means for retailers, banks, and consumers.
Chet talks about how retailers including Target were victimized by malware on their point-of-sale (PoS) systems, and how credit card processing in the U.S. — which still relies on old-fashioned magnetic stripe cards — is far less secure than in the rest of the world, where cards have cryptographic chips.
In his interview with Slashdot, Chet says the road to implementing chip cards in the U.S. is still a bumpy one, with retailers, banks, and Congress struggling to agree on how to move forward.
Despite the cost involved in upgrading PoS systems and replacing magnetic stripe cards, the improvement in data security could be dramatic.
“Now, the fraud we’re talking about in particular is what we call retail fraud,” Chet tells Slashdot. “And in countries like the United Kingdom that have had chip-and-PIN for some time, retail fraud was reduced 80% by the introduction of the chip instead of the stripe.”
Check out the video of Chet’s interview at Slashdot.
What about PCI DSS?
Retailers and other businesses that handle credit cards must comply with the Payment Card Industry Data Security Standard (PCI DSS). But even full compliance with the standards isn’t enough to prevent data theft.
As we saw in the Target case, PoS malware allowed cyber crooks to steal payment card data from 40 million customers because the card data is unencrypted on PoS machines, even though it’s required to be encrypted everywhere else.
Target’s network was infiltrated by crooks using credentials stolen from a third-party vendor that had no access to the payment card data system. But once they had those credentials to get onto Target’s network, the hackers had little trouble reaching the PoS systems, because that environment was not isolated from the rest of the network.
As Sophos security expert John Shier explains at Naked Security, these system-level security holes are perfectly fine under the PCI DSS.
Interestingly, the PCI DSS mentions network segmentation and isolation hardware in its list of "in scope systems," and strongly recommends that you use this sort of technology.
But the standard does not require the segmentation or isolation of the CDE [card data environment] from other operational networks.
Target’s breach and PCI DSS
You can hear Chet discuss the Target data breach and PCI DSS in this episode of the weekly Chet Chat podcast. Skip ahead to the 3:50 mark for the discussion on Target and credit card security.
The Target data breach and PoS malware: Learn more
- What we learned from the Target data breach about PoS security (Presentation)
- Target, Neiman Marcus card data thefts, RAM scraper malware, and you
- Video: Sophos expert talks Skype, Snapchat and Target hacks on Bloomberg TV
- Target data breach: What retailers and consumers can do
- Will U.S. credit cards finally get cryptographic chip and PIN technology?
- Credit card data in cybercrime market shows Sally Beauty was breached
SafeGuard Encryption for complete data protection
As we have seen again and again, encryption is essential in today’s security environment. In a short video, we show you how you can get the best encryption for security and performance, while also protecting data everywhere it resides.
Learn more about how the new SafeGuard Enterprise solves the major challenge of managing encryption across multiple platforms, devices, and cloud environments.