21 Oct 2013 Hackers are hungry – the dangers of storing credit cards locally
The amount of sensitive data on the servers of mid-to-large enterprises can be quite shocking. Included in the data could be credit card numbers. Locally storing your customer’s credit card data can be a risky proposition as your company could fall victim to a costly data breach.
Many large enterprises keep multiple copies of their customers’ payment data on old legacy systems whose underlying technologies remain solidly rooted in the 1960s. Because these systems are transaction-based rather than customer-based, their interoperability with internal audit and accounting processes is severely limited. To make matters worse, organizations often don’t know where sensitive data resides on those systems and have no control over it.
According to a recent EiQ Networks survey, the biggest security nightmare that keeps IT pros, network and systems engineers awake at night is fear of an external breach. Of 272 respondents from industry sectors such as healthcare, financial services, government and retail, 25 percent admitted they wouldn’t know how long it would take their company to find the root cause of a security breach. For instance, while corporate mobile use is steadily on the rise, monitoring of the channel is still behind. 50 percent of security pros surveyed in the EiQ study said they monitored less than one-fourth of mobile devices in real time.
Small Businesses are also at Risk!
Small businesses aren’t immune to cyber threats. They might be a smaller target, but they are a target nonetheless. According to Symantec, 50 percent of all targeted attacks were aimed at businesses with fewer than 2,500 employees.
Many small businesses violate PCI compliance requirements by storing unsecured customer information – including customer credit card data. This leaves them vulnerable for cyber thieves who wait in the weeds for opportunities to compromise their servers.
Inside the Minds of Hackers
Hackers think day and night about how to invent and execute a stealth attack and find pathways that offer the least resistance for the greatest payoff. Many work for organized crime syndicates and are masters of social engineering. They piece together bits of information to help them more easily penetrate weak systems and lure unsuspecting targets into clicking on links in seemingly genuine emails. As a result harmful malware is unleashed that compromises computers or allows keystroke logger robots to collect sensitive information.
Cyber thieves see high rewards for their sneaky efforts. Recent media has been filled with news of data breach horrors that have resulted in significant financial gains for hackers. The latest involves a massive global credit card fraud scheme by four Russians and a Ukrainian in what’s being called the largest hacking and data breach scheme ever prosecuted in the United States. The conspirators are accused of running a worldwide hacking operation that penetrated the computer networks of more than a dozen major U.S. and international corporations, stealing and selling at least 160 million credit card numbers, and causing at least $200 million in fraud-related losses.
Making the Right Choice for Credit Card Storage
If storing credit card numbers is essential to your business, and you plan to continue to store this information on your servers, take tips from our blog “Bullet-Proofing Your Business Against a Credit Card Breach.” Keep in mind that protection is priceless – so partnering with an expert may be well worth the peace of mind and transfer of liability.
When evaluating vendors for credit card storage, make sure they have deep security capabilities and a like-minded business focus. Confirm that they’re PCI-compliant, audited every year by an independent third party and Tier-1 certified. Tier-1 certification ensures that every feature, function and operational element of a company’s services meets the highest levels of data security mandated under the PCI DSS.
For good measure, consider outsourcing your credit card storage to a PCI DSS compliant tokenization vendor. Tokenization completely removes credit card data from a company’s internal networks and replaces it with a unique, generated placeholder, or “token” – much like emptying a warehouse so that a thief has nothing to steal. And even if the warehouse is found, the contents won’t be useful to the thief.
From the Buyer’s Perspective
If you’re a purchaser of goods or services, are you sure that your supplier is safely storing your credit card information? Inquire about their PCI compliance. Ask them if they’re storing your credit card locally, or if they’re tokenizing your card data at a secure offsite location. The goal is to comfortably conduct business with your suppliers via secure methods.
Rick Ricker is Vice President of Business Development for Enterprise Payment Solutions at 3Delta Systems. He is responsible for the strategic development and management of the CardVault tokenization service and for sales to enterprise customers.
