5 Ways to Build an Indestructible Customer Data Fortress
Retailers should use the standards set by the Payment Card Industry as a starting point when ensuring that their customer data is as secure as possible, suggests Kristin Lovejoy, IBM's director of corporate security strategy.
On June 30, the Payment Card Industry Data Security Standard (PCI DSS) became mandatory for merchants and service providers that store, process or transmit cardholder data. This is a significant milestone in the ongoing push to strengthen payment security: the standard has moved from a set of recommendations to enforced requirements.
This new era of payment security will have a tangible impact on retailers, who will quickly learn that failure to comply with PCI DSS can be costly from both a financial and an operational perspective. Beyond the hefty fines levied by the card brands, non-compliant retailers are more exposed to the potentially disastrous effects of a breach: direct financial losses, lost customers and lasting damage to brand reputation.
The latest PCI mandate is an impetus for retailers not only to meet these particular requirements, but also to take a second look at their overall security practices and make sure they measure up. Investing appropriately in security now could mean less payout down the road.
The Bigger Picture
The major credit card brands developed PCI's Data Security Standard as a way of ensuring credit cardholder information is kept safe. Constantly evolving threats require equally dynamic measures, and in an age when the flow of information is continuously expanding, the potential for security breach incidents is too. As a result, companies today must not only comply with the PCI standards, but they must also develop an effective, long-term strategy for achieving the security goals they set.
Recent high-profile breaches have exposed some of the pitfalls companies encounter today. Simply following the letter of the standard is not enough to ensure sensitive customer data is locked down and fully protected. While PCI DSS provides organizations with a framework for implementing security measures, compliance is not a matter of ticking a box and marking it complete.
Organizations must be careful not to become so focused on fulfilling mandates that they lose sight of the greater security picture. They must go beyond that level and implement a comprehensive, enterprise-wide IT security strategy.
As it pertains to PCI DSS compliance and the protection of customer data, there are five issues that organizations must not overlook if they want to improve their overall security posture:
- First, retailers need to be vigilant in managing the chain of custody and closely monitoring how business partners are handling data. Cardholder data can be shared by the retailer with many partner organizations, but PCI requires that all third parties that touch cardholder data must also meet PCI DSS requirements. The organization must ensure that all its partners are handling data responsibly.
- Privileged user access is also important. This means monitoring the activities of the individuals who hold root or administrator access to sensitive data and implementing the controls needed to ensure that information is protected.
- Another major security hazard lies in "unstructured" data -- information outside of databases, typically stored in documents and spreadsheets. Growth in unstructured and semi-structured data nears 52 percent annually, and by 2010 it will exceed the amount of structured data stored by the enterprise, according to estimates by IDC. It is critical to inventory and manage unstructured data, because it is easy to copy and can leak out of the organization without ever passing through a database control.
- Additionally, shared accounts and passwords are frequent culprits in security breaches. Shared passwords are used 73 percent of the time to manage network devices, according to the Password Research Institute. Sharing makes it impossible to trace activity to an individual, to prove segregation of duties, or to restrict access to cardholder data according to the principle of least privilege. Organizations must assign every user a unique ID. Even if the privileged users are trustworthy employees, from a compliance and audit perspective an organization that shares accounts cannot prove that access is appropriately restricted.
- Lastly, default passwords and settings left unchanged -- particularly on devices at the organization's perimeter -- are an open invitation to attackers. Organizations should perform a thorough check for default settings. Although most organizations have a "no defaults" rule in their written policies, enforcement is not always vigilant.
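The last two issues above, shared accounts and unchanged defaults, are the ones an auditor can actually test for with a script. The following example is added to this page and is not IBM's or the PCI Council's code. It flags accounts that log in from more than one source address within a short window (a sign that the credential is shared) and flags perimeter devices whose administrator credential or SNMP community string still matches a vendor default. The log format, the device inventory, the `acme-*` vendor names and their default credentials are all constructed for the example; a real audit would substitute the organization's own auth logs, configuration exports and the vendors' documented defaults.

```python
"""Audit helpers for two PCI DSS problem areas: shared accounts and
unchanged default credentials.  Example code added to this page; the
log lines, inventory and vendor defaults below are constructed."""
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log: timestamp, account, source address, result.
AUTH_LOG = """\
2007-07-01T09:00:12 login user=admin src=10.1.1.10 result=ok
2007-07-01T09:02:40 login user=admin src=10.1.1.22 result=ok
2007-07-01T09:03:05 login user=jsmith src=10.1.1.10 result=ok
2007-07-01T09:04:51 login user=admin src=10.1.2.7 result=ok
2007-07-01T12:30:00 login user=jsmith src=10.1.1.10 result=ok
2007-07-01T15:10:10 login user=ops src=10.1.3.3 result=ok
2007-07-02T08:55:00 login user=ops src=10.1.3.9 result=ok
"""

LINE_RE = re.compile(r"^(\S+) login user=(\S+) src=(\S+) result=(\S+)$")


def parse_auth_log(text):
    """Return (timestamp, account, source) tuples for successful logins."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrecognised line: skip rather than guess
        ts, user, src, result = m.groups()
        if result == "ok":
            events.append((datetime.fromisoformat(ts), user, src))
    return events


def find_shared_accounts(events, window_minutes=10):
    """Map account -> sorted source addresses for every account seen
    logging in from more than one source within `window_minutes`.
    One person moving between workstations hours apart is not flagged;
    several people using the same credential at the same time is."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for ts, user, src in events:
        by_user[user].append((ts, src))
    shared = defaultdict(set)
    for user, logins in by_user.items():
        logins.sort()
        for i, (ts, src) in enumerate(logins):
            srcs = {src}
            for ts2, src2 in logins[i + 1:]:
                if ts2 - ts > window:
                    break  # logins are sorted, so nothing later is in range
                srcs.add(src2)
            if len(srcs) > 1:
                shared[user] |= srcs
    return {user: sorted(srcs) for user, srcs in shared.items()}


def sha256_hex(s):
    return hashlib.sha256(s.encode()).hexdigest()


# Constructed vendor defaults (hypothetical 'acme' product line).  A real
# audit would take these from the vendor's documentation.
VENDOR_DEFAULTS = {
    "acme-fw": ("admin", "admin"),
    "acme-router": ("admin", "password"),
}
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}

# Constructed inventory export.  Only a hash of each configured password is
# kept, so the audit script never handles administrator plaintext.
INVENTORY = [
    {"device": "edge-fw-1", "model": "acme-fw", "user": "admin",
     "pw_sha256": sha256_hex("admin"), "snmp_community": "public"},
    {"device": "edge-fw-2", "model": "acme-fw", "user": "secops",
     "pw_sha256": sha256_hex("correct horse battery staple"),
     "snmp_community": "n3tm0n-ro"},
    {"device": "branch-rtr-1", "model": "acme-router", "user": "admin",
     "pw_sha256": sha256_hex("password"), "snmp_community": "private"},
]


def find_default_settings(inventory, defaults=VENDOR_DEFAULTS):
    """Return (device, finding) pairs for devices still using a vendor
    default credential or a default SNMP community string."""
    findings = []
    for dev in inventory:
        default = defaults.get(dev["model"])
        if (default and dev["user"] == default[0]
                and dev["pw_sha256"] == sha256_hex(default[1])):
            findings.append((dev["device"], "default credentials"))
        if dev["snmp_community"] in DEFAULT_SNMP_COMMUNITIES:
            findings.append((dev["device"], "default SNMP community"))
    return findings


if __name__ == "__main__":
    for user, srcs in find_shared_accounts(parse_auth_log(AUTH_LOG)).items():
        print(f"shared account {user!r} used from {', '.join(srcs)}")
    for device, finding in find_default_settings(INVENTORY):
        print(f"{device}: {finding}")
```

On the constructed data the script flags `admin` (three sources within five minutes) while leaving `jsmith` and `ops` alone, and reports both `edge-fw-1` and `branch-rtr-1` for unchanged defaults. The window is the tuning knob: widen it and `ops`, who logged in from a second host the next morning, is flagged too, which may or may not be what the audit wants. Hashing the vendor default and comparing against the inventory hash is deliberate: the comparison works without the script ever reading a live administrator password.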
Avoiding Costly Consequences
PCI DSS offers a sensible approach to securing data, and it will continue to evolve as threats change and multiply. Using its requirements as a baseline, retailers can implement measures that meet present demands while building the security program needed to combat future threats.
While there is no one-size-fits-all solution to security, addressing these five issues provides a starting point for retailers as they focus on their compliance efforts and implement a more comprehensive approach to securing customer data. Taking PCI DSS seriously can help them avoid costly consequences, and with the appropriate controls and methods in place, organizations are better equipped to thwart potential threats.
Kristin Lovejoy is IBM's director of corporate security strategy.