By Avery Buffington, Information Security Architect, SecureNet
Lately, it seems as though we’re reading about a new data breach every day. From retail breaches, like Target and Michaels, to corporate credit card breaches, such as those affecting Visa and, most recently, American Express cardholders in California, we are experiencing a turning point in security. Customers are less trusting of businesses and wary of paying with credit cards. Whether you’re a developer, security analyst or IT professional, consider the following best practices for protecting your customers’ card data and defending against a data breach.
Encrypt from point-to-point (P2PE). Simply put, card data in plaintext is in its most vulnerable state. Encryption transforms the plaintext into unreadable ciphertext. When a card is swiped by a merchant that uses a P2PE solution, the data is encrypted in the terminal and can only be decrypted by the card processor. This mitigates many of the weak points exposed when cardholder data is captured by a point-of-sale terminal in plaintext, or decrypted in a back-of-house merchant system, before it is sent to a processor for authorization. Encrypt card data from point to point and you’ve taken the first step in protecting your customers from attack.
Tokenize data. Many security players in the financial industry tout the ability to tokenize post-authorized credit card data. This means the information is tokenized only after it has been sent to the processor and bank for authorization and is on its way back to the merchant to complete the transaction. Tokenizing pre-authorized transactions, typically e-commerce transactions, allows users to register their payment methods with the payment processor’s secure vault. This raises security to a new standard and is not yet commonplace in the industry. Customers’ sensitive card data never touches the retailer’s servers in plaintext, because the merchant stores only the tokenized form. This differentiator is critical when you consider that most well-known data breaches (like the one at Target) take place at the merchant server level.
DLPs, FIMs and HIDs. Data Loss Prevention (DLP) systems can potentially stop a breach at the source. Beyond the standard security measures of firewalls, intrusion detection systems and antivirus, consider advanced DLP solutions that use heuristics, machine learning and reason-based algorithms. For example, behavioral pattern or traffic analysis can detect abnormalities within the server. Designated DLPs can use data matching and statistical analysis to prevent or detect unauthorized attempts to copy sensitive card data. File Integrity Monitoring (FIM) and Host Intrusion Detection (HID) systems are both internal security controls that compare a system’s current state and behavior against a known baseline in order to detect changes. DLP, FIM and HID systems should all be considered part of the DLP “system,” working in conjunction to alert analysts to suspicious activity that could indicate compromise or data exfiltration.
Egress filtering. Ensure stringent egress filtering standards are in place to both monitor and restrict the flow of data across networks. Most are familiar with using firewalls to prevent malicious traffic from entering your servers, but firewalls should also be leveraged to prevent arbitrary traffic from leaving an internal network. In a corporate setting, all traffic, save for a