Securing retail card holder data in a turbulent economy

By Robert Grapes, Chief Technologist, Cloakware

Cloakware | www.cloakware.com


Securing cardholder data is not a new concern; retailers have to be vigilant in securing their customers' data. However, one of the industry's biggest shortcomings is the failure to acknowledge the risk surrounding payment systems and processes. Credentials and privileged access to these systems have gone unmanaged, leaving many organizations vulnerable to data theft and, potentially, ruin.

To help prevent the theft of payment card information, key industry players including Visa and MasterCard created the Payment Card Industry Data Security Standard (PCI DSS), which outlines best practices for securing cardholder data. Merchants and other organizations that collect and store payment card information are responsible for implementing and adhering to the standard.

Several of the PCI DSS requirements affect how an organization manages the passwords used in its IT operations, yet not all organizations realize how many passwords need to be protected, changed and monitored. Of the three types of passwords in an organization, typically only end-user account passwords are actively secured. The other two categories, elevated privileged passwords (sysadmins, etc.) and application-to-application passwords (hardcoded and scripted), are rarely changed, and a 'head in the sand' approach is often taken.

However much organizations choose to ignore these passwords, the problems will not go away; in fact, PCI DSS is forcing companies to address password management. Companies often do not realize the extent to which they are exposed should someone unlawfully gain access to these passwords. Time and time again, organizations make headlines around the world because they have been compromised, often due to inadequate controls on access to sensitive data. Recent examples of ineffective password management include:

  • Shared passwords among employees, resulting in the inability to track who is accessing data.
  • Full access granted to employees regardless of their authority level, which exposes company data to many individuals who have no authority to see it.
  • 'Secure' passwords tracked in an Excel spreadsheet in a shared directory, accessible to anyone who can open the file.
  • Contractors given access to systems who, returning several years later, can still access all the same systems.

Although the PCI DSS requirements are very clear, and despite the immense repercussions should this information fall into the wrong hands, many organizations still choose to ignore them, citing the risk of network outages and human error as business reasons not to change these types of passwords.

However, managing passwords does not have to be an onerous task. Password Authority addresses the following key PCI DSS requirements, helping organizations to comply with their auditors' requests while maintaining their daily business operations without disruption:

  • Using vendor-supplied default passwords – With an internet search engine, hackers and insiders can look up manufacturers' default passwords and gain access to a company's vital information. Retailers must make sure to change passwords upon installation and update them regularly.
  • Unsecured access to cardholder data – Companies often keep a master spreadsheet of all administrative passwords, making it easy for unauthorized individuals to access cardholder data and take advantage of unsuspecting customers. They need to eliminate insecure password storage in favor of a secure, managed password management solution.
  • Over-assignment of rights – Typical access control systems lend themselves to over-assignment of rights in order to simplify the management of individual administrator rights. At a minimum there needs to be a separation of duties based on groups and roles to restrict access among employees. Not all IT staff members should have access to every application and database.
  • Lack of traceability – Shared account usage eliminates the ability to trace activity to an individual. Assigning unique IDs solves this issue but multiplies the number of accounts that must fall under management. An automated password management approach addresses both problems.
  • Leaving access unmonitored – Putting access controls in place is not enough; companies need to actively monitor access to make sure that no one is illegally gaining access to their cardholder data. Active monitoring is an appropriate control to help minimize the extent of a potential breach.
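As an added illustration (not Cloakware's or Password Authority's code), the following Python sketch shows the controls in the list above in working form: scanning a script for a hardcoded application-to-application password, refusing to onboard an account that still uses a vendor default, releasing a shared account's password only to individuals holding an authorized role, logging every request against the requesting individual rather than the shared account, and flagging accounts whose password has not been rotated within policy. The default-credential list, the account and user names, the legacy script and the 90-day rotation threshold are all constructed for the example.

```python
import re
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed (username, vendor-default password) pairs; illustrative only.
KNOWN_DEFAULTS = {("admin", "admin"), ("sa", ""), ("root", "password"), ("postgres", "postgres")}

# Matches a literal password assigned in a script, e.g.  DB_PASSWORD = "Welcome1"
HARDCODED_RE = re.compile(r"""(?i)\b(\w*(?:pass(?:word|wd)?|pwd|secret)\w*)\s*=\s*['"]([^'"]*)['"]""")


def find_hardcoded_passwords(source: str) -> list:
    """Return (line number, variable, value) for each literal password in script text."""
    hits = []
    for number, line in enumerate(source.splitlines(), start=1):
        match = HARDCODED_RE.search(line)
        if match:
            hits.append((number, match.group(1), match.group(2)))
    return hits


class AccessDenied(Exception):
    pass


@dataclass(frozen=True)
class Secret:
    account: str            # "system/username", e.g. "pos_db/sa"
    password: str
    allowed_roles: frozenset
    rotated_at: datetime


@dataclass
class CredentialBroker:
    """Managed store for elevated and application-to-application passwords."""
    roles: dict = field(default_factory=dict)   # person or service id -> set of roles
    vault: dict = field(default_factory=dict)   # account -> Secret
    audit: list = field(default_factory=list)   # one record per checkout attempt

    def add_user(self, user: str, *roles: str) -> None:
        self.roles[user] = set(roles)

    def register(self, account: str, password: str, allowed_roles, now: datetime) -> None:
        # Refuse to onboard an account that still carries its vendor-default password.
        username = account.rsplit("/", 1)[-1]
        if (username, password) in KNOWN_DEFAULTS:
            raise ValueError(f"{account!r} still uses a vendor-default password; change it first")
        self.vault[account] = Secret(account, password, frozenset(allowed_roles), now)

    def checkout(self, user: str, account: str, purpose: str, now: datetime) -> str:
        """Release a shared account's password only to a requester holding an allowed role."""
        secret = self.vault.get(account)
        granted = secret is not None and bool(self.roles.get(user, set()) & secret.allowed_roles)
        # Logged against the individual, not the shared account, so a review can tell
        # who used 'sa' or 'root', when, and for what stated purpose.
        self.audit.append({"time": now.isoformat(), "user": user, "account": account,
                           "purpose": purpose, "granted": granted})
        if not granted:
            raise AccessDenied(f"{user} is not authorized to use {account}")
        return secret.password

    def rotate(self, account: str, now: datetime) -> str:
        """Replace the password with a random one and record the rotation time."""
        old = self.vault[account]
        new_password = secrets.token_urlsafe(24)
        self.vault[account] = Secret(account, new_password, old.allowed_roles, now)
        return new_password

    def stale_accounts(self, now: datetime, max_age: timedelta = timedelta(days=90)) -> list:
        """Accounts whose password is older than the rotation policy allows."""
        return sorted(a for a, s in self.vault.items() if now - s.rotated_at > max_age)

    def denied_users(self) -> list:
        """Requesters who were refused a password: what an access monitor would watch."""
        return sorted({e["user"] for e in self.audit if not e["granted"]})


def demo() -> dict:
    """Run the controls over constructed data and return the observable results."""
    now = datetime(2011, 5, 24, tzinfo=timezone.utc)
    # Constructed legacy batch script with the database password baked in.
    legacy_script = 'HOST = "pos-db01"\nDB_PASSWORD = "Welcome1"\nconnect(HOST, DB_PASSWORD)\n'
    broker = CredentialBroker()
    broker.add_user("alice", "dba")
    broker.add_user("bob", "helpdesk")
    broker.add_user("pos-batch", "batch")   # the batch job gets its own identity
    broker.register("pos_db/sa", "Welcome1", {"dba", "batch"}, now - timedelta(days=400))
    broker.register("router/admin", "Tr0ub4dor&3", {"netops"}, now)
    try:
        broker.register("switch/admin", "admin", {"netops"}, now)
        default_rejected = False
    except ValueError:
        default_rejected = True
    alice_got = broker.checkout("alice", "pos_db/sa", "ticket 4711: index rebuild", now)
    try:
        broker.checkout("bob", "pos_db/sa", "curious", now)
    except AccessDenied:
        pass
    stale_before = broker.stale_accounts(now)
    broker.rotate("pos_db/sa", now)   # the script should now fetch it via checkout instead
    return {
        "hardcoded": find_hardcoded_passwords(legacy_script),
        "default_rejected": default_rejected,
        "alice_got_old_password": alice_got == "Welcome1",
        "stale_before": stale_before,
        "stale_after": broker.stale_accounts(now),
        "denied_users": broker.denied_users(),
        "audit_records": len(broker.audit),
    }
```

The point of the sketch is the shape of the controls rather than the storage: a real broker would keep the vault encrypted and the audit log append-only and off-host, and the batch job would call `checkout` under its own identity at run time instead of carrying `DB_PASSWORD` in its source.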

PCI DSS lists specific tactical objectives for IT departments of organizations that collect data relating to payment card holders. While much of the content of the standard is common sense, the standard itself, and the auditors who interpret and enforce it, are driving IT departments toward compliance. And it is the IT departments that endure the effort – and in some cases the pain – of finding and implementing the appropriate tools and techniques to achieve compliance cost-effectively and securely. Cloakware Password Authority was specifically designed to solve the security and efficiency challenges of managing elevated privileged and application-to-application passwords in ways that contribute to measurable and verifiable compliance.

In this age of mergers, acquisitions and layoffs, organizations need to be vigilant in protecting their customers' data. These lapses in security are far too common, and they make illicit access easy. With consumer confidence low and new breaches hitting the front page almost daily, retail organizations must ensure that they are complying with PCI DSS and taking steps to protect vital customer information. Cloakware's Password Authority solution provides retailers with the critical protection they need to safeguard against unwanted access, protecting competitive and proprietary data against external and internal threats.