“We're deeply sorry for the inconvenience and frustration this issue has caused our guests.” Those are the words prepared by the public relations staff for the 40 million Target customers impacted by the data breach announced in December 2013. Besides having their information stolen and sold on the underground market, many of those guests found themselves with banks, credit unions, and state benefit programs closing down their cards as a result of "recent fraudulent activity occurring on customer’s compromised cards.” Those cards have been or will be reissued and the customers will not be financially liable for losses but they still have had unnecessary hassle introduced into their holidays.

It has been widely speculated that the Target breach was the result of a computer virus that was introduced via a software update on every point of sale (POS) device. This is similar to what has been seen before, most recently in October 2013, when a variant of malware (malicious software or virus) assigned the moniker “Dexter” was identified as the culprit in a massive data breach affecting the South African fast-food industry. Like the Target breach, the South African breach cost local banks tens of millions of rand (the South African monetary unit) and is reported to be one of the worst breaches in that country’s history.

In both instances the culprit is reported to steal data through RAM scraping, a technique in which card data is read directly from the computer’s working memory, where the POS software keeps it readily accessible so that transactions can be processed quickly.

On January 19, 2014, Beth Belton of USA Today reported that the virus used in the Target and Neiman Marcus attacks was likely written by a 17-year-old hacker from Russia. As first described in Hospitality Upgrade's Summer 2011 article, “Who’s That Knocking At My Computer”, Russian cybercriminals dominate the threat landscape. Ms. Belton revealed that the teenager, identified as Sergey Taraspov, sold his malware to dozens of cybercriminals for about $2,000.

With credit and debit card fraud growing more prevalent all the time (Nilson Report statistics put this type of fraud at $11.3 billion worldwide in 2012), the pressure on retailers to prevent these types of breaches will only increase.

Ensuring your organization is compliant with the Payment Card Industry (PCI) standards is an important step toward protecting yourself from these types of breaches. It is crucial, however, to remember that good security will always lead to compliance, but compliance will not always lead to good security. As you review your compliance plan for PCI, make sure your goal is more than just to be “minimally compliant.” The extra effort involved in implementing better security controls is well worth it when you consider the impact a breach could have on your business and, more importantly, your reputation.

As a result of the trends in the ways attackers breach credit card data, the Payment Card Industry (PCI) has responded with improved and tougher standards. PCI Data Security Standards (DSS) 3.0, effective beginning January 2014 (although not mandatory until January 1, 2015), provides some overdue new guidance related to point of sale (POS) systems. The new standards would have significantly lowered the risk of a breach of the type that occurred at Target and others.

The changes that impact POS systems fall into one of three categories: scoping, inspection of devices, and anti-malware practices.

Historically organizations have been able to “scope out” much of their network (i.e., carve it out from being subject to the requirements of the standard) by putting their POS system on a separate network segment, i.e., implementing network segmentation. In this way, only the segment of the network on which the POS system resides is subject to the standards and the other network segments are not. The theory behind this is that vulnerabilities in the non-POS segment cannot impact the segment that contains the POS system.

PCI DSS 3.0 still allows you to use segmentation and scope out portions of the network, but now requires proof that the segmentation truly isolates the POS system from the rest of the network. The proof required is in the form of validation through testing that the segments are separate and that a vulnerability in the non-POS segment would not be able to impact the segment containing the cardholder data. Typically a network penetration test is relied upon to provide this validation.
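The core of such a segmentation test is simple: from a host on the out-of-scope segment, attempt to reach every cardholder-data (CDE) host on the services it exposes, and treat any successful connection as a failure of the isolation claim. The script below is an added example, not code from the article or from any PCI tool; the CDE addresses and port list are constructed placeholders, and it assumes it is run from the segment being scoped out.

```python
import socket
from typing import Callable, Dict, Iterable, List

# Constructed sample inventory; replace with the real cardholder data
# environment (CDE) hosts and the services they actually expose.
CDE_HOSTS = ["10.10.20.11", "10.10.20.12"]
PROBE_PORTS = [22, 80, 443, 445, 1433, 3389]

Probe = Callable[[str, int], bool]


def tcp_probe(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP handshake to host:port completes from here."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered, or timed out: no path found
        return False


def segmentation_test(hosts: Iterable[str], ports: Iterable[int],
                      probe: Probe = tcp_probe) -> Dict[str, List[int]]:
    """Probe every CDE host/port from the segment this script runs on.

    Returns {host: [ports that accepted a connection]}. When run from an
    out-of-scope segment, an empty result means no path into the CDE was
    found; any entry is a hole in the segmentation that must be closed
    before the non-CDE segment can be scoped out of the assessment.
    """
    findings: Dict[str, List[int]] = {}
    for host in hosts:
        reachable = [p for p in ports if probe(host, p)]
        if reachable:
            findings[host] = reachable
    return findings


def segmentation_holds(findings: Dict[str, List[int]]) -> bool:
    """True when the out-of-scope segment reached nothing in the CDE."""
    return not findings


if __name__ == "__main__":
    result = segmentation_test(CDE_HOSTS, PROBE_PORTS)
    if segmentation_holds(result):
        print("PASS: no path from this segment into the CDE")
    else:
        for host, ports in result.items():
            print(f"FAIL: {host} reachable on ports {ports}")
```

Keep the run output with the assessment evidence; the assessor will want to see both the probing host's segment and an empty findings list.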

Another new requirement in PCI DSS 3.0 is “9.9 Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.” This requirement, which calls for periodic inspections of POS devices, is considered a best practice under the new standard until June 15, 2015, when it becomes mandatory. It strengthens card-present transactions (like those at the Target stores) by ensuring that terminals are evaluated on a regular basis to confirm they have not been tampered with or replaced.

Lastly, the new standard addresses the need for increased vigilance on systems not commonly targeted by malware attacks. While the standard specifically calls out systems such as the iSeries or AS400, devices running Apple Mac OS would also fall into this category. This recognition that malware and viruses can be created to target any and all technologies is a key improvement to the standard and injects reality for those who think “it can’t happen to me” because their system is not a common target for hackers.