May 24, 2024

Why is PCI Compliance Important?

Jose Alvarado


Table of Contents

What has happened that we need to prevent?
Heartland Cyberattack
Equifax Cyberattack
How does PCI Compliance Help Organizations?
Providing Assurance of Compliance
Reputation
Preventing Cyberattacks

What has happened that we need to prevent?

Heartland Cyberattack

In January 2008, Russian cyber threat actors compromised Heartland's website, leading to the exposure of approximately 130 million credit card numbers. How did they get in? Through a SQL injection flaw, a weakness that an external vulnerability assessment or an external penetration test could have identified. Full card data (credit card numbers, expiration dates and cardholder names) was exposed in this hack. Heartland's response is worth noting: because its customers had lost confidence in the security of their credit card information, Heartland invested heavily in its cybersecurity program and issued a warranty on its services in the hope of retaining its customer base.

Equifax Cyberattack

In September 2017, Equifax was hacked in a breach that impacted over 100 million people; it is estimated that up to 40% of the American population was affected in some fashion. What was stolen? Credit card information, dates of birth, social security numbers and driver's license information. One might ask why this even matters: with the information stolen in the Equifax hack, a cyber threat actor can sell it to others for profit, or use it to steal millions of identities, generating countless instances of fraud. What caused the compromise? A series of security vulnerabilities that Equifax knew about but did not act on. The first was an external vulnerability that was not patched, which let the attackers gain access to Equifax's internal systems; from there, the cyber threat actors were able to compromise, one after another, the various layers of defense Equifax had in place, eventually leading to a complete data leak.


How does PCI Compliance Help Organizations?

Providing Assurance of Compliance

Acquirers and payment brands (Visa, Discover, etc.) require organizations that process, transmit or store credit card data to comply with the Payment Card Industry Data Security Standard (PCI DSS). The volume of credit card data processed, transmitted or stored determines the level of PCI compliance required. This assurance reduces the risk of a cyber-attack for the acquirers and payment brands, and in turn gives their customers reasonable assurance that their credit card data is secured.

Reputation

When an organization is either part of the financial industry or works closely with it, it will want to strengthen its reputation with customers and partners. Building its cybersecurity program in alignment with PCI DSS ensures that proper security is implemented when dealing with credit card data.

Preventing Cyberattacks

Any organization aligning with PCI DSS will reduce the likelihood of cyber-attacks, because the requirements focus on basic cybersecurity best practices. For example, if you have an external website, how often do you check it for vulnerabilities, and how often do you patch the vulnerabilities you find? That is a PCI DSS requirement: scan for vulnerabilities and patch them on a schedule appropriate to their risk and impact level. That one control would have helped both Heartland and Equifax.


