Industrial IoT Authors: Yeshim Deniz, Elizabeth White, Stackify Blog, SmartBear Blog, Liz McMillan

Blog Feed Post

The Grinch Who Stole Christmas for Target’s Brand and Customers


40 million card numbers stolen. Will your firm be the next target?

News broke last week that a major retailer was the victim of a massive theft of customer credit card data, in what is becoming an all too common cadence of data breaches.  Thieves made off with not just the credit card numbers, but also the CVV and expiration dates.  If you listen closely, you can probably hear the machines printing up counterfeit cards.  At this point there has been no precise confirmation of the attack vector used to collect the data – and the gory details may never be known, absent some government action and FOIA request.  But in light of what is likely one of the biggest data breaches in history it makes sense to reflect on some of the Payment Card Industry’s (PCI) best practices for protecting customer data.  PCI is more than just compliance but should be viewed as a catalyst to improve overall network defense and data protection.   In this first post we cover high-level PCI & PII practices that can make a difference- in subsequent posts we will decompose into more detail into how the Target Breach could have been prevented.

Protecting the Brand and the Business

The fallout for Target will surely be in the millions of dollars going beyond fines and reimbursements to consumers but to the damage done to the Target brand. Shoppers entrusted their confidence in Target’s information security practices. While Target is doing a good job of notifying customers of the steps they can take to protect their credit ratings, I have seen several shoppers thinking twice about using their credit cards while doing last-minute Christmas shopping — not just at Target but in other retailers and other industries. Undoubtedly customers are more wary than ever to give out credit card data unless they see that “good house keeping” seal of approval that a merchant has tested their POS and back end systems to the best of their ability. This mistrust will also spill over into e-commerce where consumers where already wary of giving out personal data.

PCI Tools for Credit Card Security

Just because a retailer is PCI compliant, that doesn’t mean they’re 100% secure.  But maintaining PCI compliance will reduce the likelihood of data theft – make it hard enough for an attacker and they will hopefully move on to a more vulnerable target.  Unfortunately the scale of compliance can be daunting for many organizations.  Considering the size of last week’s theft – some 40 million account numbers compromised – it’s clear that high-capacity, high-volume solutions are needed.  Many existing solutions haven’t kept pace with rate of technology changes, leading to implementers being overwhelmed attempting to rip and replace as they move more of their businesses online.

cash register

Remediation for legacy technologies can be challenging

There are six milestones in the Prioritized Approach to Pursue PCI DSS Compliance.  These are necessary but not sufficient for security.  Looking at these milestones, it’s clear that the Gateway Pattern can help a retailer (or anyone processing payment card or any other sensitive data) achieve compliance.  Furthermore, a gateway can allow faster remediation of legacy systems and applications because it can be inserted into the application stack without significant modification to these existing applications.  When new best practices are identified, they can be implemented quickly as well, without being mired in the bureaucracy and expense of custom implementations.  This is essential as companies are moving to the cloud for part or all of their transactions.  Here are some pointers on how a service gateway can shorten the path to PCI DSS compliance:

  • First, remove (i.e. redact) sensitive authentication data and limit data retention.  Thieves can’t steal what isn’t there.  Card verification numbers, PINs, and magstripe data tracks are not to be stored, as those will enable unauthorized use in more locations via card not present and ATM use.  With the increasing dependence on web services for transmitting data across systems and providers, the gateway pattern can help fulfill this requirement by redacting internal fields within a data object (e.g. JSON or XML), ensuring that it isn’t persisted or passed downstream to any application that doesn’t require it.
  • Second, protect the perimeter, internal, and wireless networks.  This becomes much more challenging in today’s distributed environments.  Many payment processing systems use private networks and firewalls to prevent unauthorized access.  However, card readers and cash registers are by necessity at the edge, publicly accessible – once a device inside the trusted network is compromised, it can be leveraged to gain additional access.  Going a step further, application-specific firewalls or gateways can provide additional network security, which feeds into the next requirement -
  • Third, secure payment card applications.  Application level security creates an additional internal perimeter to protect against larger-scale data breaches.  An application-specific firewall or gateway can provide an additional layer of security that protects against both external and internal attacks.  A content attack prevention policy, for example, can limit the spread of an attack that comes from a single compromised system.  By monitoring inbound traffic — even from trusted systems — a gateway can help to prevent a content attack such as a code injection masquerading as a valid call from a compromised payment system to a back-end web service or API.
  • Fourth, monitor and control access to your systems.  Entire books can (and have) been written on this topic, but I’ll highlight a few key benefits of a gateway pattern.  First, a multi-tenant gateway allows an organization to separate responsibilities by job function, meaning that a single person doesn’t need to be granted administrative access to every service.  Additional logging capabilities provided by the gateway can aid in early detection of malicious activity, alerting to suspicious traffic or other patterns that warrant attention.  The gateway can also securely sign the logs to ensure that they haven’t been tampered with.
  • Fifth, protect stored cardholder data.  This goes deeper than simply encrypting the volume where the data is stored.  With the move to cloud storage, data is stored in numerous locations – in replicas and application caches in addition to primary storage.  Best practices suggest using tokenization or record-level encryption to protect cardholder data.  For the credit card numbers themselves, tokenization provides an added benefit of a secure central vault that contains the mapping between card numbers and tokens that can safely be passed between applications.  Randomized tokens have no mathematical relationship to the original cardholder data, so systems that only access tokens are effectively removed from audit scope.  This means that the addition of the gateway layer actually reduces audit complexity and cost!
  • Finally, finalize remaining compliance efforts and ensure that controls are in place, including ongoing verification and maintenance of compliance posture.  This is where the gateway pattern (particularly when it includes tokenization) really shines — by attesting that downstream systems and services never touch cardholder data, the retailer can dramatically reduce the scope of work to be done.  Audit and verification costs time and money (best practices include using an outside specialist), so reduction in scope means less complexity and therefore much less cost.  In addition to the insurance against potential costs from a data breach, scope reduction can save millions of actual dollars in audit.


Thieves are getting savvy with their attempts to gather cardholder data on all fronts.  Attacks on retailers and banks, while difficult to pull off, present potentially enormous return on investment.  If successful, they also put a tremendous liability on any organization that doesn’t adequately protect their data.  Maintaining customer trust and brand reputation means being a good custodian of data – not just credit cards, but also names, email addresses, and any other personal information.  Gaining and maintaining PCI compliance is a good first step in protecting customer data, and with it the corporate brand.  Using best practices and tools to do so can accelerate the compliance process and reduce the overall cost of staying compliant.  A couple of resources that can help take the next step in using tokenization for PCI compliance:  a Tokenization Buyer’s Guide, and a QSA Security Assessor’s guide that explains how using a gateway for tokenization helps to remove systems from audit scope.

The post The Grinch Who Stole Christmas for Target’s Brand and Customers appeared first on Application Security.

Read the original blog entry...

More Stories By Application Security

This blog references our expert posts on application and web services security.

@ThingsExpo Stories
The standardization of container runtimes and images has sparked the creation of an almost overwhelming number of new open source projects that build on and otherwise work with these specifications. Of course, there's Kubernetes, which orchestrates and manages collections of containers. It was one of the first and best-known examples of projects that make containers truly useful for production use. However, more recently, the container ecosystem has truly exploded. A service mesh like Istio addr...
Predicting the future has never been more challenging - not because of the lack of data but because of the flood of ungoverned and risk laden information. Microsoft states that 2.5 exabytes of data are created every day. Expectations and reliance on data are being pushed to the limits, as demands around hybrid options continue to grow.
Poor data quality and analytics drive down business value. In fact, Gartner estimated that the average financial impact of poor data quality on organizations is $9.7 million per year. But bad data is much more than a cost center. By eroding trust in information, analytics and the business decisions based on these, it is a serious impediment to digital transformation.
Business professionals no longer wonder if they'll migrate to the cloud; it's now a matter of when. The cloud environment has proved to be a major force in transitioning to an agile business model that enables quick decisions and fast implementation that solidify customer relationships. And when the cloud is combined with the power of cognitive computing, it drives innovation and transformation that achieves astounding competitive advantage.
As IoT continues to increase momentum, so does the associated risk. Secure Device Lifecycle Management (DLM) is ranked as one of the most important technology areas of IoT. Driving this trend is the realization that secure support for IoT devices provides companies the ability to deliver high-quality, reliable, secure offerings faster, create new revenue streams, and reduce support costs, all while building a competitive advantage in their markets. In this session, we will use customer use cases...
Digital Transformation: Preparing Cloud & IoT Security for the Age of Artificial Intelligence. As automation and artificial intelligence (AI) power solution development and delivery, many businesses need to build backend cloud capabilities. Well-poised organizations, marketing smart devices with AI and BlockChain capabilities prepare to refine compliance and regulatory capabilities in 2018. Volumes of health, financial, technical and privacy data, along with tightening compliance requirements by...
Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life settlement products to hedge funds and investment banks. After, he co-founded a revenue cycle management company where he learned about Bitcoin and eventually Ethereal. Andrew's role at ConsenSys Enterprise is a mul...
The best way to leverage your Cloud Expo presence as a sponsor and exhibitor is to plan your news announcements around our events. The press covering Cloud Expo and @ThingsExpo will have access to these releases and will amplify your news announcements. More than two dozen Cloud companies either set deals at our shows or have announced their mergers and acquisitions at Cloud Expo. Product announcements during our show provide your company with the most reach through our targeted audiences.
DevOpsSummit New York 2018, colocated with CloudEXPO | DXWorldEXPO New York 2018 will be held November 11-13, 2018, in New York City. Digital Transformation (DX) is a major focus with the introduction of DXWorldEXPO within the program. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term. A total of 88% of Fortune 500 companies from a generation ago are now out of bus...
With 10 simultaneous tracks, keynotes, general sessions and targeted breakout classes, @CloudEXPO and DXWorldEXPO are two of the most important technology events of the year. Since its launch over eight years ago, @CloudEXPO and DXWorldEXPO have presented a rock star faculty as well as showcased hundreds of sponsors and exhibitors! In this blog post, we provide 7 tips on how, as part of our world-class faculty, you can deliver one of the most popular sessions at our events. But before reading...
DXWordEXPO New York 2018, colocated with CloudEXPO New York 2018 will be held November 11-13, 2018, in New York City and will bring together Cloud Computing, FinTech and Blockchain, Digital Transformation, Big Data, Internet of Things, DevOps, AI, Machine Learning and WebRTC to one location.
DXWorldEXPO LLC announced today that "Miami Blockchain Event by FinTechEXPO" has announced that its Call for Papers is now open. The two-day event will present 20 top Blockchain experts. All speaking inquiries which covers the following information can be submitted by email to [email protected] Financial enterprises in New York City, London, Singapore, and other world financial capitals are embracing a new generation of smart, automated FinTech that eliminates many cumbersome, slow, and expe...
DXWorldEXPO | CloudEXPO are the world's most influential, independent events where Cloud Computing was coined and where technology buyers and vendors meet to experience and discuss the big picture of Digital Transformation and all of the strategies, tactics, and tools they need to realize their goals. Sponsors of DXWorldEXPO | CloudEXPO benefit from unmatched branding, profile building and lead generation opportunities.
DXWorldEXPO LLC announced today that ICOHOLDER named "Media Sponsor" of Miami Blockchain Event by FinTechEXPO. ICOHOLDER give you detailed information and help the community to invest in the trusty projects. Miami Blockchain Event by FinTechEXPO has opened its Call for Papers. The two-day event will present 20 top Blockchain experts. All speaking inquiries which covers the following information can be submitted by email to [email protected] Miami Blockchain Event by FinTechEXPO also offers s...
With tough new regulations coming to Europe on data privacy in May 2018, Calligo will explain why in reality the effect is global and transforms how you consider critical data. EU GDPR fundamentally rewrites the rules for cloud, Big Data and IoT. In his session at 21st Cloud Expo, Adam Ryan, Vice President and General Manager EMEA at Calligo, examined the regulations and provided insight on how it affects technology, challenges the established rules and will usher in new levels of diligence arou...
Dion Hinchcliffe is an internationally recognized digital expert, bestselling book author, frequent keynote speaker, analyst, futurist, and transformation expert based in Washington, DC. He is currently Chief Strategy Officer at the industry-leading digital strategy and online community solutions firm, 7Summits.
Digital Transformation and Disruption, Amazon Style - What You Can Learn. Chris Kocher is a co-founder of Grey Heron, a management and strategic marketing consulting firm. He has 25+ years in both strategic and hands-on operating experience helping executives and investors build revenues and shareholder value. He has consulted with over 130 companies on innovating with new business models, product strategies and monetization. Chris has held management positions at HP and Symantec in addition to ...
Cloud-enabled transformation has evolved from cost saving measure to business innovation strategy -- one that combines the cloud with cognitive capabilities to drive market disruption. Learn how you can achieve the insight and agility you need to gain a competitive advantage. Industry-acclaimed CTO and cloud expert, Shankar Kalyana presents. Only the most exceptional IBMers are appointed with the rare distinction of IBM Fellow, the highest technical honor in the company. Shankar has also receive...
Enterprises have taken advantage of IoT to achieve important revenue and cost advantages. What is less apparent is how incumbent enterprises operating at scale have, following success with IoT, built analytic, operations management and software development capabilities - ranging from autonomous vehicles to manageable robotics installations. They have embraced these capabilities as if they were Silicon Valley startups.
Cloud Expo | DXWorld Expo have announced the conference tracks for Cloud Expo 2018. Cloud Expo will be held June 5-7, 2018, at the Javits Center in New York City, and November 6-8, 2018, at the Santa Clara Convention Center, Santa Clara, CA. Digital Transformation (DX) is a major focus with the introduction of DX Expo within the program. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive ov...