68% of I.T. executives at U.S. and U.K. organizations who say PCI compliance is the backbone of their security program say that they’re confident their security controls can detect rogue applications, such as those used to steal data. But the results don’t square with reality, security experts say.
Many retailers fail to grasp the threats they face, says Karl Sigler, manager of threat intelligence at security firm Trustwave.
For instance, 68% of I.T. executives at retail and financial services organizations in the United States and the United Kingdom who say PCI compliance is the backbone of their security program also say they’re confident their security controls can detect rogue applications, such as those used to steal data, according to a survey of those organizations conducted by research firms Dimensional Research and Atomic Research and commissioned by security software vendor Tripwire Inc.
Moreover, 89% of those respondents say they would be able to detect a breach within three days, and 64% say they are very confident they could detect unauthorized network shares, which is how the criminals used a Target Corp. vendor’s security credentials to steal records from up to 110 million consumers.
Those results don’t square with reality, security experts contend. According to a recent Trustwave report, 71% of breached companies don’t detect the breach themselves, and the median number of days between the initial intrusion and detection last year was 87 days. Even once a breach was detected, the median number of days before it was contained was seven.
The Tripwire findings show that not all merchants understand that while PCI compliance protects cardholder data, a PCI-compliant retailer may still be at risk.
“Many businesses look at PCI compliance as an end-all, be-all to security,” Sigler says. “But it’s just a baseline for security.”
Meanwhile, criminals understand that PCI compliance doesn’t mean a retailer can’t be hit, adds Chris Novak, managing partner of Verizon’s RISK team, the communications provider’s computer forensics practice. “No hacker is going to say, ‘That retailer is PCI compliant so I’ll move on,’” he says.
In fact, Target’s breach shows that PCI compliance doesn’t remove all vulnerabilities and that criminals are constantly on the lookout for a way into merchants’ systems.
“Security people have to run around constantly checking every window and door to make sure none are unlocked and open,” Novak says. “Because if they miss one, [criminals] will find it.”
Read more about data security in the September cover story of Internet Retailer magazine.
August 21, 2014, 12:34 PM | By Zak Stambor, Managing Editor