Dave Taylor has another guest post on StoreFrontBackTalk, this one alluding to a lack of audit resources to mind the storefront (like Minding the Gap!).
Store front security continues to be an issue for retailers even outside of PCI. Take physical security for example. Realize that a major retailer’s data center tends to be a hardened facility that is not easily accessed (with the exception of a few notable ones that are for another post). There are security guards, badged access, and sometimes even man traps. Now visit that same retailer’s store front. You might find accessible Ethernet jacks, or worse, a system room door that is unlocked or left wide open. Walk into there with an official ID and you might just jack in to that same VLAN or security level as if you jumped through all the hoops at the data center!
The point that Dave makes is the same one I’ll make here. There are two things that will greatly mitigate the risks associated with weak physical security in the stores.
- Remove all card data from the store (How about most of it? Or just unencrypted data?)
- Deploy end-to-end encryption from the POS Terminal to the data center.
Companies that treat their store networks as trusted are fooling themselves. Those networks are either already hacked, or could easily be hacked (even if you ignored the obvious insider threat!). End to end encryption is a best practice for PCI (and in my opinion, it should stay that way for now), but it is definitely an example of layered security on top of compliance that will greatly increase a company’s resistance to a breach.
Possibly Related Posts:
- Equifax is only half the problem, your SSN needs a redesign!
- Orfei Steps Down
- Two reports, many questions
- The Beginning of the End, No PCI DSS 4.0 in 2016
- We Should Question Bold Claims that PCI Is “Highly Effective”