CFCA Insider
March 12, 2014

Hacked: Is Your Customer Card Data Safe From a Breach?


Mid-December security breaches affected both Neiman Marcus and Target, with Target’s affecting more than 40 million customer credit and debit cards and more than 70 million customers’ personally identifiable information. Incidents like these pose a significant threat to a company’s reputation, and they highlight the importance of not only maintaining security and controls over customer card data but also staying compliant with the Payment Card Industry Data Security Standard (PCI DSS) issued by the PCI Security Standards Council.

According to Target, the credit and debit card breach occurred from November 27 through December 15—some of the busiest days of the holiday shopping season, including Black Friday. Although the extent of the Neiman Marcus breach is not yet known, a forensics firm confirmed that the upscale retailer was the victim of a possible criminal cybersecurity intrusion and that some customers’ credit and debit cards may have been compromised.

Target has said that the database the attackers accessed also included details on customers who had shopped at Target before November 27. The stolen information includes names, mailing addresses, phone numbers, and e-mail addresses. This portion of the data breach further exposes those customers to a greater risk of identity theft. There’s also a risk that thieves will try to use the information to create new accounts in customers’ names.

Stolen credit and debit card accounts have flooded the black market in the weeks following the Target breach, selling in batches of one million cards for anywhere from $20 to more than $100 per card.

Depending on the volume of cardholder transactions and the nature of your card services, your organization and its service providers may need to comply with the PCI DSS, which is designed to satisfy a variety of security goals and allow organizations to report on their compliance status on an annual basis. The PCI DSS is composed of six domains, or tenets, as follows:

1. Build and maintain a secure network.
2. Protect cardholder data.
3. Maintain a vulnerability management program.
4. Implement strong access control measures.
5. Regularly monitor and test the network.
6. Maintain an information security policy.

Complying with these requirements is a baseline for securing credit card data, not a guarantee, as the breaches of the last few years have shown. In several of those breaches, the organization had undergone a PCI examination and been found compliant with the PCI DSS. Unfortunately, however, most entities are not actually compliant at the time of an attack.

The key to complying with the PCI DSS is twofold: first, assess your business strategies and controls with security in mind; second, provide ongoing employee training on security concerns. Your CIOMA Moss Adams representative can help you evaluate your PCI DSS compliance and develop a strategy for data security. For more information, please contact:

Mike Boldt, CPA
Partner
916-503-8150
fuel@mossadams.com


