How can we avoid payment related data breaches and learn from the past?

Having recently attended the PCI DSS Community Meeting organised by the PCI Security Standards Council, where data breaches were discussed, we would like to highlight some payment breaches that took place in recent years, with some advice on how we can learn from them.


  1. Let’s start with the case of British Airways, who confirmed a breach of the payment information of over 380,000 customers in 2018. The breach succeeded because scripts on the payment forms had been modified to send payment details to an attacker-controlled server while still performing their intended function, so that the change went unnoticed. The malicious code is thought to have entered via the supply chain. The result was a huge fine and, of course, a great deal of damage to BA’s reputation. Access to the full article, published by BBC News, can be found here.

Lesson learned: The University contracts numerous providers that are involved in the card payment process, and it is paramount that their level of compliance with PCI DSS is monitored on a regular basis.


  2. The second breach involves Dixons Carphone, an electronics retailer, who confirmed that 105,000 customers’ payment card details had been compromised in 2018 because the affected terminals did not have chip-and-PIN protection in place and the security measures applied within the company were poor. Access to the full article, published by BBC News, can be found here.

Lesson learned: The University uses terminals for handling customer-present transactions. If these are not provided by the Finance Division, be sure to verify that the models/solutions you are using have been validated by the PCI Council. (This can be checked on the PCI Security Standards Council website.)


  3. The third and final example involves several Aldi stores in the United States. In 2018, cyber criminals placed skimmers on top of the card terminals in checkout lines. When a card was swiped, the skimmer stored the card number and the associated PIN, which the criminals downloaded at a later stage.

Lesson learned: Departments that use PDQ terminals shall provide relevant training to staff and ensure that they know how to recognise signs of tampering. Procedures shall be established to define how often tamper checks are carried out. (This may vary depending on the location of the PDQ terminal and the level of risk associated with it.)


The above incidents show that organisations can be exploited in many ways. Lack of PCI awareness and training, poor communication with third parties, and missing or weak due diligence processes are all common errors, but they can be mitigated by applying the controls set out in the Standard (PCI DSS).
