10 Data Security Lessons of 2015
August 4, 2015 7:30 AM
Protecting payment card data is a never-ending struggle, and the fraudsters are only getting more creative. So far this year several incidents and studies have demonstrated the evolving nature of cybercrime.
Data Doesn't Disappear
Ashley Madison, a dating site for cheaters, made a promise it couldn't keep: It said that it could delete users' data without a trace (for a fee) if they choose to leave the site. But its breach proved the data was still out there, and this is a problem other companies face with containing payment data as well.
Crime Never Stops
After a massive data breach in 2008 prompted Heartland Payment Systems to scour its systems for any previously overlooked vulnerabilities, the payment processor still wasn't able to shore up its defenses completely. This year, it dealt with a different kind of breach a physical burglary , in which four computers were stolen from a payroll office. The machines might have contained personal data of 2,200 people.
Fingerprints Don't Do Enough
Apple popularized the use of fingerprint authentication for mobile devices and payments, but even its Touch ID system isn't foolproof. Phones protected with Touch ID can still be unlocked with a PIN , so Apple plans to raise the minimum PIN length to six characters when it updates iOS this year.
A Small Breach Is a Big Deal
There's no such thing anymore as a breach that is too small to report, which is why Vermont's Attorney General stepped in when the 17 victims of a breach at Embassy Suites did not receive notification of the incident within the timeframe mandated by the state.
Glitches Make Headlines
The so-called glitchfest, a series of tech outages affecting an airline, a newspaper and the New York Stock Exchange, raised red flags throughout the financial services industry. Though the problems were chalked up to coincidence, regulators still took notice and reached out to banks to check in. Those banks had to make sure they had a plan in place in case something nefarious was going on.
PCI Compliance Is Hard to Hold
Staying compliant with the Payment Card Industry data security standard is tough work; Verizon's 2015 report on PCI trends found that less than a third of companies overall are found to be fully PCI-compliant less than a year after a successful validation. Richard Moulds, vice president of product strategy at Thales e-Security, put it bluntly: "Companies fall out of compliance almost instantly upon achieving it."
Mind the Basics
Even as the payments industry pushes the addition of EMV and tokenization technology, many companies are still failing to cover the basics, Visa's risk chief Ellen Richey says. For example, many professionals are not changing the default passwords on sensitive systems, she warns.
Physical Security for Digital Systems
Just because a system is digital doesn't mean that firewalls and encryption are the best tools to defend it. "You could have the most secure bank in the world with locked doors, three-foot thick fences and gates that come down at night, but they still have an alarm inside of it," said Javelin analyst Al Pascual. There are software-based alarm systems that can alert a company when a cyber-intruder inevitably gets through its defenses.
Consumers Can Help
With mobile banking apps, consumers can manage any aspect of their accounts on the go. They can limit their card's spending to certain merchant categories or temporarily shut the card off entirely if it gets misplaced. If a bank wanted to, it could even use these tools to place the liability for fraud on the consumer thus giving the consumer an incentive to use these anti-fraud tools proactively.
But Don't Count on Them
Even with consumers holding new anti-fraud capabilities in their hands, they won't have the expertise of a security professional. Consumers make bad assumptions about their security, which is why phishing scams still work.
