BreachExchange mailing list archives

European retail data breaches largely hidden, SC Congress told


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 4 Jun 2014 19:50:06 -0600

http://www.computerweekly.com/news/2240221833/European-retail-data-breaches-largely-hidden-SC-Congress-told

The growing number of data breaches at US retailers is largely down to
mandatory breach disclosure laws, according to Tim Holman, president of
ISSA-UK and chief executive at security consultancy 2-sec.

“There are a huge number of breaches and payment card-related frauds, but
there is no law yet requiring companies to disclose them,” he told the SC
Congress in London.

“However, that picture will change if Europe introduces planned mandatory
breach notification legislation,” he said.

One of the biggest problems in the retail sector is that too many
organisations view the payment card industry data security standard (PCI
DSS) as a tick box exercise, said James McKinlay, head of information
security and PCI DSS subject matter expert at Atos Worldline UK and Ireland.

“PCI DSS is not used to drive and increase baseline security,” he said.

McKinlay believes the standard is aimed at little more than helping
retailers to establish a security baseline, and that merely achieving
compliance is no guarantee of security.

“There is so much more retailers could and should be doing beyond the
requirements of PCI DSS to reduce the risk of exposing payment card data,”
he said.

Retailers should use PCI DSS as a way of raising security awareness across
the organisation, improving data handling processes and ensuring
technological controls are up to date and working.

PCI DSS has come under criticism because US retailer Target and payment
processing firm Heartland both experienced breaches while being nominally
PCI DSS compliant.

But Holman defended the standard and PCI DSS qualified security assessors
(QSAs).

“Many of the PCI DSS control assessments are interview-based, so if
retailers are not answering QSA questions truthfully and not following
their advice and PCI guidelines, they will not be secure,” he said.

Holman agreed that evidence-based assessments would ensure a higher degree
of security, but said that would be too time consuming, especially for
larger organisations, and was therefore not practical.

Dave Whitelegg, senior information security and PCI consultant at Capita,
said the best way for retailers to reduce their risk of data loss is to
avoid holding payment card data as far as possible.

“The best approach is to find ways of outsourcing all payment processes so
that no payment card data is held or processed by the retailer.

“Alternatively, if payment card data cannot be avoided, ensure that it is
encrypted from end to end so that even if systems are breached, attackers
cannot use the data to commit fraud,” he said.

McKinlay said retailers in general should also move away from focusing on
avoiding breaches alone and pay more attention to how well they can cope in
the event of a breach.

“Relatively few retailers are properly prepared for breaches and have
up-to-date breach and incident management plans in place,” he said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com
