A Wake-up Call?


Hackers who attacked point-of-sale terminals at Target stores captured personal data of more than 70 million Target shoppers during the recent holiday season, and Target was not the only retailer attacked. Neiman Marcus also appears to have been subject to a similar siege. IntelCrawler, a cyber intelligence firm, recently suggested that several other U.S. merchants are currently plagued by similar malicious software.

How Does This Affect Us in the Tolling Industry?
AET systems require extensive payment card processing. Since tolling is considered politically incorrect by some, toll operations may be at greater risk than other, less visible targets. Therefore, it may not be a matter of if the toll industry will be subject to an attack, but when.

The direct cost of a data breach, estimated at over $3 billion for Target, could be significant. However, the direct cost may be small compared to the loss of public confidence. A major breach at one toll facility could quickly cascade into a public relations nightmare for the entire industry.

Industry Security Standards
All major credit card processors must meet data security standards established by the Payment Card Industry Security Standards Council. The Payment Card Industry Data Security Standard (PCI DSS) was created to increase controls on cardholder data and reduce credit card fraud. Compliance is verified annually. Large-volume processors are required to have an external Qualified Security Assessor review their systems and operations and prepare a Report on Compliance, which may include a list of improvements that must be implemented to minimize the risks associated with a security breach.

How Could A Data Security Breach Happen?
PCI DSS establishes a baseline of data security requirements. Thus, an operation can be PCI DSS compliant and still not be secure. PCI DSS compliance comprises a series of high-level concepts that give operators the flexibility to implement the security controls most appropriate for their environment while meeting the intent of the standard. Also, PCI DSS verification is a process that occurs at a single point in time. It is the responsibility of the operator to sustain compliance throughout the year. Rapidly changing technology and an increasingly aggressive group of people intent on defrauding the system make this an ever-increasing challenge.

What Should We Do?
We should be aggressively managing data security issues. In addition to meeting minimum PCI DSS standards, we should strive to achieve higher security levels than those mandated, including:

• conducting an immediate review of all operating policies and procedures and correcting any shortfalls identified

• retaining a data security expert to stress test current systems and operations

• upgrading systems and modifying operations policies and procedures where recommended

• verifying that upgrades and modifications were successful, and

• periodically (at least bi-annually) reviewing/stressing our systems and operations to ensure that data security requirements are being sustained.

Other suggestions on how best to manage this challenge are welcome.

© 2014 The eTrans Group, Inc.
