Over 90% of US Retailers Fail PCI DSS

Haythem Elmir

Security in the retail industry has significantly worsened over the past year, to the point that over 90% of domains analyzed recently were found to be non-compliant with PCI DSS.

SecurityScorecard analyzed 1,444 domains in the US retail industry between October 2017 and March 2018 and concluded that, while cyber-criminals had become increasingly sophisticated, retail IT security departments had largely failed to keep pace.

Application security was a particular weakness: retail ranked second-worst of the industries assessed, behind only the entertainment sector.

On social engineering, often the first stage of an attack or data breach in the form of phishing emails, retail performed worst of the 18 industries appraised.

In 91% of the retail domains analyzed, the business failed four or more requirements of the PCI DSS standard. Requirement 6, which covers developing and maintaining secure systems and applications, was the most troublesome, with 98% failing it.

This includes Requirement 6.2, which mandates that organizations keep up to date with security patches, applying critical ones within one month of release and others within three. Some 91% failed this requirement.

“A reason many retailers lack compliance with Requirement 6.2 is that the increased number of vendors makes mapping updates more time-consuming,” the report claimed. “A retailer that uses different vendors for cloud storage, operating systems, data backup, mPOS, and POS may have a hard time following every update for each of these. In addition, some updates may be critical security updates while others focus on better usability.”

PCI DSS also requires organizations to understand their cardholder data flows and to identify the systems, servers, and networks that must be protected. According to the report, this scoping work is another area of weakness for retailers.

“As part of the process, organizations need to build firewall and router rules that restrict inbound and outbound traffic,” it explained. “These restrictions need to specify all ‘untrusted’ networks and hosts, especially wireless ones. As part of this restriction, no public access can occur between the internet and system components in the Cardholder Data Environment (CDE).”
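The rule the report describes, restricting inbound and outbound traffic so that no public path exists between the internet and system components in the CDE, is one that can be checked mechanically rather than only at audit time. The following Python script is an added example written for this page, not SecurityScorecard's or the PCI Security Standards Council's tooling: it evaluates a small first-match firewall policy against representative public source addresses and flags any inbound or outbound path it allows to a constructed CDE range. The address plan, the two policies, the update-relay address 10.10.0.50 and the probe ports are all constructed for illustration.

```python
"""Audit a first-match firewall policy for internet <-> CDE paths.

Constructed example for this page (not SecurityScorecard tooling).
Rules are "src_cidr dst_cidr dst_port|any allow|deny", evaluated top
to bottom; anything unmatched is implicitly denied.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed address plan for the cardholder data environment.
CDE_NET = ipaddress.ip_network("10.20.0.0/24")

# Representative "untrusted" public addresses (RFC 5737 documentation ranges).
PUBLIC_ADDRS = ("203.0.113.10", "198.51.100.7")

# Ports a practitioner would probe for exposed database/admin services.
PROBE_PORTS = (22, 443, 1433, 3389)

# Weak policy: a "temporary" vendor RDP rule open to the whole internet and a
# blanket outbound allow from the CDE. Both violate the no-public-access rule.
WEAK_POLICY = """
10.10.0.0/24 10.20.0.0/24 1433 allow
0.0.0.0/0    10.20.0.0/24 3389 allow
10.20.0.0/24 0.0.0.0/0    any  allow
0.0.0.0/0    0.0.0.0/0    any  deny
"""

# Hardened policy: only the DMZ/web tier (10.10.0.0/24) reaches the CDE database
# port, and the CDE may only reach an internal update relay (constructed 10.10.0.50).
HARDENED_POLICY = """
10.10.0.0/24 10.20.0.0/24  1433 allow
10.20.0.0/24 10.10.0.50/32 443  allow
0.0.0.0/0    0.0.0.0/0     any  deny
"""


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]  # None means any destination port
    action: str          # "allow" or "deny"


def parse(policy: str) -> List[Rule]:
    """Parse the whitespace-separated rule format; '#' lines are comments."""
    rules = []
    for line in policy.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port, action = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"bad action in rule: {line}")
        rules.append(Rule(ipaddress.ip_network(src), ipaddress.ip_network(dst),
                          None if port == "any" else int(port), action))
    return rules


def decide(rules: List[Rule], src: str, dst: str, port: int) -> str:
    """First matching rule wins; implicit deny when nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and (r.port is None or r.port == port):
            return r.action
    return "deny"


def audit(policy: str) -> List[Tuple[str, str, str, int]]:
    """Return every (direction, public_ip, cde_ip, port) the policy allows."""
    rules = parse(policy)
    findings = []
    cde_hosts = [str(h) for h in list(CDE_NET.hosts())[:2]]  # sample two CDE hosts
    for pub in PUBLIC_ADDRS:
        for cde in cde_hosts:
            for port in PROBE_PORTS:
                if decide(rules, pub, cde, port) == "allow":
                    findings.append(("inbound", pub, cde, port))
                if decide(rules, cde, pub, port) == "allow":
                    findings.append(("outbound", pub, cde, port))
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        hits = audit(policy)
        print(f"{name}: {len(hits)} internet<->CDE path(s) allowed")
        for direction, pub, cde, port in hits[:5]:
            print(f"  {direction:8} {pub} <-> {cde}:{port}")
```

The weak policy fails for the two reasons that most often survive a point-in-time assessment: an exception added for vendor remote access that was never removed, and an outbound rule that lets CDE systems reach the whole internet because "updates need it". The hardened version keeps the legitimate DMZ-to-database path and routes outbound traffic through a single internal relay, so the audit reports no public paths in either direction. Running a check like this on every policy change, rather than once a year, is the practical difference between point-in-time and continuous compliance.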

The challenge is ensuring retailers move from “point-in-time” compliance to continuous efforts, SecurityScorecard argued.
