PCI DSS compliance (Payment Card Industry Data Security Standard) - those in the e-commerce, financial and retail industries know this means a lot of money, time and manpower. Many try to skirt the issue and, instead of investing in a PCI hosting partner that has been independently PCI audited, go for the cheaper guy. Why don’t you want to do that? Because you don’t want to suffer a data breach and the costly litigation, fees and reputation management that result.
And because the cheaper guy doesn’t even know what PCI compliance is, nor what technical or physical security requirements should be in place on his end to help you achieve compliance.
A few weeks ago, the FTC filed suit against Wyndham Worldwide, a major hotel chain, and three of its subsidiaries over the data of 600,000 credit cardholders that was stolen in less than two years across three separate incidents. According to the FTC’s lawsuit, this resulted in more than $10.6 million in fraud losses. Not sure why it took two more data breaches than necessary to elicit a lawsuit, but three certainly calls for serious action.
[In the HIPAA compliance world of healthcare, repeated data breaches would show a lack of ‘due diligence’ or ‘willful neglect,’ meaning the organization or business failed to prove it had the standard security in place to meet compliance. Or, if it contracted with a third party, it had failed to thoroughly vet that service provider’s ability to meet compliance. Although the following list is HIPAA-specific, it is still handy to apply to any data center provider and any type of compliance need - read up on the top Five Questions to Ask Your HIPAA Hosting Provider.]
Back to the Wyndham case – in all three incidents, hackers were the root cause of the data breaches. They had compromised the security of Wyndham’s data center in Phoenix, Arizona, which houses the corporate network and central reservation system. According to the lawsuit, Wyndham failed to have many standard PCI security measures in place, both at its data center and at its chain of hotels. Here’s a list of what they were charged with (and what you should avoid):
- They failed to use firewalls between their property management systems, corporate network and the Internet.
- The software at their hotels was misconfigured, leaving cardholder data stored unencrypted.
- They failed to check that their hotels implemented information security policies and procedures before connecting local computer networks to the corporate network.
- They even failed to resolve known security vulnerabilities on their servers. For example, some of their servers ran outdated systems that could no longer receive security updates or patches. Connected to the corporate network, these servers were a serious weak point and a potential entry point for hackers.
- They left default user IDs/passwords on servers connected to their corporate network; these defaults were easily found with an online search and gave hackers access to the network. They also didn’t use complex or hard-to-guess passwords – for example, remote access to their property management system was achieved by using “micros” as both the user ID and the password (Micros Systems, Inc. developed that system).
- They didn’t employ any security measures to detect and prevent unauthorized access to the corporate network (anything from an IDS (Intrusion Detection System) to a WAF (Web Application Firewall), or even daily logging and log review, may have helped detect and prevent access).
- They also didn’t follow proper incident response procedures after their data breaches – including failing to monitor their corporate network for the malware that had compromised their systems in a previous incident.
- Finally, they failed to limit third-party vendor access to the corporate network and property management systems, for example by restricting access to specific IP addresses or granting only temporary/limited access.
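Two of the failures above (default credentials such as “micros”/“micros”, and vendor access not restricted to known IP addresses) are exactly what a daily log review would catch. The following is an added example, not from the original post or the Wyndham case file: a small review script run over constructed login log lines. The log format, the default-account list and the vendor allowlist (a documentation IP range) are all assumptions.

```python
"""Daily log review check (added example, not part of the original post).

Flags successful logins that use vendor default account names, and remote
access from addresses outside an approved vendor allowlist. The log line
format, sample lines, account names and allowlist are constructed.
"""
import ipaddress
import re

# Constructed format: "<ts> <host> login user=<name> src=<ip> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)

# Assumed default account names that should never show up in a successful login.
DEFAULT_ACCOUNTS = {"micros", "admin", "root", "guest"}

# Assumed vendor allowlist: only this network may reach the property management hosts.
VENDOR_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]


def review(lines, allowlist=VENDOR_ALLOWLIST, default_accounts=DEFAULT_ACCOUNTS):
    """Return a list of (reason, line) findings for a batch of log lines."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            findings.append(("unparseable", line))  # never silently drop a line
            continue
        if m["result"] != "ok":
            continue  # failed attempts are not flagged by this check
        if m["user"].lower() in default_accounts:
            findings.append(("default-account-login", line))
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            findings.append(("unparseable", line))
            continue
        if not any(src in net for net in allowlist):
            findings.append(("remote-access-outside-allowlist", line))
    return findings


# Constructed sample log: one default-account login from an unknown address,
# one normal login, one failed attempt, one vendor login from outside the allowlist.
SAMPLE_LOG = [
    "2012-06-26T02:14:05Z pms-01 login user=micros src=198.51.100.7 result=ok",
    "2012-06-26T02:15:11Z pms-01 login user=jsmith src=203.0.113.40 result=ok",
    "2012-06-26T02:16:40Z pms-02 login user=admin src=203.0.113.41 result=fail",
    "2012-06-26T02:17:02Z pms-02 login user=vendor_svc src=192.0.2.9 result=ok",
]

if __name__ == "__main__":
    for reason, line in review(SAMPLE_LOG):
        print(f"{reason}: {line}")
```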
The actual complaint is a very interesting read (if you’re into reading lawsuits), as it details how the hackers got into the system in each incident. I listed all of their weak points to educate you on how to avoid a data breach, and to make a stronger case for partnering with a PCI hosting provider.
A PCI hosting provider knows certain things – for instance, that encryption of cardholder data, daily log review and WAFs are required to appropriately secure credit card information – and knows how to deploy this technology for you or refer you to a trusted partner. A managed hosting provider also knows that server operating systems need patch management and updates in order to keep up with the latest security vulnerabilities. And a PCI hosting provider knows it should not have access to any credit cardholder data stored on your servers.
To find out more about what a PCI compliant data center and hosting provider should entail, read our PCI Compliant Data Center white paper. It explores the impact of the PCI DSS standard on data centers and server infrastructure, describes the architecture of a PCI compliant data center both technically and contractually, and outlines the benefits and risks of data center outsourcing, along with vendor selection criteria.
Or use the additional PCI resources below to learn about the standards, whether you need to achieve compliance and how to do so, and more:
FTC v. Wyndham Worldwide and Subsidiaries (PDF)