The joy of credit card audits
Mar. 28th, 2014 02:11 pm![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
thewayneBig merchants like Target have to get an annual audit that their IT systems are secure for processing credit cards. The level of audit varies, depending on whether or not they store credit card info internally. For example, Amazon stores your credit card so they have a (theoretically) more stringent audit.
Small merchants, like a mom & pop coffee house, don't normally get audited, they just send in a questionnaire to Visa/Mastercard.
The problem is, every merchant that has been hacked has passed the audits. In one case, they were being hacked WHILE BEING AUDITED. And it wasn't noticed.
The issue is that the auditors are not doing a really comprehensive job. They look for some things and miss others, like the merchant who was storing unencrypted credit card info for five years.
And aside from auditors not looking thoroughly and trying to do penetration tests, any configuration change or network change or replacing the firewall or router on an otherwise compliant and safe network can introduce a host of vulnerabilities.
IT security is a moving target, and there is no easy solution. Visa/MC forcing merchants and vendors to replace their equipment with chip and PIN systems by October 2015 is a step in the right direction, but it's going to be expensive and while transitioning, bring in a host of vulnerabilities all on their own.
http://www.wired.com/threatlevel/2014/03/trustwave-target-audit/
Small merchants, like a mom & pop coffee house, don't normally get audited, they just send in a questionnaire to Visa/Mastercard.
The problem is, every merchant that has been hacked has passed the audits. In one case, they were being hacked WHILE BEING AUDITED. And it wasn't noticed.
The issue is that the auditors are not doing a really comprehensive job. They look for some things and miss others, like the merchant who was storing unencrypted credit card info for five years.
And aside from auditors not looking thoroughly and trying to do penetration tests, any configuration change or network change or replacing the firewall or router on an otherwise compliant and safe network can introduce a host of vulnerabilities.
IT security is a moving target, and there is no easy solution. Visa/MC forcing merchants and vendors to replace their equipment with chip and PIN systems by October 2015 is a step in the right direction, but it's going to be expensive and while transitioning, bring in a host of vulnerabilities all on their own.
http://www.wired.com/threatlevel/2014/03/trustwave-target-audit/
