In hindsight, many big-time security breaches appear as if they were bound to happen. Home Depot, for example, was following a number of poor practices before it suffered a major breach earlier this summer. According to an article in the New York Times, the hardware and home improvement giant was using antivirus software from 2007, wasn't continuously monitoring the network for suspicious behavior and its vulnerability scans were few and far between. In fact, only a handful of stores even received such service. These were all factors that led to the incident where over 50 million customers were likely compromised following months of fraudulent activity.
According to a recent CIO article, it never should have come to this, because Home Depot was allegedly PCI compliant, meaning it followed best security practices and only used technology that met PCI standards. Now, these standards are very much the minimum requirements that all retailers should adhere to. Jen Miller, the article's author, says they are in theory a good thing because they are constructed in a way that allows merchants to follow security best practices in a cost-effective manner. PCI compliant organizations can go above and beyond the low-end standards (and many do), as it is often necessary to keep up with the ever-growing complexities of cyber crime.
Stephen Orfei, GM of PCI SSC, released a statement following the Home Depot incident in which he acknowledged that PCI standards will likely have to adapt to a changing landscape.
"The threat landscape is constantly evolving, and PCI SSC expects security standards to do the same," he said. "Recent attacks are concerning, but we are confident that, in partnership with our community of experts, we are keeping our standards and guidance sharply focused on securing payment card data globally."
Meanwhile, Vinny Troia, CEO of Night Lion Security, an information security consulting firm, says Home Depot should never have been compliant, regardless of how low the minimum standards are set. He says that organizations must at least monitor their logs on a daily basis, which, based on the magnitude of the Home Depot breach, clearly didn't happen.
"Any time that data was being collected and siphoned off and sent somewhere else, that would have been captured in the security logs," he said. "If you have the equivalent of a leaky faucet, and you're looking at it every day, you're going to notice it. Maybe you look at it once a week. If things get really bad, maybe once a month. But Home Depot dragged it on for five months before they figured it out."
Regardless of whether Home Depot kept up with compliance standards or whether the standards simply aren't high enough, the fact remains that a credit card security breach is a very real problem and can happen to just about any organization, large or small. Even if a retailer is PCI compliant, it can still fall victim to a data breach. But if retailers follow best practices and are cognizant of any suspicious activity, they can go a long way towards alleviating any serious risk.