Lax attitude to PCI, security costing businesses: Investigator

Hackers shouldn't be the first to test Web defences, says computer forensics expert

Merchants who view security and payment card industry (PCI) compliance as an extra cost will be rueing the decision when hackers hoping to swipe credit card data strike, believes one industry specialist.

The PCI Data Security Standard was created by Visa, MasterCard and other major credit card brands, and is administered by the PCI Security Standards Council.

All companies that accept payment cards are required to implement the 12 high-level security controls prescribed by the standard in order to help mitigate credit card fraud. Larger companies face significantly tougher compliance requirements than smaller firms.

Klein&Co director, Nick Klein, who works with Vectra on PCI breaches, told Computerworld Australia that Vectra had investigated 15 PCI breaches in 2011 alone. Last year, 35 breaches were reported from customers in Australia and New Zealand.

The hackers, all based overseas and compromising servers in one country to use as a channel for attacks elsewhere, were quick to find weak spots in websites and extract data such as credit card information.

Klein said he was surprised that more companies did not test their own Web defences first.

"We talk to merchants and they give us various reasons, but the attackers who break into your site should not have been the first person who ever tested your security," he said.

Klein also warned that attackers were changing tactics from point of sale (POS) manipulation to focus solely on e-commerce, as it was relatively easy to commit an attack and yield card details.

He advised that companies could improve PCI compliance by not holding card data on site.

"If companies don't store data on their systems and use third-party processing, that hugely reduces your risk," Klein said.

"Fundamentally, if you don't have a list of data to steal, then how much of a target are you?"

Simple security measures such as keeping operating systems updated with security patches were "critical", and doing the same for all application systems was key.

"You don't need a big complicated, expensive infrastructure to be well secured," Klein said.

"In an environment where easy targets are being compromised, there are a lot of things you can do which are cheap or even free that would make you far less of a target than others out there."

Klein added that the organisation's research turned up different results from those in overseas reports from companies such as Verizon.

"The feedback we get [from customers] about those reports is that those ones tend to aggregate what is happening overseas," he said.

"In fact, a lot of the data is based towards the US market. We know from our experience that what is happening in Australia is slightly different."

Klein is scheduled to present at the upcoming security conference AusCERT in May.

IDG Communications is an official media partner for AusCERT 2011.

Got a security tip-off? Contact Hamish Barwick at hamish_barwick at
