As details filter out about the Home Depot hack (and many, many more data breaches), you can't help but ask: How did this happen, especially when the company was supposed to adhere to a specific set of security standards or else lose its ability to process credit card transactions?
According to The New York Times, flaws in Home Depot's security allowed customer information to be stolen for months, unnoticed. Those flaws include running outdated Symantec antivirus software from 2007, not continuously monitoring the network for suspicious behavior, and performing vulnerability scans irregularly and at only a small number of stores.
This shouldn't have happened. Home Depot, like any merchant that accepts credit cards, must comply with security standards set by the Payment Card Industry Security Standards Council. Formed in 2006 by the major card brands, the council sets minimum security requirements (the PCI Data Security Standard, or PCI DSS) for any organization that stores, processes, or transmits cardholder data.
"The threat landscape is constantly evolving, and PCI SSC expects security standards to do the same," Stephen W. Orfei, GM of PCI SSC, said in a statement. "Recent attacks are concerning, but we are confident that, in partnership with our community of experts, we are keeping our standards and guidance sharply focused on securing payment card data globally."
PCI Sets 'Baseline' Security Standards
In theory, PCI is good for retailers. Security is expensive, but PCI sets a minimum standard that everyone must adhere to, which discourages competitors from cutting corners to maximize profits.
"PCI standards provide a strong baseline protection and should be part of any risk-based and layered approach to security," Orfei says, adding that version 3.0 of the PCI Data Security Standard addresses "how to make security 'business as usual,' what to consider when working with third parties and how to use layers of defense to protect against malware."
That said, PCI compliance is no guarantee against fraud. Mike Lloyd, CTO of RedSeal Networks, a security risk management solutions firm, equates it to the signs in bathrooms that tell employees they must wash their hands before returning to work.
"It's not the be all and end all of perfect medical care. Those signs aren't perfect hygiene, but it's setting a basic bar, and if everybody follows that, we're all better off," he says. In the same way, PCI standards set that minimum bar: "They require your competitors to come up to the same base level."
If your competitors follow those minimums, that is. Based on the information Vinny Troia has seen about the Home Depot hack, he doesn't think the retailer should have passed its assessment: the company allegedly wasn't reviewing its logs daily, which PCI DSS Requirement 10.6 calls for.
"Any time that data was being collected and siphoned off and sent somewhere else, that would have been captured in the security logs," says Troia, CEO of Night Lion Security, an information security consulting firm. "If you have the equivalent of a leaky faucet, and you're looking at it every day, you're going to notice it. Maybe you look at it once a week. If things get really bad, maybe once a month. But Home Depot dragged it on for five months before they figured it out."
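The daily review Troia describes, as an added example that is not code from the article or from any company it quotes: a small script that reviews one day of outbound flow records against the days before it, flagging a host that starts sending data to a destination it has never used or sends many times its usual daily volume, then simulates how long the same leak goes unnoticed when the review runs daily, weekly, or monthly. The log format ("date host destination bytes"), the host names, the addresses (203.0.113.10 and 198.51.100.77 are from documentation address ranges), and the byte counts are all constructed for the example.

```python
"""Daily egress review over constructed outbound-flow logs (added example)."""
from collections import defaultdict
from statistics import median


def constructed_log():
    """Build a constructed log: two POS hosts talk to a payment gateway every day;
    from 2014-04-04 on, pos-1042 also ships ~800 KB a night to a drop site."""
    lines = []
    for d in range(1, 11):
        day = f"2014-04-{d:02d}"
        lines.append(f"{day} pos-1042 203.0.113.10 {12000 + 100 * d}")
        lines.append(f"{day} pos-1043 203.0.113.10 {11800 + 50 * d}")
        if d >= 4:  # hypothetical memory scraper starts exfiltrating
            lines.append(f"{day} pos-1042 198.51.100.77 {800000 + 1000 * d}")
    return "\n".join(lines)


def parse_log(text):
    """Parse 'YYYY-MM-DD host dst_ip bytes_out' lines into tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, host, dst, nbytes = line.split()
        records.append((day, host, dst, int(nbytes)))
    return records


def review_day(records, day, ratio=5.0):
    """Review one day's egress per host against everything logged on earlier days.

    A host is flagged when it sends to a destination not seen before, or when its
    total egress exceeds `ratio` times its median daily total. Hosts with no prior
    history are skipped: there is nothing to compare against yet.
    """
    prior_totals = defaultdict(lambda: defaultdict(int))  # host -> day -> bytes
    known_dst = defaultdict(set)                           # host -> destinations
    today = defaultdict(lambda: defaultdict(int))          # host -> dst -> bytes
    for d, host, dst, n in records:
        if d < day:  # ISO dates compare correctly as strings
            prior_totals[host][d] += n
            known_dst[host].add(dst)
        elif d == day:
            today[host][dst] += n

    findings = []
    for host, per_dst in today.items():
        history = list(prior_totals[host].values())
        if not history:
            continue
        total = sum(per_dst.values())
        baseline = median(history)
        reasons = []
        new = sorted(set(per_dst) - known_dst[host])
        if new:
            reasons.append("new destination(s): " + ", ".join(new))
        if total > ratio * baseline:
            reasons.append(f"egress {total} bytes is {total / baseline:.0f}x "
                           f"the {baseline:.0f}-byte daily median")
        if reasons:
            findings.append({"day": day, "host": host, "bytes": total,
                             "reasons": reasons})
    return findings


def first_detection(records, cadence_days):
    """Simulate a review every `cadence_days` days, each covering the days since
    the previous review. Returns (day the review ran, first flagged day), or
    None if the log ends before any review catches anything."""
    days = sorted({r[0] for r in records})
    unreviewed = []
    for i, day in enumerate(days, start=1):
        unreviewed.append(day)
        if i % cadence_days:
            continue
        for d in unreviewed:
            if review_day(records, d):
                return day, d
        unreviewed = []
    return None


if __name__ == "__main__":
    recs = parse_log(constructed_log())
    for f in review_day(recs, "2014-04-04"):
        print(f["day"], f["host"], f["bytes"], "; ".join(f["reasons"]))
    for cadence, label in ((1, "daily"), (7, "weekly"), (30, "monthly")):
        print(f"{label:8s} review: {first_detection(recs, cadence)}")
```

With the constructed data the daily review flags pos-1042 on the first night of exfiltration, the weekly review reports it three days later, and a monthly review never runs before the log ends, which is Troia's leaky-faucet point in miniature. The new-destination rule is the stronger of the two signals here; the volume ratio alone would miss a scraper that trickles data out slowly, so real deployments pair this kind of review with allow-lists of the destinations a POS host is permitted to reach at all.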