Another merchant joins the ever-growing list of POS system security breaches. Eddie Bauer reports that malware was installed on its POS systems and may have affected transactions in its retail stores from Jan 2 to July 17, 2016. The company says it has since removed the malware.
As the article below implies, it may be time to think about a better security standard than PCI DSS.
View the full article at www.eweek.com
Retailer Eddie Bauer is the latest organization to reveal that it was the victim of a malware breach of its point-of-sale (POS) systems. Payment cards used at Eddie Bauer from Jan. 2 until July 17, 2016, were potentially affected by the POS malware breach.
“Unfortunately, malware intrusions like this are all too common in the world that we live in today,” Mike Egeck, CEO of Eddie Bauer, wrote in an open letter. “In fact, we learned that the malware found on our systems was part of a sophisticated attack directed at multiple restaurants, hotels and retailers, including Eddie Bauer.”
The company is working with the FBI to identify those responsible for the attack, and Eddie Bauer is now conducting a comprehensive review of its infrastructure to limit the risk of a future breach, Egeck said.
POS systems are attractive, frequent targets, and in many ways are low-hanging fruit, said security experts.
“These types of targeted point-of-sale malware attacks are continuing to occur on a regular basis, and the news of this latest breach comes as no surprise,” Jeff Man, security advocate at Tenable Network Security, told eWEEK. “For every publicly reported breach like Eddie Bauer, there are literally hundreds of smaller merchants being compromised that we don’t hear about.”
Cesar Cerrudo, CTO of IOActive Labs, commented that he’s not surprised by the Eddie Bauer breach, as most companies are always catching up on security. He added that it’s difficult to properly protect against all threats, but that companies should be able to quickly identify, contain and isolate attacks, which wasn’t the case with Eddie Bauer.
Payment systems are typically subject to PCI DSS (Payment Card Industry Data Security Standard) compliance requirements, which are supposed to provide a baseline level of security for retailers. Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, isn’t a fan of PCI DSS.
“PCI DSS is becoming increasingly circus-like,” Bocek told eWEEK. “It’s the checklist that even retailers agree has become a less-than-effective dinosaur.” Georgia Weidman, CTO and founder of Shevirah, emphasized that PCI DSS is only a small part of a much larger security puzzle.
“Every company that has been spectacularly hacked in the last three years has been PCI compliant—Sony, Target, Anthem, pick your favorite,” Weidman told eWEEK. “Obviously, based on that evidence, while a good step in the right direction, PCI is not sufficient to protect against breaches.” PCI DSS is only a small part of a mature security program, Weidman said: such a program includes testing, and not just the specific set of checks the PCI committee picked out for a certain set of IT assets, but comprehensive testing of all assets, including humans, mobile devices and physical controls, to assess and mitigate the risk of compromise.
It’s important to understand that demonstrating PCI DSS compliance was never intended to prevent all breaches from occurring, Man said, adding that it was intended to provide some basic level of security to companies that don’t historically pay a lot of attention to data security.
“PCI DSS, when followed correctly, is not intended to stop breaches, but to detect them early and minimize the damage,” Man said. “The original intent of the PCI DSS was to provide a safe harbor for merchants when they experienced breaches, so they could demonstrate that they were practicing some level of due diligence in terms of data security and avoid paying the fines and replacement costs associated with the breaches.”
PCI DSS is extremely valuable when applied correctly, Man said. He noted that, unfortunately, too many companies (merchants, vendors and providers) focus more on limiting the scope and reducing the burden of PCI compliance, rather than treating the PCI DSS for what it is—a decent, fairly comprehensive framework for applying sound data security principles in organizations that previously had little or no organized data security practices.