01-17-12 | Blog Post
Stratfor, the latest target of hackers, lost credit cardholder data in December that was released to the public later that month. The data belonged to thousands of customers, including politicians, military officers, government officials and business executives.
Stratfor is a private international affairs research firm that may not have encrypted cardholder data before storing it in its database, allowing hackers to access and release customer credit card numbers. As a result of lax online security, the firm’s website was taken down and it lost a month’s worth of subscriptions – forcing the company to draw on its savings to survive.
The PCI DSS (Payment Card Industry Data Security Standard) is regulated by major industry card-issuers, including VISA, American Express, Discover, MasterCard and JCB International, and applies to companies that accept, store, process and transmit cardholder data.
The second of the goals into which the standard’s 12 requirements are grouped is to Protect Cardholder Data. Within this goal, Requirement #3 states that the company must protect stored cardholder data, while Requirement #4 explicitly states:
Encrypt transmission of cardholder data across open, public networks.
The detailed requirements call for industry best practices to implement strong encryption for authentication and transmission over wireless networks that carry cardholder data or are connected to the cardholder data environment. When it comes to outsourcing a hosting solution, your PCI hosting provider should provide evidence that the network is secure and encrypted.
The provisions also strictly forbid sending unprotected PANs (Primary Account Numbers) by email, instant messaging, chat, etc.
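As an added illustration of the two requirements above (not code from the original post, nor from Stratfor, Zappos or the PCI Security Standards Council), the following Python helpers show what "protect stored cardholder data" and "no unprotected PANs by email or chat" look like in practice: a PAN is masked for display (at most first six and last four digits), truncated or replaced by a keyed one-way index token before storage, and an outbound message is scanned for Luhn-valid card numbers so that a mail or chat gateway can block it. The function names, the sample email and the key are this example's own constructed choices.

```python
"""PAN handling helpers for PCI DSS Requirement 3 (stored cardholder data)
and the ban on sending unprotected PANs by email, IM or chat.

Added example; not from the original post or from any product it names.
"""
import hashlib
import hmac
import re

# Runs of 13-19 digits, optionally separated by single spaces or dashes,
# are candidate PANs. The Luhn check below removes most false positives
# (order numbers, phone numbers, timestamps).
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def _digits(pan: str) -> str:
    """Strip separators so '4111 1111 1111 1111' and '4111111111111111' agree."""
    return re.sub(r"\D", "", pan)


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) checksum that every payment card PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: no more than the first six and last four digits visible."""
    digits = _digits(pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def truncate_pan(pan: str) -> str:
    """Storage form when the full PAN is never needed again: keep last four only."""
    return _digits(pan)[-4:]


def pan_index_token(pan: str, key: bytes) -> str:
    """Keyed one-way token (HMAC-SHA256) usable as a lookup index for a PAN.

    The key must live outside the database that holds the tokens; with the
    key, a stored token is still one-way, without it the token is useless.
    """
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()


def find_unprotected_pans(text: str) -> list:
    """Return Luhn-valid PANs found in an outbound message, already masked
    so the alert or log entry does not itself leak the number."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = _digits(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


# Constructed sample message; the card numbers are public test numbers,
# the order number is a 13-digit value that fails the Luhn check.
SAMPLE_EMAIL = (
    "Hi, please charge 4111 1111 1111 1111 (exp 01/14) for order 1234567890123 "
    "and move the balance to 5555-5555-5555-4444. Thanks!"
)


if __name__ == "__main__":
    hits = find_unprotected_pans(SAMPLE_EMAIL)
    print("unprotected PANs in outbound mail:", hits)
    print("display form:", mask_pan("4111111111111111"))
    print("stored form (truncated):", truncate_pan("4111111111111111"))
    print("index token:", pan_index_token("4111111111111111", b"example-key")[:16], "...")
```

A gateway that applies `find_unprotected_pans` to outbound email or chat, and a data layer that stores only `truncate_pan` or `pan_index_token` output, address the two points in the text without keeping a readable PAN anywhere; the sample order number shows why the Luhn check matters, since a 13-digit run that is not a card number produces no alert.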
Stratfor’s subsequent steps will be to limit the scope of compliance by outsourcing credit card processing to a vendor. They are also revamping their website, email and internal systems with the help of an Internet security firm.
Zappos, the online shoes and apparel retailer owned by Amazon, most recently suffered a data breach that may affect more than 24 million customers. An internal email to their employees reports that a hacker gained access to their internal network through one of their servers located in Kentucky.
Although they report that no credit card or payment information was accessed, they are urging customers to change passwords on their online accounts. Names, contact information, password hashes and the last four digits of their credit card numbers were accessed. The company has not released any other details about the incident due to the ongoing investigation.
Need more information about PCI compliance? Watch our pre-recorded PCI webinar series hosted by Online Tech and led by expert Adam Goslin, co-founder of High Bit Security.
Payment Card Industry (PCI) Data Security Standard: Requirements and Security Assessment Procedures Version 2.0
Stratfor Relaunches Web Site in Wake of Attack
Zappos Latest Company Hit by Data Breach
Zappos Hacked; Notifying 24+ Million Zappos.com and 6pm.com Customers of Breach and to Reset Passwords