Target admitted last week that the credit and debit card information of tens of millions of its customers had been obtained by thieves. The criminals reportedly made off with the data (including the card number, the card owner’s name, and the card expiration date and CVV code) of 40 million credit and debit cards used at Target stores between November 27 and December 15. Though Target hasn’t released any information on how it thinks the security breach occurred, many IT security experts believe that it must have been a highly sophisticated attack and that it may have involved someone who had access to or knew a lot about Target’s payment card processing system. And though there are many aspects of this security breach that are unique—such as the amount of data stolen, the fact that it happened to one of the biggest retailers in the country, and the fact that it happened during the busiest time of the year for retailers—there are still several lessons that ordinary businesses with a much smaller number of customers can learn from this incident, including:
It’s important to comply with the PCI DSS. The Payment Card Industry Data Security Standard (PCI DSS) requires businesses to encrypt customers’ credit and debit card information. The PCI DSS also prohibits the storing of CVV codes. Target will have to pay a considerable fine if it turns out that it violated the PCI DSS.
IT infrastructures need 24x7x365 protection. With 24x7x365 security monitoring, Target might have been able to detect the initial attempts to breach its network or revoke the hackers’ access at any point during the 19-day intrusion.
Internal security should be as high a priority as protection from external hackers and malware. The possibility that the Target breach may have involved a Target employee is a reminder that internal security controls are just as important as protections from external threats. Some of the internal security measures that businesses should consider implementing include: access logs, access control (for example, access to databases that contain customers’ credit card information should be restricted), and security policies (for example, requiring employees to pick a strong password and change it every couple of months, and changing employees’ passwords whenever they leave the company).
To protect themselves from security breaches like Target’s, businesses should sign up for IT security services from SACA Technologies, a leading provider of outsourced IT Orange County and technical support Orange County services. Some of the IT security services that we offer include 24x7x365 infrastructure and network monitoring, firewall installation and management, malware removal, internal security assessments, and PCI DSS audits. Contact us at firstname.lastname@example.org or 1-888-603-9030 to sign up for any of our outsourced IT Orange County or technical support Orange County services today!