Following the news that a Buca di Beppo Parent admits breaching a month after 2 million customer cards sold online, Jonathan Deveaux commented and offered advice for organizations to avoid a similar situation.
Jonathan Deveaux, Head of Enterprise Data Protection at comforte AG:
“If Italian food doesn’t give you heartburn, a data breach will! Cut and copy any news headline in the past five years involving a data breach, and paste the headline right here. Remember Target? The Home Depot? Wendy’s? PaneraBread? Now it’s Buca Di Beppo.
The number of high-profile data breaches is continually growing, and many companies with point of sale (PoS) devices are struggling to implement end-to-end enterprise-wide data security measures.
At comforte AG, we are seeing a trend where companies who process payments, like payments services providers (PSPs) and payment processors, are increasing their overall card data security program. Data security tokenization (not to be confused with payment tokens) is increasingly deployed within these organizations who need to anonymize card data. Data security tokenization allows organizations to remove the actual credit card or debit card number (aka PAN or Primary Account Number) from their databases and files. As a result, if an attacker steals the data from databases or files, the data is worthless to them because they took tokenized data instead of the original PANs. Compliance regulations like PCI DSS mandate this level of card data protection, so these organizations are saving themselves from paying out-of-compliance fees. Companies are also using data security tokenization to handle cross-regulatory requirements for handling personal data, which address GDPR, HIPAA, and others.
What then, can retailers, merchant service providers, and other organizations who process payments, and also have an inventory of PoS devices do? These organizations can also look at deploying security tokenization. Depending on how the network of servers are set up at retailers and merchants service providers, there may be a local server configured at each site, where the PoS devices for that store connect. The local server then connects to the central server in a data center located somewhere else. Security tokenization can be extended to secure card data on these local servers, thus protecting PANs in cases where hackers and bad actors target specific locations to install credit-card stealing malware.
For retailers, merchant service providers, hotel networks, restaurants, and others, it is their brand and reputation that is affected, and we as consumers, suffer heartburn of yet another payment card data breach.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.