Home Depot: Yet another retail breach. PCI compliance just doesn’t cut it

Retail IT, Security

What do Home Depot, UPS, and Target have in common? Well, aside from all providing budget-friendly furniture, all three have been the recent target of data breaches involving Point-Of-Sale (POS) units containing customer financial information.

Now, when a data breach occurs, someone always has to play the blame game. “It’s the store’s fault. Their IT security wasn’t compliant. Clearly they should have fixed x and prepared for y…” Well, I don’t believe approaching these sorts of issues from that angle is productive. Security is never infallible and *stuff* happens, so wear a helmet and get used to it or get out of the business.

If you want to blame something, blame the reliance placed on regulations as a means of securing customer information. Regulations are not, and have never been, a catchall solution. A chef doesn’t make good food because their restaurant passed a health inspection, yet, in IT security, people throw around the types of compliance they have like that’s something significant. That’s not how it works. If you work in retail IT, then PCI compliance isn’t some sort of badge of honor; it’s more like an acknowledgement that you’re not incompetent. If you had a room full of people and you wanted to find the most educated, you wouldn’t start by asking who completed grade school, so if you only judge a breached business by whether it was compliant or not, you’re asking the wrong questions. Compliance is a minimum requirement and, like most minimum requirements, it logically follows that anything greater than it is better. What we need to start asking, then, is “could this breach have been reasonably avoided?”

These businesses were legally required to be PCI compliant, but there’s so much more to providing IT security than following some paint-by-numbers security guidelines. The key thing about IT security is that you can never eliminate the risk; you can only mitigate it. That leaves one question remaining: could the Home Depot breach have been reasonably avoided?

I can’t easily answer that. Depending on how you look at it, the breach was both avoidable and unavoidable. It’s impossible to know, because we don’t know whether Home Depot did a good job securing their customers’ data; that information hasn’t been released yet. What I can say is that if more banks had adopted chip-based credit cards, then the breach wouldn’t have been as bad. Chip cards are harder and more expensive to “clone,” thus making them less valuable to criminals. Would this have prevented the breach? Probably not. Would it have decreased the damage? Yes, significantly so.

If you think about it, though, that’s IT security in a nutshell. There’s no such thing as absolute security. The only absolute in IT security is the absolute chance of any system being breached. P(Breach) ≠ 0 and whatnot. If someone wanted to dedicate enough resources, they could breach any system. To combat this, those in IT security must follow a constant process of checking and confirming that their systems are as they should be. It’s a process of confirming that vulnerabilities are secured as they are discovered.

In summary:

Could more have been done to prevent the Home Depot breach?

Sure, there’s always more that can be done to improve security.

Does the status of their PCI compliance matter?

Not that much, except from a legal standpoint.

Would having stronger security have made a difference?

Not necessarily, but it couldn’t have made it worse.

Now, I’m not the kind of guy to self-promote in the aftermath of a major breach, but we have a free eBook on how AuthAnvil can help secure retail IT. It covers how many of our features can help to meet and surpass the requirements of PCI DSS. So, if you’re interested in what PCI compliance actually requires or are looking to beef up your systems’ security, just Click Here.

Author: Harrison Depner
