All retailers, whether they take payment online or offline, must keep their customers’ payment card data secure. Complying with the Payment Card Industry Data Security Standard (PCI DSS) is how they demonstrate that they do.
Our client, a leading retailer of accessories and jewellery in Europe, asked us to assess the security of its cardholder-data environment to confirm it was compliant with PCI security standards. We carried out a variety of tests on the external and internal infrastructure, as well as an application assessment, a firewall assessment, and a till analysis on a sample till located in the client's head office.
Our application assessment showed that the application's databases were missing several critical security patches and that the application relied on outdated software versions with numerous known vulnerabilities. We also found the application using clear-text protocols such as FTP and Telnet, which expose sensitive data, such as usernames and passwords, to anyone able to intercept the traffic. Our till analysis showed that the till environment was insufficiently locked down: we were able to break out of the restricted environment and run privileged commands on the device.
Our review of the client’s firewall rules showed that they allowed very open access: if any single host were compromised in the future, the attacker would effectively have unrestricted access to the entire affected network range. In addition, the firewall's security features were not enabled, and the rule configuration was weak because, like the client’s application, it permitted access over clear-text protocols.
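The two firewall weaknesses above (over-broad "allow" rules and clear-text services) are easy to check for mechanically once a ruleset has been exported. The following is an added example written for this page, not a tool used in the assessment; the rule representation, the `BROAD_PREFIX` threshold and the `CLEARTEXT_PORTS` mapping are assumptions chosen for illustration, and the sample ruleset is constructed rather than taken from the client's environment.

```python
"""Audit a firewall ruleset for over-broad allow rules and clear-text services.

The Rule shape is a hypothetical, vendor-neutral representation; a real
ruleset would be exported from the firewall and parsed into it first.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Well-known clear-text services (assumed mapping; extend as needed).
# An "allow" for any of these is flagged because credentials and other
# sensitive data would cross the network unencrypted.
CLEARTEXT_PORTS = {
    21: "FTP",
    23: "Telnet",
    69: "TFTP",
    80: "HTTP",
    110: "POP3",
    143: "IMAP",
    161: "SNMPv1/v2c",
    389: "LDAP",
    513: "rlogin",
    514: "rsh",
}

# A prefix this short (or shorter) is treated as "the whole range" (assumed threshold).
BROAD_PREFIX = 16


@dataclass
class Rule:
    name: str
    action: str           # "allow" or "deny"
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None means all ports


def _is_broad(cidr: str) -> bool:
    """True for 'any' or for a prefix covering a /16 or larger."""
    if cidr.lower() == "any":
        return True
    return ipaddress.ip_network(cidr, strict=False).prefixlen <= BROAD_PREFIX


def audit(rules: List[Rule]) -> List[str]:
    """Return one human-readable finding per weak 'allow' rule."""
    findings = []
    for r in rules:
        if r.action.lower() != "allow":
            continue
        # Finding 1: a rule that lets whole ranges talk to whole ranges gives
        # a single compromised host free lateral movement across the segment.
        if _is_broad(r.src) and _is_broad(r.dst):
            scope = "all ports" if r.dport is None else f"port {r.dport}"
            findings.append(f"{r.name}: allows {r.src} to reach {r.dst} on {scope}")
        elif r.dport is None:
            findings.append(f"{r.name}: allows all ports from {r.src} to {r.dst}")
        # Finding 2: the rule permits a clear-text protocol.
        if r.dport in CLEARTEXT_PORTS:
            svc = CLEARTEXT_PORTS[r.dport]
            findings.append(f"{r.name}: permits clear-text {svc} (port {r.dport}) to {r.dst}")
    return findings


# Constructed sample ruleset (not the client's). R1 and R2 show the weak
# patterns; R3 and R4 show tightened equivalents (single hosts, SSH/HTTPS).
SAMPLE_RULES = [
    Rule("R1", "allow", "10.10.0.0/16", "10.20.0.0/16", "any", None),
    Rule("R2", "allow", "any", "10.20.5.10/32", "tcp", 23),
    Rule("R3", "allow", "10.10.1.5/32", "10.20.5.10/32", "tcp", 22),
    Rule("R4", "allow", "10.10.1.5/32", "10.20.5.11/32", "tcp", 443),
    Rule("R5", "deny", "any", "any", "any", None),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

Run against the sample, the audit reports R1 (range-to-range on all ports) and R2 (Telnet), and is silent on the tightened rules; in practice the exported ruleset is far larger and the output is a starting point for the rule-by-rule justification PCI DSS expects, not a verdict on its own.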
Our report identified the issues we had found to give our client a clear understanding of the gaps in its security. We also provided a detailed set of recommendations on how to remediate these issues and raise security to a level compliant with PCI security standards.
If your business requires PCI compliance, contact one of our PCI Qualified Security Assessors now or learn more about our PCI audit and compliance capabilities.
To develop your own audit and compliance capability, consider taking our Payment Card Industry Data Security Standard (PCI DSS) Implementation training course.