Smaller companies that have not attained PCI compliance have become the targets of a new wave of cybercriminals, according to GovInfoSecurity. Any firm that handles payment data is at risk, and the attackers' focus has shifted from the number of records that can be stolen to how easily a system can be broken into. To keep customer and partner data secure, a company needs defenses at every step of a transaction, not just at the point where the card is accepted.
Merchants under attack
According to the source, the Global Payments breach of 2012 was one of the most visible examples of a new type of attack on companies that hold payment card data. In that case, a payment processor had its defenses penetrated, exposing roughly 1.5 million cardholders' information.
The current threat, Secret Service cybersecurity expert Erik Rassmussen told the source, is to small merchants. These businesses can find malware planted on their systems, which the attackers later activate to harvest payment card data.
Rassmussen stated that four Romanian hackers recently used malware planted in the systems of more than 100 Subway restaurants; the computers remained compromised for more than a year before the intrusion was caught. The increase in danger, according to GovInfoSecurity, comes from the growing volume of payment card data held by small companies that previously ran standalone point-of-sale systems with no network connection. Now that every connected point of purchase is a potential entry point, the need for PCI compliance among these companies is on the rise.
PCI can help
Many small companies, however, are unsure how to proceed with PCI compliance. Security expert John Graham told the source that attackers have noticed this, and the past 12 months have seen a rash of breaches. The firms in question are classified as Level 4 by Visa, meaning they process fewer than 1 million Visa transactions a year. Non-compliance is common among such merchants, at least for the time being.
"Level 4 merchants are a huge hole," Gartner analyst Anton Chuvakin told GovInfoSecurity. "I've met more than a few that don't even know PCI exists."
TechTarget contributor John Weathington wrote that compliance with standards such as PCI is only the first step in protecting a company from breaches. Reaching those milestones is fairly easy, he stated; the harder work is building on them to form a more robust overall security program. As a caution against treating compliance as the finish line, Weathington noted that a payment systems company recently forced to pay more than $100 million in damages was breached despite being in compliance at the time.