Last week the hacking groups Anonymous and TeaMp0isoN announced that they have joined forces in an operation dubbed ‘Operation Robin Hood’ whose mission is ‘to take credit cards and donate to the 99% as well as various charities around the globe’. The groups claim that they have already taken ‘Chase, Bank of America and CitiBank credit cards’ with big breaches across the map.
Regardless of the truth behind these claims, how can organisations stop these sorts of attacks from succeeding? Whether hackers are trying to steal credit card details from banks, retailers or another part of the transaction chain, the best way to protect cardholder data is strong encryption with keys secured in hardware.
When cardholder data is in transit, the most secure method of protecting it is Point-to-Point Encryption (P2PE) with the keys held in Hardware Security Modules (HSMs). Most Qualified Security Assessors (QSAs), the auditors who assess compliance with PCI DSS, recommend or require HSMs to manage data protection.
In addition, the P2PE requirements document recently published by the PCI Security Standards Council makes extensive reference to HSMs rather than software solutions. One reason for this is that the document looks to improve security by focusing on key management and key separation. It would be extremely difficult to prove to a QSA that these requirements are being met without using an HSM.
PCI DSS mandates that cardholder data must be protected when in storage. Tokenisation, the process of replacing a credit card number with a random value that carries no information about the original, is often deployed to meet this requirement. This means that the database which stores the tokens and their corresponding card numbers (the token vault) becomes a point of vulnerability. Again, the best way to protect token databases is with strong encryption using HSMs.
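To make the two controls concrete, here is an added example (not code from the original post or from any vendor) modelling both the in-transit P2PE flow and the at-rest token vault with every key kept behind a hardware boundary. `HsmStub`, `TokenVault`, the `poi_capture` / `merchant_forward` / `acquirer_decrypt` functions and the test card number are all constructed for this illustration; the stub's cipher is a standard-library encrypt-then-MAC construction used only so the block runs offline, and a single stub stands in for both the terminal's secure device and the acquirer's HSM, which in a real P2PE solution are separate devices sharing injected keys.

```python
"""Model of P2PE for card data in transit and an HSM-backed token vault for
card data at rest.  Added example; HsmStub is a stand-in for a real HSM and
its stdlib cipher is only there so the block runs offline."""
import hashlib
import hmac
import secrets


class HsmStub:
    """Stand-in HSM: keys are generated and used inside this object and never
    leave it; callers only ever hold an opaque key handle."""

    def __init__(self):
        self._keys = {}  # handle -> 32-byte key, private to the device

    def generate_key(self, label):
        handle = f"{label}:{secrets.token_hex(4)}"
        self._keys[handle] = secrets.token_bytes(32)
        return handle

    def _subkey(self, handle, purpose):
        # Key separation: distinct encryption, MAC and index keys per handle.
        return hmac.new(self._keys[handle], purpose, hashlib.sha256).digest()

    def _keystream(self, enc_key, nonce, length):
        out = b""
        for counter in range((length + 31) // 32):
            out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                            hashlib.sha256).digest()
        return out[:length]

    def encrypt(self, handle, plaintext):
        enc_key, mac_key = self._subkey(handle, b"enc"), self._subkey(handle, b"mac")
        nonce = secrets.token_bytes(16)
        ks = self._keystream(enc_key, nonce, len(plaintext))
        ct = bytes(p ^ k for p, k in zip(plaintext, ks))
        tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag  # blob layout: nonce || ciphertext || tag

    def decrypt(self, handle, blob):
        enc_key, mac_key = self._subkey(handle, b"enc"), self._subkey(handle, b"mac")
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("ciphertext failed authentication")
        ks = self._keystream(enc_key, nonce, len(ct))
        return bytes(c ^ k for c, k in zip(ct, ks))

    def mac(self, handle, data):
        """Keyed index value so the vault can find an existing token for a PAN
        without storing the PAN or anything reversible from it."""
        return hmac.new(self._subkey(handle, b"idx"), data, hashlib.sha256).hexdigest()


# --- In transit: point-to-point encryption ---------------------------------

def poi_capture(hsm, p2pe_key, pan):
    """Terminal side: the PAN is encrypted the moment it is captured."""
    return hsm.encrypt(p2pe_key, pan.encode())


def merchant_forward(blob):
    """Merchant network only handles the opaque blob; it holds no key."""
    return blob


def acquirer_decrypt(hsm, p2pe_key, blob):
    """Decryption environment: the only place the key exists, inside the HSM."""
    return hsm.decrypt(p2pe_key, blob).decode()


# --- At rest: tokenisation vault --------------------------------------------

class TokenVault:
    """Maps random tokens to PANs that are stored only as HSM-encrypted blobs."""

    def __init__(self, hsm):
        self.hsm = hsm
        self.dek = hsm.generate_key("vault-dek")      # data-encryption key handle
        self.idx_key = hsm.generate_key("vault-idx")  # index-MAC key handle
        self._rows = {}   # token -> encrypted PAN (what a database dump exposes)
        self._index = {}  # HMAC(PAN) -> token, so a repeat PAN gets the same token

    def tokenize(self, pan):
        idx = self.hsm.mac(self.idx_key, pan.encode())
        if idx in self._index:
            return self._index[idx]
        token = "tok_" + secrets.token_hex(8)  # random; carries no PAN information
        self._rows[token] = self.hsm.encrypt(self.dek, pan.encode())
        self._index[idx] = token
        return token

    def detokenize(self, token):
        return self.hsm.decrypt(self.dek, self._rows[token]).decode()

    def dump(self):
        """Everything an attacker who exfiltrates the vault database obtains."""
        return dict(self._rows)


if __name__ == "__main__":
    hsm = HsmStub()
    p2pe_key = hsm.generate_key("p2pe")
    pan = "4111111111111111"  # constructed test number, not a real card
    blob = merchant_forward(poi_capture(hsm, p2pe_key, pan))
    print("merchant sees only:", blob.hex()[:32], "...")
    print("acquirer recovers:", acquirer_decrypt(hsm, p2pe_key, blob))
    vault = TokenVault(hsm)
    token = vault.tokenize(pan)
    print("token:", token, "| stable on repeat:", vault.tokenize(pan) == token)
    print("PAN in vault dump:", any(pan.encode() in v for v in vault.dump().values()))
```

The point the model makes is the one the QSA is looking for: the merchant path and the vault database never hold a key, so exfiltrating either yields authenticated ciphertext and random tokens, and every decryption is an auditable call into the hardware boundary rather than a lookup of key material in application memory.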
Organisations cannot stop hacks from happening, but using good security practice provides the best chance of stopping them from succeeding.