There have been many stories released about the Equifax hack since the news broke. The story is still unfolding as more details come to light, but here’s what we know so far.
Equifax, one of the three main credit reporting companies, experienced a major breach that was announced on September 8, 2017. Unfortunately, the breach was not confined to that one day: it has come to light that between May and July (inclusive), hackers had access to the database and all the data it contains. The company discovered the hack on July 29 and announced it publicly almost six weeks later. The hack everyone is talking about involves records for 143 million people of both Canadian and American citizenship.
So, what happened in the Equifax hack?
Hackers accessed the Equifax server and released sensitive data for 143 million people, including names, social security numbers, birth dates, addresses, driver’s license numbers, credit card information, and more! Equifax not only stores all of this information but also holds records of credit ratings, how much people owe (i.e. lines of credit, mortgages, etc.), and whether they have court judgements against them. With all of this information exposed, it’s the ideal combination for identity theft!
Why is this hack so severe?
Reports have mentioned that this breach could have been avoided, or at least mitigated, for several reasons, some of which include:
- Centralized data servers should never be used – Equifax stored all of its clients’ data on a single central server. This is a major no-no! As this case shows, that one server was hacked and all the information was exposed. Companies should keep billing information (names, addresses, social security numbers, etc.), financial information (credit card numbers), and miscellaneous supporting documents in separate secure places. Additionally, when multiple servers are used and one is hacked, the other servers will shut down in response.
- The office culture – organizations often do not put enough resources into security, especially cybersecurity. This area is easily overlooked until a breach occurs, when it’s too late. Personnel should also have been well-versed in security protocols, both for early protection and for dealing with a breach. This breach should not have spanned 4.5 months.
- Follow PCI DSS at a minimum – even though standards do not guarantee security, they are at least a baseline that is required to be implemented. In this case, Equifax should’ve followed PCI DSS (Payment Card Industry Data Security Standard). Evidently, Equifax was not compliant, making the breach that much worse. PCI guidelines require companies to keep billing information (names, addresses, social security numbers, etc.), financial information (credit card numbers), and miscellaneous supporting documents in separate secure places.
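To make the "separate secure places" recommendation concrete, here is an added Python example (not code from Equifax or from this post) that splits one flat customer record into billing, financial and supporting-document stores linked only by a random token, and then measures what a full dump of any single store would expose. The store names, field split and sample record are hypothetical, constructed for the illustration.

```python
import secrets

# Constructed sample: one flat record of the kind a single central server would hold.
SAMPLE_CUSTOMER = {
    "name": "Jane Example", "address": "1 Sample St", "ssn": "000-00-0000",
    "card_number": "4111111111111111", "card_expiry": "12/29",
    "documents": ["proof_of_income.pdf"],
}

# Hypothetical split: which fields live in which separately secured store.
STORE_FIELDS = {
    "billing": {"name", "address", "ssn"},
    "financial": {"card_number", "card_expiry"},
    "support": {"documents"},
}

def partition(customers):
    """Return {store_name: {token: record}}; the records share only a random token."""
    known = set().union(*STORE_FIELDS.values())
    stores = {name: {} for name in STORE_FIELDS}
    for customer in customers:
        unknown = set(customer) - known
        if unknown:
            # Refuse to store anything that has not been classified into a store.
            raise ValueError(f"unclassified fields would leak: {sorted(unknown)}")
        token = secrets.token_hex(16)  # opaque link; carries no customer data itself
        for name, fields in STORE_FIELDS.items():
            stores[name][token] = {k: customer[k] for k in fields if k in customer}
    return stores

def exposed_fields(stores, breached):
    """Field names an attacker obtains by dumping one store in full (the blast radius)."""
    exposed = set()
    for record in stores[breached].values():
        exposed |= set(record)
    return exposed

def reassemble(stores, token):
    """Only a party with access to every store can rebuild the complete record."""
    full = {}
    for name in STORE_FIELDS:
        full.update(stores[name][token])
    return full
```

Compared with the single-server layout, a breach of the billing store alone yields names, addresses and SSNs but no card data, and a breach of the financial store alone yields card data that cannot be tied to a person without the other stores.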
How can you become PCI compliant?
If your organization is in the business of accepting credit card payments, you know you need to be compliant with the standards set out by the Payment Card Industry Security Standards Council, and you should know what’s required of you. Now it’s time for the nitty-gritty: what do you actually need to do to make sure your company is PCI compliant?
Get on the Level
PCI compliance is required by the major credit card brands, including Visa, MasterCard, and American Express. The requirements for PCI compliance depend a bit on which cards your business is accepting and how many transactions you process annually. For example, if your company processes up to 1 million Visa transactions in a year, you’d be considered a Level 4 merchant. MasterCard, on the other hand, considers organizations with the same volume of transactions as Level 3 merchants. Your level helps determine what paperwork you’ll need to submit to show compliance.
The next step is to determine which Self-Assessment Questionnaire (SAQ) you need to submit. The SAQs vary based on where you’re accepting payments; vendors selling in a physical store will submit a different SAQ than those selling through an online one. Different types of online stores have different SAQs. The questionnaires are labelled A through D.
For more information on PCI Compliance, click here! If compliance and cybersecurity are keeping you up at night, then download our free whitepaper below on Why Compliance Does Not Equal Security.