PCI Compliance Meets Cybercrime-as-a-Service

The software-, platform-, and infrastructure-as-a-service models that dominate the applications space today have proliferated well beyond the conventional consumer and enterprise markets. It turns out that their many benefits for scale, maintenance, and profitability have not been lost on cyberspace’s underworld.
The very notion of cybercrime as a service (CaaS) might sound bizarre, but it is most definitely here—complete with tech support and customer service. Cybercriminals have not only found fertile ground in marketing their malicious toolkits to the hacker community, they have actually spawned a whole new class of “intellectual property.” They sell malware in off-the-shelf and even customized versions, and it is their customers who perpetrate the kinds of attacks we’ve seen at Target, Home Depot, and in other high-profile breaches.
While professional-grade cybercriminals make up a mere 20% of all such actors, the 80% comprising the less-talented, garden-variety hackers now have access to the most sophisticated—and fully supported—tools with which to execute their nefarious deeds. And with minimal investment. No longer do run-of-the-mill cybercriminals need technical expertise to develop spyware, rootkits, ransomware, and other toolkits; they can now access cutting-edge malware that comes complete with a user-friendly administration console and dashboard! And if a cybercriminal needs something truly special, he can outsource development to “professional services” providers who will create an exploit for a specific vulnerability—on demand.
Consequently, “Dark Web” marketplaces are thriving. And the spoils from credit card data breaches find an equally accessible clearinghouse market. In fact, the Target breach was exposed by security investigator Brian Krebs when he “bought” a block of the stolen card data in his process of sleuthing the breach. Payment card information is one of the easiest types of data to convert to cash, and is, therefore, the preferred choice of cybercriminals.
So what can you do about it? Start by realizing that every major payment card data breach happened to companies that were not compliant with the PCI DSS standard. It’s true. Dr. Anton Chuvakin, research director, security and risk management at Gartner, went as far as to say, “I am waiting for that one breach that affected a company that really did take PCI DSS to heart and did everything well. It just doesn’t happen. A lot of people are outraged over the ‘no PCI-compliant company has ever been breached’ line that some on the PCI Security Standards Council mentioned a few years ago, but I happen to actually believe that.”
At MediaPro, we believe it, too. The fact is, the weak links in the vast majority of security breaches are traced to employee behaviors—behaviors that if properly informed and shaped, would have prevented the breach.
Want to learn more about protecting your organization from off-the-shelf cybercriminals? Check out our recent eBook on PCI DSS compliance strategies that actually work. Then let us help you put real data protection to work in your organization.