Defending against ransomware attacks in the payment card industry

Ransomware is currently the biggest cyber security concern for many businesses, and the danger of an attack is continuing to grow. There has been a 600% growth in new ransomware families since December 2015, according to a recent Payment Card Industry Security Standards Council (PCI SSC) guide, which also reported that ransomware crime cost businesses an estimated $1 billion (approximately £800 million) last year.

This should be particularly worrying for any business that stores, transmits or processes payment card data. Given that many hackers are after money, gaining access to payment card information is their most direct route to their goal.

This is why point-of-sale (PoS) systems are such a common target. They are essential for many businesses to operate, and whether or not the victim organisation pays the ransom, the hackers get what they want.

Train staff to spot the attacks

The PCI SSC advises organisations to train staff to react and respond to ransomware attacks. This is in line with Requirement 12.6 of the Payment Card Industry Data Security Standard (PCI DSS), which states that organisations must “implement a formal security awareness programme to make all personnel aware of the cardholder data security policy and procedures.”

The PCI SSC guide recommends that organisations develop a plan “that educates your employees on the best ways to avoid these types of attacks and how to handle an attack if one does occur”.

Given the connection between ransomware and phishing – with a report from last year claiming that ransomware is delivered in 97% of phishing emails – the PCI SSC advises organisations to make sure their staff know what to do if they suspect they have received a phishing email.

“[Staff] should understand that it’s okay to delete [an] email if it looks suspicious,” the guide says. “Emails can look like they come from anyone in the company. If there are any questions, always contact that person to confirm [that it’s genuine] before clicking on a link or opening a file.”

Responding to a breach

However well prepared an organisation is, the unfortunate reality is that it will probably suffer a successful attack eventually. When that happens, it is important that staff know how to respond and who to contact.

To ensure this is the case, the guide advises organisations to make sure they have an incident response plan in place, and to communicate it with their employees. This is detailed in Requirement 12.10.1 of the PCI DSS, which mandates that organisations create an incident response plan that addresses the roles and responsibilities of staff in the event of a breach.

PCI DSS training courses

If you are responsible for ensuring your organisation is compliant with the PCI DSS, you need to make sure you’re practising the correct procedures to ensure your company stays safe.

To help you better understand and implement the PCI DSS, IT Governance offers a range of training and staff awareness courses.

To help staff take action against phishing attacks, we offer a Phishing Staff Awareness Course. It helps organisations understand how phishing attacks work, the tactics that cyber criminals use, and how to recognise and respond to attacks.

We also have a new staff awareness programme, the PCI DSS Online Course, to provide clear and simple explanations of what companies and individual employees need to do to meet the requirements of the current version of the standard.

For a more in-depth understanding of the PCI DSS, we recommend the PCI DSS Implementation Training Course.

The three-day programme has been designed by a PCI Qualified Security Assessor (QSA). It covers the purpose, objectives and intent of the PCI DSS, and provides practical advice on implementing the Standard.

By complying with the PCI DSS, you will not only mitigate the risk of losing sensitive information but also reduce the threat of PoS malware attacking your systems.

Find out more about the PCI DSS Implementation Training Course.