Thursday, July 12, 2012

Still Think You're Not Vulnerable?

The bad guys increasingly target small businesses.

We know that as a fact from published statistics, and now from a recent incident reported by Avivah Litan in her Gartner blog.  In this case, a small restaurant in an equally small town had its POS system hacked.  The bad guys got away with a load of card data, with the result that a disproportionate share of local residents (including any number of the local police force, many of whom ate at the restaurant) had their cards compromised.

The stolen cards have been used all over the world, so it's unlikely the bad guys will be caught.  The cardholders will be inconvenienced, but likely made whole by their card issuers.  The issuers will face the losses, but it is the hapless restaurant that will likely suffer the most at the hands of the card brands and their acquirer.

If a data breach can happen at a small merchant in a rural town, I hope everyone reading this realizes the same can happen to a university merchant just as easily.  The bad guys are scanning your systems every day, but one big difference between them and your ASV is that your ASV gives you a report of your vulnerabilities.

Combine the vulnerabilities of small merchants with the visibility and vulnerabilities of higher ed institutions, and we can see that PCI compliance truly is not an option.  
