jump to navigation

Collective Security & the Payment System June 11, 2012

Posted by Heather Mark in Laws and Leglslation, PCI DSS, Politics.
Tags: , , , , , , , ,
1 comment so far

I recently attended an event focused on payment security and fraud prevention.  It was an outstanding event and the presentations and panels were incredibly valuable – not something that I frequently say about payment security events these days.  However, one term came up a couple of times that got me thinking.  That term was “collective security.”  As many of you know, I have a background in public policy and my dissertation was, in fact, on US foreign policy and our strategic interests abroad, so the mention of collective security set off my poli sci radar.  But I wondered if collective security was really an appropriate phrase for what we’re doing in the payments industry.  To address that question, it is necessary to first define collective security in its traditional sense.

Collective security was first formally introduced by the Peace of Westphalia in 1648, a series of treaties that put an end to a number of wars that had been plaguing Europe.    Very simply put, collective security is an arrangement in which all stakeholders agree that their security depends upon the security of each of the other stakeholders.  (more…)

“Poisoned Apple?” – OSX Lion Encryption Passwords Insecure May 7, 2012

Posted by Chris Mark in cybersecurity, Industry News, InfoSec & Privacy, PCI DSS.
Tags: , , , , , , , , ,
add a comment

For years many Apple purists (I used to be one) have been touting the inherent security of the Apple operating system.  According to Techcrunch in February, 2012 it was discovered that OSX Lion (the newest OS from Apple) had a major security weakness and released widely within the last few days.  It was disclosed that the FileVault encryption passwords are now visible in plain text outside of a computer’s encrypted area.  This effectively renders the encryption useless as the keys (the passwords) are not secure.  While it was originally believed that the vulnerability as specific to the encrypted File Vault solution, it appears now that the vulnerability is larger…potentially much larger.  Sophos Naked Security blog states: “Anyone with access to the disk can read the file containing the password and use it to log into the encrypted area of the disk, rendering the encryption pointless and permitting access to potentially sensitive documents. This could occur through theft, physical access, or a piece of malware that knows where to look.”    Key management and password security continue to be the weakest link in most encryption implementations.

“Blaming the Victim and the PCI DSS is…Passe”- PCI DSS; GlobalPayments & Data Theft April 1, 2012

Posted by Chris Mark in Data Breach, Industry News, InfoSec & Privacy, PCI DSS, Risk & Risk Management.
Tags: , , , , , , , ,
add a comment

In an effort beat the “PCI Evangelists”; “wagon jumpers”, “naysayers”, and “PCI Haters” to the punch, I am publishing my post on a Sunday evening.  By tomorrow morning the speculation on how the GlobalPayments compromise occurred will be in full swing and no doubt, many will have already condemned the company for “PCI DSS non compliance” or being “sick, lame, or lazy” when it comes to their PCI DSS compliance or information security.  Others will have published articles condemning the PCI DSS as ‘ineffective’, ‘irrelevant’, or simply ‘stupid’.

Before they are condemned I want to go on record and say it NOT a PCI DSS compliance issue that caused the compromise. Like Heartland Payment Systems, Royal Bank of Scotland Worldpay and many more before them, GlobalPayments has been held out as the paragon of PCI DSS compliance for years.  Now that they have been breached they will be expected to wear a scarlet letter for the foreseeable future. I have no doubt that by the end of next week their status as a “Level 1 PCI DSS Compliant Service Provider”  will have either been revoked by the card brands or be under “review”.In the same vein, there will be many who shout from the rooftops that the PCI DSS is “irrelevant”, “outdated” and so on.  Neither of these positions are accurate.

Here it goes…(drum roll please)…

The PCI DSS is a solid set of information security controls and represents minimum necessary controls to minimize the likelihood of data compromise through common, identified vulnerabilities. (more…)

PCI DSS and Piracy January 12, 2012

Posted by Heather Mark in PCI DSS, Piracy & Maritime Security.
Tags: , , , , , , ,
add a comment

I’ve been reading quite a bit on piracy lately. Not the adventurous, swashbuckling tales of pirates flying down the Spanish Main, but piracy in its present form. From a purely detached perspective, its an interesting exercise in cause and effect. Natural disasters, for example, have an impact on the surge in piratical acts. The Christmas Tsunami left many Somali fishing villages devastated and took the last legal means of sustenance from many families that depended fishing for their survival. As a result, they turned to piracy. Of course, that is not to say that Somali pirates are the Jean val Jean’s of their day, the thief with the heart of gold doing only what is necessary to survive.  These pirates are violent and aggressive and should not be coddled.  The interesting comparison to the PCI DSS, in my mind, derives from the impact of the crime on the industry and the global reaction to the phenomenon.

Impact of the Crime

Piracy is a crime that has an impact on all consumers. Higher insurance rates, security contingents, longer routes and therefore higher fuel costs, and similar circumstances that result from piracy mean higher prices for consumers.  Any costs that cannot (or will not) be absorbed by the manufacturer or the shipping company are passed on to the consumer. Similarly, data thieves have very definitely left their mark on the consumer. Those of us involved in the electronic payment industry recognize better than most the increased cost structure that has resulted from trying to achieve and maintain compliance with the PCI DSS and the countless data security, data breach notification and consumer privacy laws at play in the United States. Ongoing compliance and security monitoring, evaluating the threat landscape and the cost of validating compliance can quickly add up for companies.  Organizations that are already seeing their margins get squeezed are required to spend additional resources on security and compliance to ensure the safety of consumers’ data. Those costs can sometimes be passed along to the consumer.

Global Reaction

Data security and piracy were both issues that “flew under the radar” until high-profile instances brought them to the public awareness. In the world of transoceanic shipping, the issues that brought awareness were a couple of kidnappings for ransom and the hijacking of the Maersk Alabama. It’s important to note, however, that even before these incidents, the shipping industry and governments worldwide were working on standards and regulations that would mitigate the problem. The reaction from the industry should sound very familiar to veterans of the PCI DSS compliance world – “The standards are too prescriptive.”  “The standards were written by people that don’t
really understand the issues.”  “How are you going to ensure that everyone is complying with these standards?’ “The cost of complying with the standards are too burdensome for small companies.” These concerns should resonate with payment security professionals. The same questions and concerns are often raised about the PCI DSS.

For the payment industry, the events that really brought public awareness were a couple of high-profile data breaches at well-known retailers. The question really is, though, “What is the alternative?”  If neither industry had done anything to address these growing issues, the constituents in the industry would have raised the alarm about the apparent lack of concern from the powers that be.  The catch-22 of the creation and enforcement of the standards is that even though these standards achieve their objective of raising industry awareness and attempting to mitigate the risk of adverse events, the companies that suffer piracy attacks or data breaches are still often cast as the villian (as opposed to the victim) in the scenario.

What’s the Answer?

That is the crux of the matter – are the issues of data security and high seas piracy “solvable?” There are a variety of issues that drive the increase in both crimes.  Economic stability, the ability of governments to project their authority into these areas, jurisdictional cooperation and other factors drive the growth of both types of crimes.

While I cannot confidently address permanent solutions to either problem, I can suggest a shift in perspective. In the realm of data security and payment security, practitioners often attempt to solve the problem by layering more and more technology in front of the sensitive data.  Tokenization is one example of how a shift in perspective can provide alternative solutions. Extracting value from the data makes significantly less attractive to thieves. So instead of asking, “How can we keep thieves from accessing the data?” one might ask “What can be done in the transaction processing chain to render the data unusable to thieves?” We are currently retro-fitting security onto a system that has been in place for fifty years. If we were to remove any preconcieved notions of what a payment infrastructure should look like, what would we design?

Standards Aren’t Security and We Shouldn’t Expect Them to Be January 11, 2012

Posted by Heather Mark in InfoSec & Privacy, PCI DSS.
Tags: , , , , , , , ,
add a comment

Today I saw an article about the PCI DSS in which the author lamented that, although progress had been made, there were still significant flaws in the Payment Card Industry Data Security Standard. I have seen a great many articles centered on the same idea: Though good in theory, the PCI DSS is just too flawed to work. I would argue that, in many ways, the PCI DSS is doing exactly as it is intended. Now, I do have to take off my academia hat here a bit and admit that, without a comprehensive policy and  program evaluation, it is simply not possible to accurately determine the efficacy of the standard. We cannot determine that a certain population of individuals has been spared identity theft as a result the implementation of PCI DSS or rising compliance rates. What we have is anecdotal evidence that, despite the best efforts of the card brands, the Qualified Security Assessors and everyone involved in the payment transaction chain, data breaches continue to occur and may even be growing, in terms of frequency and magnitude. Since anecdotal evidence seems to be the central data point in these arguments, I’d like to share some anecdotal evidence of my own.

I’ve been involved in the payment card industry, and specifically in the security side of it, for too many years to admit. When we began working with Visa’s Cardholder Information Security Program (CISP), the predecessor to the PCI DSS, many companies had no data security programs in place. In fact, we would often see global ecommerce companies that didn’t run anti-virus or have properly configured firewalls. It was not uncommon to ask about incident response plans and have the IT supervisor respond with “we unplug.”  Literally, they would pull the Cat 5 cable from the wall and pull their entire site down until they could figure out the issue.

In the intervening years, we’ve seen the industry make significant strides in their understanding and awareness of security issues. Merchants, third-party service providers, even consumers, have come light years in terms of knowing the questions to ask, the technologies to employ and the policies to implement. Security discussions around the protection of cardholder data have evolved to a very sophisticated place. Ten years ago, discussion about what is or is not cardholder data were unheard of, whereas today they are almost commonplace. In that regard, the PCI DSS has been successful. Has it stopped any data compromises? It’s difficult to judge that, but it has certainly driven companies to take security seriously and the ensuing noise around the standard has driven, and continues to drive, technological innovation in the security space.

Yet the most significant flaw in the standard is not with the standard, per se. It’s with the dependence on the standard as a comprehensive security program. It is certainly up to the discretion of each company to determine how far beyond the standard they need to reach in order to address the threats in their environment. Yet each time a compromise occurs, the first thing we hear is that it is another failure of the standard. No standard, regulation, law or best practice, regardless of how well written it may be, is going to address every contingency. Certainly there is room for debate about whether a compliant company can be compromised, but let’s remember that the standard is necessarily vague in some areas to account for the wide variety of business models in the industry. If it were otherwise, we’d certainly hear about how the standard is too prescriptive (and that charge has been leveled at the standard with equal ferocity as the too vague accusation) and still does not prevent all the compromises.

The important thing to remember is the objective of the standard is the protection of cardholder data. If you, as an individual responsible for data security or compliance, recognize an area of risk to the company or its customers that is not addressed by the PCI DSS, it is your (and your company’s) fiduciary duty to act. Court cases are now wending their way through courts to determine whether or not there is an implied contract between companies and their customers. If such a decision is made, then PCI DSS or no, companies will be held responsible for the loss of that data, and likely for a broader swath of data than is contemplated in the PCI DSS. Compliance is not an excuse to cede control of your security program. While the PCI DSS has a lifecycle of three years, companies should be constantly evaluating their threat environment and ensuring that their security program adequately addresses the risks to the data.

%d bloggers like this: