Defending Against a Breach: Effective Data Security

“When anyone asks me how I can best describe my experience in nearly 40 years at sea, I merely say, uneventful. Of course there have been winter gales, and storms and fog and the like. But in all my experience, I have never been in any accident… of any sort worth speaking about. I have seen but one vessel in distress in all my years at sea. I never saw a wreck and never have been wrecked nor was I ever in any predicament that threatened to end in disaster of any sort.” Edward John Smith in 1907, five years before he died as captain of the RMS Titanic.

The handling of customer data, highly sensitive payment data in particular, bears risk – a risk that is commonly underestimated. The current economic environment, with its overall budget-cutting, has worsened the situation. On the one hand, outsourcing and offshoring of database administrator functions, development and testing is often conducted without adequate controls; on the other, security-related spending has been drastically reduced over the years because the risks can seem intangible and mostly without an immediate effect on the business.

This scenario contradicts the reality of a dramatic increase in the number of breaches – according to the Independent Oracle User Group Data Security Report 2009, the number of data breaches doubled from the previous year, which is alarming. Even if there have not been any problems so far, disaster only needs to strike once, as the vivid example of the Titanic shows and recent high profile security breaches within the cards industry demonstrate.

Data Breaches May Terminate a Business

On the merchant side, for example, a well-known retail group, TJX, was breached in 2008, exposing 45.6 million customers and 80 gigabytes of cardholder data. TJX has set aside US$250m in breach-related costs, while US$17m was initially spent on fines. Banks sued TJX, claiming in the initial filing in October 2008 that 94 million cards were exposed. Three banks have since settled for US$41m in an out-of-court settlement. A group of banks is still suing TJX.

On the side of the acquirers or service providers, Heartland Securities, the fifth biggest acquirer in the US and the ninth biggest globally, is another high-profile security breach example. In early 2009 it announced a security breach that had occurred in late 2008, involving over a hundred million records. The same group of hackers as in the case of TJX was responsible. Heartland has recently negotiated its fines settlement with Visa, Mastercard and American Express, totalling a staggering US$105m. Due to the breach, Heartland’s share price dropped by 80%.

It seems obvious that data security is an important and well-known topic, but it is often swept under the carpet. The major card schemes – American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa International – established the Payment Card Industry Security Standards Council (PCI SSC) to counteract increasing fraudulent activity and to comprehensively improve the protection of customer account data. The PCI SSC developed a set of standards addressing all currently known security weaknesses. To facilitate the broad adoption of consistent data security measures on a global basis, the card organisations have gradually implemented the standards into their own rules and regulations.

Worldwide Standards are Necessary

The PCI SSC has issued several standards to secure card data on a broad basis, e.g. covering the development of payment applications or the transmission of PINs (see Figure 1). The most prominent and important for merchants is the PCI Data Security Standard (PCI DSS), first published at the end of 2004 and now updated on a two-year cycle. It is a set of comprehensive requirements for enhancing payment account data security, including requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. A core focus of the PCI DSS is the collection and storage of card data. Provided that protective measures are in place, some data elements may be stored, while others may not be stored at all once a card transaction has been approved, namely any sensitive authentication data such as the card verification number, magnetic stripe data or the PIN (see Figure 2).
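As an added illustration of this storage rule (example code, not part of the original article or of any Deutsche Bank material): a small Python sanitiser that masks the primary account number (PAN) to first six/last four digits and drops sensitive authentication data before an authorisation record is persisted, plus a scan that flags track-2 data or Luhn-valid PANs that have leaked into application logs. The field names, regular expressions and the sample log lines are constructed assumptions, not taken from the PCI DSS text.

```python
import re
# Sensitive authentication data (SAD): never retained after authorisation.
SAD_FIELDS = {"cvv", "cvc2", "cid", "track1", "track2", "pin", "pin_block"}
# Track-2 magnetic stripe data: ;PAN=YYMM service-code discretionary?
TRACK2_RE = re.compile(r";?\d{13,19}=\d{4,}\??")
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# Constructed sample log (not real data): a debug line leaked full track-2 data.
SAMPLE_LOG = """\
2009-03-02 10:15:01 auth ok merchant=1234 pan=4111111111111111 amount=19.90
2009-03-02 10:15:02 debug track2=;4111111111111111=1212101123400001?
2009-03-02 10:15:03 order 20090302-1015 shipped ref 9876543210123
"""

def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; weeds timestamps and order numbers out of PAN hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Render a PAN as first six / last four, the usual PCI DSS display masking."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def sanitize_for_storage(record: dict) -> dict:
    """Copy of an authorisation record that is safe to persist or log."""
    clean = {}
    for key, value in record.items():
        k = key.lower()
        if k in SAD_FIELDS:
            continue                       # dropped: SAD is never stored
        clean[key] = mask_pan(value) if k == "pan" else value
    return clean

def find_card_data(text: str) -> list:
    """Scan log text; return (line_no, kind) for track data and Luhn-valid PANs."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if TRACK2_RE.search(line):
            findings.append((n, "track2"))
        for m in PAN_RE.finditer(line):
            if luhn_ok(re.sub(r"\D", "", m.group())):
                findings.append((n, "pan"))
    return findings
```

Running the scan over a real log store is the cheap way to discover that a debug statement has quietly turned a compliant system into a non-compliant one.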

Figure 1: Payment Card Industry Standards and Their Relevance

Figure 2: Storage and Handling of Commonly Used Elements of Cardholder and Sensitive Authentication Data

Source: Deutsche Bank

Worldwide, the standard applies to all parties involved in the payment process. This means that every entity that stores, processes or transmits card data must comply with the current PCI DSS requirements. The applicable requirements differ according to several criteria relating to the merchant or service provider, and include technical measures, organisational measures, requirements regarding documentation, processes, change and release management, and other periodic tasks (see Figure 3). PCI-accredited auditors assess compliance periodically and issue PCI certification.

Figure 3: The 12 Sections of the PCI DSS

Source: Deutsche Bank

To ease the process of initially implementing the data security requirements, the PCI SSC published a ‘Prioritised Approach’ in March 2009, which groups the 12 requirement categories and their detailed requirements into six milestones. Implementing the requirements in this way ensures that the areas of greatest potential vulnerability are closed first. Moreover, the milestone structure enables companies to prove their PCI compliance progress to their acquirer or other interested parties.

Certification and Compliance – Not Quite the Same

But certification does not automatically imply that an entity is compliant. The certification only states that an entity met all of the PCI DSS requirements applicable at the time of the audit, within the scope examined by the auditors. Compliance, by contrast, is the daily status of a merchant or service provider in relation to the PCI DSS. If an entity introduces anything new into its applications, for example, it must bear in mind that any change may render it non-compliant. Operating system and database security updates have to be applied quickly and efficiently; otherwise they lead to non-compliance. Eighty percent of security breaches exploit known, and therefore patchable, problems.

In regard to the above-mentioned breaches, although all the companies were certified, they were not compliant in at least two of the 12 areas of the PCI DSS. This should not detract from the validity and necessity of PCI certification, but it is important to keep in mind that a certification is simply a snapshot in time, whereas compliance is the daily task that many companies have not made part of their development lifecycle.

If a breach were to take place, processing must stop immediately and a forensic investigation must be initiated at once. This serves not only to establish how the breach occurred, but also to prevent any further data loss and to substantiate the compliance status of the breached entity at the time of compromise.

Being non-compliant means that the entity is liable for the costs imposed by the card organisations and receives no support from them. But these fines might be only a minor part of the damage once the other costs are taken into account: investigation, reissuing (approximately €15 per card), fraud (up to €3000 per card, taking the average card limit as a basis) and litigation. If these costs do not already jeopardise the future existence of an entity, the intangible reputational damage could.

Being compliant, on the other hand, or showing progress towards full compliance as in the Prioritised Approach, can result in waivers of possible fees and penalties, as card schemes evaluate an entity’s PCI DSS compliance effort when assessing non-compliance fines. Entities that comply with the requirements of PCI DSS benefit from safe harbour rules. This means that none of the above consequences of non-compliance apply to the entity if the forensic investigation finds no evidence of non-compliance with PCI DSS or with the rules of the card organisations, and the entity can demonstrate that compliance is maintained at all times.

PCI DSS Need Not Involve Enormous Investments

Card payments and their vulnerability are the daily business of service providers and acquirers. It is therefore not surprising that these parties do not see the PCI DSS as anything out of the ordinary – it is day-to-day business. The platform of Deutsche Card Services became PCI-compliant in 2004, the first in Europe, and the high standards have been continuously maintained and confirmed by the yearly certification. Merchants, on the other hand, often see the importance differently, as card payments are often just one of their accepted payment methods. Even if they see the obvious necessity, they are not enthusiastic about undergoing the process of becoming PCI DSS-compliant themselves, as it might involve costly and labour-intensive tasks.

Apart from the benefits PCI DSS compliance brings to a merchant’s general data security, this is understandable. Instead of these merchants abandoning card payments, there is a different solution that is well-established and proven. Special payment interfaces allow merchants to accept card payments without the need to touch the card data at all. With these interfaces, customers still enter their data in the merchant’s online store as usual, but the data goes directly into the system of the payment service provider or acquirer, which thereby takes on the obligation to meet the PCI DSS. If a company does not really need the card data, which is true in most cases, this is an easy way for merchants to protect their business and to help secure overall card payment integrity.

With globalisation, the speeding up of processes and the ubiquitous collection of data, information is not only key, but also the target and therefore a problem. For this reason various organisations – governments, with their data privacy laws, or independent institutions such as the International Organisation for Standardisation (ISO), with their standards – promote the importance of data security and require entities to attend to it. So PCI DSS is neither independent nor the only security standard, but – beyond the protection against the theft and compromise of data and the resulting threat of massive damages – a good start to improving a company’s information security in general. Criminals will always go for the easy target, so strengthening a company’s defences is a major deterrent.