Barbie’s New Cry: “PCI Is Tough.” An RSA Defense Plan
Written by Walter ConwayA 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.
In security, timing is everything. Two seemingly unrelated items last week turned out to share an interesting common thread.
RSA’s announcement that its SecurID two-factor authentication product may have been compromised came within days of three major hotel industry associations concluding that their members might be vulnerable to payment card data breaches due to poor security practices coupled with storing vast amounts of payment card data.
Let’s start with RSA. Based on the publicly available information, it appears the company was subject to an advanced, persistent threat (APT) attack. We don’t know the source or what was taken, and we certainly don’t know the full impact. All we know at this point is that merchants using RSA’s SecurID tokens for two-factor authentication may be at risk of having the second factor— that is, the token—compromised.
The way SecurID works is that users who want remote access to a particular system provide their ID and password (the first factor). They then enter a one-time code displayed on the SecurID token (the second factor). If both factors are authenticated, the user is granted access to the system. Up until this breach, the biggest headache associated with the SecurID tokens has been users losing those tokens in hotel rooms, taxis and the occasional washing machine.
Every company on the planet faces the same risks as RSA. It’s just that a security company like RSA is a more visible and attractive target than most. The company is releasing only limited information, and an awful lot of unanswered questions are likely to be bouncing around for a while. Although my (security) heart goes out to RSA, the immediate issue is what should its customers, the retail CIOs, do?
PCI Requirement 12.9 says you need to have an incident response plan, so this is a really good time to dig out yours and follow it. If you use SecurID and you have 10 or 20 of its tokens in your users’ hands, you likely will want to monitor the situation actively. If you have a few hundred or thousand SecurID tokens and you rely on these devices for your two-factor authentication, you should camp on RSA’s Web site and have your RSA contact on speed-dial to get regular status updates.
In the meantime, CIOs need to consider their options. First of all, CIOs need to follow their incident response plan. Nobody I know is saying that two-factor authentication as a technology is compromised. Remember that even if one product (SecurID) is compromised—and no one is saying it is, yet—you still have the single authentication factor left. The problem is that one-factor authentication is not enough for secure remote access to cardholder data.
The most obvious response is to block all remote access to your cardholder data now. If you are using SecurID to control remote access to cardholder data, that means eliminating it until you either find a substitute second authentication factor or the situation is resolved to your satisfaction.
-Marc
March 28th, 2011 at 3:38 pm
As head of one of the hotel associations behind this message, I can’t let this go unchallenged.
This was hardly a profound conclusion by the hotel companies. Most major hotel companies have spent tens or even hundreds of millions of dollars on PCI, starting in the days when it was still called Visa-CISP. Most larger hotels are now fully compliant (or at least as compliant as anyone can reasonably be).
Major CIOs in the hotel industry reached the conclusion a year ago that we needed to take every possible effort to harden the entire industry from credit card thieves; that they were all vulnerable no matter what they did in their individual companies, if the rest of the industry was viewed as a soft target (which clearly it was). The associations rose to the task of helping address this, in support of the extensive efforts over the past decade at major hotel companies.
What you seem to be missing is that the hotel industry isn’t a bunch of big corporations, but rather a fragmented franchise industry. There are over 50,000 hotels in the US alone, and most of them are small independent businesses (many in the $500K – $2M/year revenue range) with little or no onsite IT expertise and only a vague awareness of PCI – but, as you point out, lots of credit card data.
About 30 of US hotels operate independently of any brand, meaning they don’t even have a corporate IT group to provide guidance. And while the remainder are affiliated with brands that mostly have very competent security departments, the majority operate under franchise agreements negotiated many years ago, before PCI existed. That means that the brands have little or no contractual power to force their franchised hotels to comply with PCI.
Each hotel is typically an independent business and merchant, and while of course they should adhere to PCI, the fact is that many don’t, especially among the smaller and non-brand-affiliated hotels. Many hotel General Managers and Controllers truly believe that if they buy a PA-DSS compliant system, they need do no more, that they have met PCI requirements. Many also believe that they are too small to be a target. These conclusions are of course wrong, but they’re not unreasonable conclusions for someone with no IT or security background to reach, and they meet the test of common sense that many laypeople would apply.
And make no mistake, PCI compliance costs money, potentially a lot of money. Any small business owner in ANY industry looking at the PCI requirements (which few small businesses have ever seriously done) is likely to conclude that they can’t afford full compliance. You, I, and the major hotel brands may look at it differently, but we’re not the ones running the systems that aren’t compliant, and we have to convince the people who are. The major hotel brands have invested a ton in security for the systems that THEY own and manage (such as reservations systems), but most of them have NO control over systems that the hotels themselves own and manage. Hotel managers ultimately answer to the owner of the building, not to executives at their affiliated brand.
Because of the inherent disconnect between the need and the ability of many smaller hotels in particular to respond, our association supports efforts to entirely remove sensitive data from hotel systems, a direction many major hotel groups are taking. In fact we were one of the first industries to publish a standard message set for proxying credit card data into a secure vault that could be managed professionally, to remove it from local systems. We are further supporting E2EE-from-the-swipe-device efforts that will allow sensitive data to be handled in complete isolation from local systems. But these efforts will be for naught if the people at individual hotels, who are responsible for purchasing systems, don’t understand what they need to do, and what to ask for.
In an industry with many small owner-operators, trade and professional associations play an important role in communicating critical messages that affect the entire industry. We understand our constituents and their issues, and we talk to them in a way they can understand. They don’t read security publications or PCI bulletins, but they do read material coming from their own trade publications and associations. We could have simply published the PCI manual (and apparently that’s what you’d like us to have done), but we felt it was more important to have them read something that they might actually act on.
The message of which you seem so critical was vetted extensively with senior players in the QSA and forensics communities and at card associations, and their feedback was uniformly very positive – in fact the Director of Incident Response at a major forensic investigation company, who has investigated hundreds of hotel breaches, said this was “exactly” the message he would have written.
So no, it’s hardly an awakening for our industry, it’s part of a long and difficult campaign to persuade small business owners of the risk and of the need to act to manage it. If those who haven’t done so by now need to have the message dumbed down a bit in order to be persuaded, then so be it. There are solutions in the hotel marketplace today that can provide top rate security, but it doesn’t matter a whiff if the people who need them don’t buy them.
April 10th, 2011 at 6:46 pm
Douglas,
Thanks for the thoughtful and detailed comment. I appreciate that the hotel industry is made up of many smaller, independent operators. I also appreciate that the industry associations are working to get the word out about PCI. My point is that hotels — maybe especially the smaller operators — are particularly vulnerable to a data compromise, and just because they are small or technically lacking is no excuse for not protecting the data of their guests (mine included!).
I want to commend your and your colleagues efforts on encryption. But as an association, I would like respectfully to suggest you might do more. For example, it is my experience that most hotels use one of two property management applications. If that’s the case, could you perhaps have those vendors conduct workshops at your next association meeting to show operators on how to configure the app and protect cardholder data? Then, could you record the sessions and post them on your website so other members who could not attend can benefit?
Associations like yours are in a powerful position to have a positive impact on your members. If you haven’t offered PCI training webinars or other information, perhaps it is would be in your charter to do so? If you have, did you record them and publicize their availability widely and often?
My point is that your member hotels are not like other small businesses. The pizza parlor near my house has a standalone POS terminal, and it truncates the PAN on both copies of the receipt. I don’t worry too much about a compromise there. A hotel, however, stores loads of paper and electronic PAN data that attracts the bad guys. I therefore hold them to a higher standard than a small retailer who might not retain any data. Because I hold them to that higher standard — as a QSA and as a frequent traveler — I tried to make the point that just doing part of PCI was not good enough. I think they have to aim higher.
I thank you again for your comments, and I appreciate very much your taking the time to respond to the column. –Walt