Is That Your Data That Just Walked Out the Door?

Written by Walter Conway
January 12th, 2011

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

There are a couple of lessons all merchants should take from the unauthorized release of confidential diplomatic cables by WikiLeaks. The first is that the use of personal technology—both computing devices and storage media—increases the risk of a data compromise. The Pentagon’s practice of banning flash drives didn’t stop somebody from bringing in a fake Lady Gaga greatest hits CD (which was the likely attack vector).

Another lesson is that the use of sophisticated personal technology is increasing, and with it comes further risk of a data leak. Many employees are returning to work in this new year with all manner of shiny new laptops, tablet computers, smartphones and other personal devices that Santa dropped off. Many of these devices will connect to your corporate network in some fashion and then to the Internet, where they will send, receive and process E-mail and other files.

From a PCI point of view, these devices increase your risk, and that is why they are already included in PCI 2.0. However, what is new is that with the changes in PCI version 2.0, all this personal technology might expand your PCI compliance effort, too. The reason is that under version 2.0 each merchant needs to “confirm the accuracy of their PCI DSS scope by identifying all locations and flows of cardholder data and ensure they are included in the PCI DSS scope.” If you have more devices, you have more endpoints and more possible “locations and flows of cardholder data.” Imagine your network diagram if it included every mobile device for every user in your organization.

The outcome is that every merchant and processor will want to document the full range of employee-owned devices that might access, store, process or transmit cardholder data, and then include them in the scope of their PCI assessment. The good news is, the scoping instructions included with PCI version 2.0 (see page 10) identify the steps to determine and document your scope. The bad news is, each step will be affected by the expanded use of these personal technologies.


One Comment | Read Is That Your Data That Just Walked Out the Door?

  1. Brad Corrion Says:

    Great column Walt, but I thought you were going to take it a different way. My learning from the Wikileaks scandal is that if you inappropriately classify everything as a secret, then you risk losing sight of the real secrets in the files and files of “almost” secrets.

    The correct approach should be the opposite: apply a cost to keeping a secret, so that you have incentive to not keeping things secret. The network of secret sharing things can be reduced until the result is of minimum size and of maximum efficiency – if you accept you must maintain secrets.

    The parallel to PCI DSS is clear: it may be easy to put everything in scope (from a classification perspective), but the greater scope means too many systems and too many actors are handling sensitive data. It is more costly to segment networks, to use effective encryption, to tokenize, but the result should be an efficiently small network of card data handling actors. Just as we should be encouraging governments to avoid making all things secret, we should avoid putting all systems in scope.

    The higher the cost incentive used to encourage these smaller and tighter domains, the less likely an accidental breach should have absurdly large ramifications.

    Should Manning have had access to the thousands of files he did? Probably not. Should a computer system have easy access to a broad card processing network? Of course not.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.