It’s 2 AM: Do You Know Where Your Data Is?

Written by Evan Schuman
August 7th, 2008

One of the fundamental challenges of PCI compliance is that the rules assume the CIO knows where all of the company’s data is. In today’s typical retail enterprise, though, this can be a remarkably flawed assumption.

This is not to say that most executives don’t know where their data starts and where it’s sent. But as data routes its way through off-site backup, into employees’ laptops and USB flash drives, is shared with key customers and partners over an extranet and even spoken in a call center, that data can end up in quite a few unexpected places.

One of the data residences that often gets ignored by IT executives is off-site storage, said Terri Quinn-Andry, the executive at Cisco who is most directly involved in the vendor’s various PCI efforts.

Quinn-Andry said that she will often ask IT executives if they know how their data is being treated during off-site backup, and they invariably say they do. She’ll then ask them how their off-site backup firm handles that data if the LAN crashes.

Her follow-up question: What then occurs to your data when your network comes back up? "Is the data gotten rid of completely when it comes back up? Or do they just send you a copy? Do they store it only in their data center or do they store it in laptops?"

Most senior execs don’t know the answers to those questions, which is not surprising, given that they rarely know the answers when it comes to their own employees’ actions with regard to data. For example, what data is being taken home at night in laptops or thumb drives? By whom? Do you know if it’s being copied to a home computer? If so, is that home computer used by other family members? If so, do any of those family members visit music-downloading sites or other places where data thieves tend to lurk?

Some in the industry have joked that file sharing via Ethernet may soon be trumped by file-sharing via corporate laptops stolen from cars.

"You need to know where your data is at all times, in rest and in motion," Quinn-Andry said. "The large majority [of executives] don’t know where that data is or where it goes."

This data-tracking problem is not unsolvable, but it can’t be addressed until executives start realizing how little they know about their own data.

"The first step in protecting data is figuring out where it is. And today, they simply do not know all of those places," said David Taylor, a former security analyst with Gartner who today runs the PCI Knowledge Base. "Users know the repositories. What they don’t know is what individuals have done to that information after it’s been received."

A handful of the largest retailers today do track such information, Taylor said, using comprehensive data flow diagrams that "include the flows, the temp files, the repositories, and the types of security—such as access controls, encryption and logging—provided to the data at each point."

But most are not so rigorous, and that can waste a lot of money. "Without such diagrams and process analysis, it is very easy for a merchant to spend a lot of money segmenting networks, implementing access controls for credit card data, only to have to completely re-do the process to protect Social Security numbers and other types of personally identifiable information."

Sometimes, the data leaks can be accidental and not even necessarily something that IT departments would even consider their jurisdiction.

Take, for example, call centers. Although officially discouraged, it’s typical for call center employees to repeat credit card and other sensitive information back to customers for verification. Such information can now be heard by other people in that office, including some who might be tempted to jot it down and try and sell it. The data would have been accessed from a call they hadn’t even taken.

Let’s take that call center scenario one step further. Most customers talking with a call center rep can overhear what that rep’s cubicle neighbors are saying. What if those reps are using voice-over-IP systems at the time? All of those conversations can now easily be converted into data and stored.

Quinn-Andry said her company, Cisco, tries to factor many of these issues into some of its security suites–preventing employees, for example, from copying sensitive data into Word files and even suggesting cubicle distance to reduce data being overheard.

Cisco is soon going to start its PCI push beyond retail and into the healthcare sector. But the world of hospitals, doctors’ offices and laboratories has some key differences from a retail chain. Hospitals, for example, are more resistant to wireless communications because of the potential interference with medical testing devices.

Medical facilities also have other data handling rules to contend with, such as 1996’s Health Insurance Portability and Accountability Act (HIPAA). Taylor notes that HIPAA has just recently started to try and get tough about enforcing its own data regulations.

"HIPAA’s been around for 12 years and the first HIPAA audit that resulted in a fine just happened," Taylor said, referring to a July 16 fine for $100,000 assessed to the Providence Health & Services company in Seattle. "This is the start of them getting serious about enforcing the security of personal health data. Hospitals and others are sitting up and taking notice."

Although medical facilities do tend to take privacy issues more seriously than the typical retailer, the ROI challenge is similar. The only CIO-to-CFO argument to spend more money on security isn’t rooted in profit and revenue. It’s based almost exclusively on risk-avoidance. For both retailers and healthcare, the risk is legal as well as the potential for losing customers.

But the loss of private information without immediate and significant financial impact can be a difficult case for a consumer to win in court.

As for the loss of customers following a well-publicized major breach, the experiences of TJX and Hannaford—which both had massive breaches and bad publicity, with neither enduring revenue loss—suggest that hospitals have little to worry about.

After all, if a massive breach won’t get consumers to make the effortless change of shopping at Best Buy versus Circuit City, what are the chances it will make them change doctors or hospitals?

