This is page 2 of:
PCI Compliance Could Have Stopped Gonzalez
Once the Gonzalez conspirators broke through the perimeter using one or more of the above techniques, they used custom-developed malware (in most cases, packet sniffers), designed to exploit known weaknesses in the POS systems, networks and operating systems used by the targeted merchants and capture credit card data as it flowed through the compromised systems.
There are PCI DSS controls related to system configuration management (Req 2), file integrity monitoring and log management (Req 10), and network segmentation (Req 1) which could have detected the malware on the systems or the transfer of files through the network and out of the company back to the criminals.
But there is tremendous variability in the merchant community as to how (and how well) these standards are implemented. In my experience, it’s all about measurable effectiveness. In some cases, the design of the standards may not be effective because they left out specific technical considerations. In other cases, the implementation and testing of specific controls may not be effective, due to the lack of sufficiently diverse or detailed test cases. It’s not that criminals are smarter than the “good guys,” but they are often more persistent, testing out thousands of different exploits until they find one that works.
I agree with the security expert in Evan’s story that it’s not all that hard for a very skilled criminal to figure out a way around security controls, once they are on the “inside,” assuming that by this point they have invested sufficient time and effort that they will do whatever is necessary to finish their criminal enterprise.
My point here is that there are PCI DSS controls that were designed to prevent most of the nefarious actions of the criminals in this case. But these are “standards,” after all, designed by a committee, reviewed and approved by a bunch of companies. To say that standards developed through such a process have “failed” because the standards, in and of themselves, were insufficient to stop highly skilled and highly motivated criminals is to misunderstand the purpose of standards in this context.
PCI DSS has to be regarded as a “minimum” level of data security, sufficient to stop your “basic” criminals. But if a merchant wants to stop this sort of “organized crime” or a “criminal conspiracy,” they have to implement “above average” security so that it’s harder to break in, harder to install malware without detection, and harder to move their ill-gotten data out of the company once it’s been “ill-gotten.” If I were cynical, I would say that the goal of data security is not to stop criminals, just to make it harder to steal from you than from your neighbors (or competitors).
I’m not trying to pick a fight or insult my many friends in the retail industry. But I am trying to make a distinction between standards as a generic, even basic, set of security guidelines and an above average level of security that goes “beyond PCI” or certainly beyond a basic implementation of the standards, in such a way that it is sufficient to cause hackers to “look elsewhere” to find an easier target. If you think I’m being unfair (or a Visa suck up), let me know. Either visit the PCI Knowledge Base, and use our “Contact us” page, or if you want to have a personal discussion about what an idiot I am, just send me an E-Mail at David.Taylor@KnowPCI.com.
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
