Security Means Something Different To A Targeted Retailer
Written by David Taylor, February 11th, 2009
GuestView Columnist David Taylor is the Founder of the PCI Knowledge Base, Research Director of the PCI Alliance and a former E-Commerce and Security analyst with Gartner.
The Heartland and RBS WorldPay breaches should serve to remind us that some types of organizations are real “targets” for bad folks. Banks (and bank robbers) figured this out a while ago. Thanks to distributed computing and the extensive use of service providers who specialize in collecting, processing, managing and storing highly confidential information, there is a “target rich” environment for nefarious folks all over the world.
The most obvious examples of companies that bad people target are financial institutions. They know they are targets, and most have implemented technologies and procedures that are more rigorous than PCI demands. Other examples of targeted enterprises we’ve spoken with include transaction and other data aggregators that are service providers in e-commerce, hospitality, healthcare, retail, travel and, of course, financial services. Many of these organizations are not directly processing transactions, so they are often not getting much PCI-compliance pressure from their acquiring banks. Rather, the pressure to secure confidential data is coming from their large corporate customers. For these firms, “beyond PCI” is a competitive advantage, something worth marketing to customers and prospects.
If this statement seems controversial or negative, I should point out that I’m a big fan of PCI. I’ve built three different businesses around it over the past four years. But the more I talk to leading merchants and financial institutions regarding security and compliance, the more I’ve become convinced that because PCI compliance was designed to be scalable down to Level 4 (SME) businesses and because it doesn’t address emerging technologies and practices (e.g., virtualization, SaaS, tokenization, one-time passwords), there are some clear tools and techniques that targeted enterprises can use to go beyond PCI compliance.
When Heartland’s management started talking (post breach) about the need to go “beyond PCI,” they spoke specifically about end-to-end encryption. In such a scenario, data is encrypted at the initial point of capture (card swipe, Web site form or mobile payment) and remains encrypted as it travels via internal network and is stored in temp files. The data is only decrypted under very specific, controllable circumstances and by an extremely narrow set of persons and systems. We have talked with organizations that have implemented end-to-end encryption, and the real problem is enterprise key management. For companies that “grow into” end-to-end encryption, key management can rapidly become a nightmare. Based on our research with these leading companies, I’d argue that a tactical approach to key management is very counter-productive. On the other hand, enterprise key management packages tend to be expensive, often north of $500,000 for those firms with enough confidential data to be considered a “target.” Recommendation: Although it’s possible to satisfy PCI requirements 3.4 and 3.6 without enterprise key management, I’d strongly recommend it for targeted businesses.
I’ve harped on the importance of automated log management many times in this column, and it is very important. But I also want to mention the importance of putting more code, policies and systems administration under change management control. Although mentioned in PCI, the application of change management can be minimal and a company can still pass. Some of the most secure financial services and other firms have very rigorous change control systems and procedures, making it almost impossible for any malware or unauthorized employees to change access controls, permissions or system software. Because such changes are often necessary and intermediary steps in enabling major data breaches, automated change management can facilitate prevention and/or early detection of potential breaches. Recommendation: Because such tools can be difficult to live with for fast-moving, innovative companies, I would tend to recommend these tools primarily for targeted enterprises.
What makes some organizations targets is that they have massive volumes of confidential data that has resale value on the black market. Therefore, any tools and techniques that can limit the value of this information are a way to reduce the “attack surface” of the organization. Tools such as one-time passwords (OTPs) and single-use credit card numbers can fundamentally reduce the ability of hackers or insiders to steal massive volumes of data that can be used to generate fraudulent transactions, steal identities, etc. Mobile payment security technologies will greatly increase the awareness and use of OTPs. I would also expect to see greater use of OTPs and single-use cards (along with tokenization) as targeted businesses upgrade their applications and access controls in light of what is likely to be an ongoing series of security breaches of “compliant” businesses.
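To make the two ideas above concrete, the narrow decryption points of the end-to-end encryption section and the data-value reduction of tokenization, here is an added example (not code from the column or from any vendor) of a minimal token vault: the transaction store keeps only a random token and the last four digits, and only an allowed caller role can turn a token back into a card number. The class and function names, the caller roles and the sample card number are assumptions constructed for the example.

```python
import secrets
from typing import Dict, Set

def luhn_ok(pan: str) -> bool:
    """Mod-10 check so the vault only accepts plausible card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

class TokenVault:
    """Hypothetical vault: the only place a PAN-to-token mapping exists.
    Tokens are random, not derived from the PAN, so a dump of the
    transaction store (tokens + last4) cannot be reversed into card
    numbers without also breaching the vault itself."""
    def __init__(self, allowed_detokenizers: Set[str]) -> None:
        self._by_token: Dict[str, str] = {}
        self._by_pan: Dict[str, str] = {}
        self._allowed = allowed_detokenizers   # the narrow set of systems/roles

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a plausible PAN")
        if pan not in self._by_pan:           # same PAN always maps to one token
            token = "tok_" + secrets.token_hex(16)
            self._by_pan[pan] = token
            self._by_token[token] = pan
        return self._by_pan[pan]

    def detokenize(self, token: str, caller: str) -> str:
        """Only explicitly allowed callers (e.g. settlement) get the PAN back."""
        if caller not in self._allowed:
            raise PermissionError(f"{caller} may not detokenize")
        return self._by_token[token]

def record_sale(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the transaction store keeps: token, last four digits, amount."""
    return {"token": vault.tokenize(pan), "last4": pan[-4:], "amount_cents": amount_cents}

def has_full_pan(record: dict) -> bool:
    """Audit helper: does any stored field still look like a full card number?"""
    return any(isinstance(v, str) and v.isdigit() and len(v) >= 13 and luhn_ok(v)
               for v in record.values())
```

The vault's in-memory dictionaries stand in for an encrypted store under managed keys; in a real deployment the vault, not the application tier, is where the key-management problem described above lives.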
I’d like to hear other examples of “best practices” and other examples of how to cost-effectively go beyond PCI to protect targeted enterprises. For more information, please visit the PCI Knowledge Base and/or send me an E-mail at David.Taylor@KnowPCI.com.
February 12th, 2009 at 1:25 am
I agree completely that good key management is critical to long-term success, but it is both hard and expensive. The problem some organizations find themselves in now is that PCI caused them to rush to protect data across the enterprise, and in that rush they bypassed coordination efforts. They are now stuck with an ad hoc collection of keys and no centralized key managers.
Retrofitting a key management infrastructure on top of an existing deployment of hundreds of keys is also a challenge. On the plus side, the keys created should all have been well documented in accordance with PCI standards, so it shouldn’t be a nightmare to hunt them down.
As far as best practices go, a good starting place is the creation of a data security standard. An organization needs to lay out clear principles regarding security. They need to identify the data to be protected, roles that must be filled, separation of duties, types of keys, key life cycles, approved tools, protocols and algorithms, etc. They should also institute a security review process with a qualified party (a reputable PCI auditor or security firm should be able to provide this service).
Unfortunately, such things do not simply come in a download off the internet or from a lecturer’s notes; they require creating and fostering an ongoing commitment to data security. Having a stable of qualified security professionals to create this movement is almost impossible for any but the largest of organizations, so these efforts usually require outside help to get them jump-started.
Sadly, an organization trying to “skimp” on PCI is equally likely to not see the value of the creation of a data security team. Yet these same organizations will spend money on cameras, anti-theft devices, and trained investigators, because they understand the value of physical security. It’s a curious gap.