Security Means Something Different To A Targeted Retailer

Written by David Taylor
February 11th, 2009

GuestView Columnist David Taylor is the Founder of the PCI Knowledge Base, Research Director of the PCI Alliance and a former E-Commerce and Security analyst with Gartner.

The Heartland and RBS WorldPay breaches should serve to remind us that some types of organizations are real “targets” for bad folks. Banks (and bank robbers) figured this out a while ago. Thanks to distributed computing and the extensive use of service providers who specialize in collecting, processing, managing and storing highly confidential information, there is a “target rich” environment for nefarious folks all over the world.

  • Examples of Targeted Enterprises
    The most obvious examples of companies that bad people target are financial institutions. They know they are targets, and most have implemented technologies and procedures that are more rigorous than PCI demands. Other examples of targeted enterprises we’ve spoken with include transaction and other data aggregators that are service providers in e-commerce, hospitality, healthcare, retail, travel and, of course, financial services. Many of these organizations are not directly processing transactions, so they are often not getting much PCI-compliance pressure from their acquiring banks. Rather, the pressure to secure confidential data is coming from their large corporate customers. For these firms, “beyond PCI” is a competitive advantage, something worth marketing to customers and prospects.

  • Targeted Enterprises Must Go Beyond PCI Compliance
    If this statement seems controversial or negative, I should point out that I’m a big fan of PCI. I’ve built three different businesses around it over the past four years. But the more I talk to leading merchants and financial institutions regarding security and compliance, the more convinced I’ve become that targeted enterprises have some clear tools and techniques available to go beyond PCI compliance, for two reasons: PCI compliance was designed to be scalable down to Level 4 (SME) businesses, and it doesn’t address emerging technologies and practices (e.g., virtualization, SaaS, tokenization, one-time passwords).

  • Enterprise Key Management
    When Heartland’s management started talking (post breach) about the need to go “beyond PCI,” they spoke specifically about end-to-end encryption. In such a scenario, data is encrypted at the initial point of capture (card swipe, Web site form or mobile payment) and remains encrypted as it travels across the internal network and while it sits in temp files. The data is only decrypted under very specific, controllable circumstances and by an extremely narrow set of persons and systems. We have talked with organizations that have implemented end-to-end encryption, and the real problem is enterprise key management. For companies that “grow into” end-to-end encryption, key management can rapidly become a nightmare. Based on our research with these leading companies, I’d argue that a tactical approach to key management is very counter-productive. On the other hand, enterprise key management packages tend to be expensive, often north of $500,000 for those firms with enough confidential data to be considered a “target.” Recommendation: Although it’s possible to satisfy PCI requirements 3.4 and 3.6 without enterprise key management, I’d strongly recommend it for targeted businesses.
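The column describes the shape of the problem (encrypt at capture, decrypt only for a narrow set of principals, and keep the keys manageable as the deployment grows) without showing a mechanism. The following is an added example, not code from the column or from any product it mentions. It shows envelope encryption with a hypothetical central `KeyManager`: every record gets its own data-encryption key (DEK), the DEK is wrapped by a key-encryption key (KEK) the key manager owns, the manager enforces an allow-list and writes an audit trail, and rotating the KEK only re-wraps DEKs rather than re-encrypting stored data. The cipher is a stand-in built from HMAC-SHA256 (counter-mode keystream with an encrypt-then-MAC tag) so the example needs only the standard library; a real deployment would use AES-GCM from a vetted library or an HSM. The PAN is a constructed sample value.

```python
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here only as a stand-in PRF keystream."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time, then decrypt; any tampering is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class KeyManager:
    """Hypothetical central owner of key-encryption keys (KEKs) for this example."""

    def __init__(self, allowed_principals):
        self.keks = {1: os.urandom(32)}   # version -> KEK; would live in an HSM
        self.current = 1
        self.allowed = set(allowed_principals)
        self.audit = []                    # (principal, kek_version, outcome)

    def new_wrapped_dek(self):
        """Fresh per-record data key, returned with its KEK-wrapped form."""
        dek = os.urandom(32)
        return dek, (self.current, seal(self.keks[self.current], dek))

    def unwrap(self, principal, wrapped):
        """Only allow-listed principals get a DEK back; every request is logged."""
        version, blob = wrapped
        ok = principal in self.allowed
        self.audit.append((principal, version, "unwrap" if ok else "DENIED"))
        if not ok:
            raise PermissionError(f"{principal} may not unwrap data keys")
        return unseal(self.keks[version], blob)

    def rotate(self, store):
        """Re-wrap every stored DEK under a new KEK; record ciphertexts are untouched."""
        self.current += 1
        self.keks[self.current] = os.urandom(32)
        for rec in store.values():
            version, blob = rec["wrapped"]
            dek = unseal(self.keks[version], blob)
            rec["wrapped"] = (self.current, seal(self.keks[self.current], dek))


def capture(km, store, record_id, pan):
    """Point of capture: encrypt under a fresh DEK; persist only wrapped DEK + ciphertext."""
    dek, wrapped = km.new_wrapped_dek()
    store[record_id] = {"wrapped": wrapped, "ct": seal(dek, pan.encode())}


def read_pan(km, store, principal, record_id):
    """Decrypt only if the key manager agrees to unwrap the DEK for this principal."""
    rec = store[record_id]
    dek = km.unwrap(principal, rec["wrapped"])
    return unseal(dek, rec["ct"]).decode()


if __name__ == "__main__":
    km, store = KeyManager(["settlement-service"]), {}
    capture(km, store, "txn-0001", "4111111111111111")   # constructed sample PAN
    print(read_pan(km, store, "settlement-service", "txn-0001"))
    km.rotate(store)
    print("kek version now", store["txn-0001"]["wrapped"][0])
```

The design point is that the capture tier never holds a KEK and the store never holds a plaintext DEK, so compromising either on its own yields nothing; the only place that can turn ciphertext back into a PAN is the key manager's `unwrap`, which is exactly where policy and audit belong.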

  • Automated Change Management
    I’ve harped on the importance of automated log management many times in this column, and it is very important. But I also want to mention the importance of putting more code, policies and systems administration under change management control. Although mentioned in PCI, the application of change management can be minimal and a company can still pass. Some of the most secure financial services and other firms have very rigorous change control systems and procedures, making it almost impossible for any malware or unauthorized employees to change access controls, permissions or system software. Because such changes are often necessary intermediate steps in a major data breach, automated change management can facilitate prevention and/or early detection of potential breaches. Recommendation: Because such tools can be difficult to live with for fast-moving, innovative companies, I would tend to recommend these tools primarily for targeted enterprises.
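The detection side of what the column describes can be reduced to a simple reconciliation: every controlled item (an access-control file, a configuration file, a binary) has an approved baseline fingerprint, and any drift from it must be explained by an approved change ticket whose window covers the time the drift was observed. The code below is an added example, not from the column or any product; the baseline, tickets and observed contents are constructed sample inputs, and the paths and ticket ids are invented for illustration.

```python
import hashlib
from datetime import datetime, timezone


def fingerprint(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def ticket_for(item, observed_at, tickets):
    """Id of an approved ticket that names this item and covers the observation time."""
    if observed_at is None:
        return None
    t = _ts(observed_at)
    for tk in tickets:
        if tk["item"] == item and _ts(tk["start"]) <= t <= _ts(tk["end"]):
            return tk["id"]
    return None


def reconcile(baseline, current, tickets):
    """Compare controlled items against the approved baseline.

    baseline: item -> sha256 hex of the approved content
    current:  item -> (content bytes or None if removed, ISO-8601 UTC observation time)
    Returns (approved, unauthorized); each entry is {"item", "kind", "ticket"}.
    """
    approved, unauthorized = [], []
    for item in sorted(set(baseline) | set(current)):
        content, seen = current.get(item, (None, None))
        if item not in baseline and content is not None:
            kind = "added"
        elif content is None:
            kind = "removed"
        elif fingerprint(content) != baseline[item]:
            kind = "modified"
        else:
            continue  # matches the baseline; nothing to review
        ticket = ticket_for(item, seen, tickets)
        entry = {"item": item, "kind": kind, "ticket": ticket}
        (approved if ticket else unauthorized).append(entry)
    return approved, unauthorized


# Constructed sample data: the baseline from the last approved release,
# one approved ticket, and what a scan observed the following night.
BASELINE = {
    "/etc/sudoers": fingerprint(b"root ALL=(ALL) ALL\n%wheel ALL=(ALL) ALL\n"),
    "/opt/pos/config.ini": fingerprint(b"[db]\nhost=db01\nssl=required\n"),
    "/opt/pos/bin/pos-agent": fingerprint(b"release-4.2 binary"),
}
TICKETS = [
    {"id": "CHG-1042", "item": "/opt/pos/config.ini", "approver": "change-board",
     "start": "2009-02-10T01:00:00Z", "end": "2009-02-10T03:00:00Z"},
]
CURRENT = {
    "/etc/sudoers": (b"root ALL=(ALL) ALL\n%wheel ALL=(ALL) ALL\n"
                     b"svc-backup ALL=(ALL) NOPASSWD: ALL\n", "2009-02-10T02:30:00Z"),
    "/opt/pos/config.ini": (b"[db]\nhost=db02\nssl=required\n", "2009-02-10T01:45:00Z"),
    "/opt/pos/bin/pos-agent": (b"release-4.2 binary", "2009-02-10T02:30:00Z"),
    "/opt/pos/bin/helper": (b"unexpected new binary", "2009-02-10T02:31:00Z"),
}

if __name__ == "__main__":
    ok, bad = reconcile(BASELINE, CURRENT, TICKETS)
    for e in ok:
        print(f"approved   {e['kind']:8} {e['item']} ({e['ticket']})")
    for e in bad:
        print(f"UNAUTHORIZED {e['kind']:8} {e['item']}")
```

Run against the sample, the config change is matched to CHG-1042 and passes, while the extra sudoers line and the new binary are reported with no ticket. The same check also flags a change made under a real ticket but outside its approved window, which is the case that a plain "was there a ticket?" review tends to miss.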

  • Rapidly Expiring Access And Assets
    What makes some organizations targets is that they have massive volumes of confidential data that has resale value on the black market. Therefore, any tools and techniques that can limit the value of this information are a way to reduce the “attack surface” of the organization. Tools such as one-time passwords (OTPs) and single-use credit card numbers can fundamentally reduce the ability of hackers or insiders to steal massive volumes of data that can be used to generate fraudulent transactions, steal identities, etc. Mobile payment security technologies will greatly increase the awareness and use of OTPs. I would also expect to see greater use of OTPs and single-use cards (along with tokenization) as targeted businesses upgrade their applications and access controls in light of what is likely to be an ongoing series of security breaches of “compliant” businesses.
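Both ideas in this section, one-time passwords and single-use card numbers, reduce what a stolen record is worth rather than trying harder to hide it. As an added example (not code from the column or from any vendor it names), the block below implements HOTP as specified in RFC 4226 with a verifier that burns each counter on use, and a hypothetical `SingleUseTokenVault` whose token-to-PAN mapping is destroyed on first redemption or at expiry. The shared secret is the RFC 4226 test-vector secret and the PAN is a constructed sample; a production verifier would also persist the counter and rate-limit attempts.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1 over the 8-byte counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Accepts a code once, within a small look-ahead window, then moves past it."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.next_counter = 0   # lowest counter still acceptable
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1   # burns this and every earlier counter
                return True
        return False   # replayed, stale, or outside the window


class SingleUseTokenVault:
    """Hypothetical vault: a random token stands in for the PAN exactly once.

    Time is passed in explicitly (seconds) so behaviour is deterministic.
    """

    def __init__(self, ttl_seconds: float = 300):
        self.ttl = ttl_seconds
        self._live = {}   # token -> (pan, expires_at)

    def issue(self, pan: str, now: float) -> str:
        token = secrets.token_hex(8)
        self._live[token] = (pan, now + self.ttl)
        return token

    def redeem(self, token: str, now: float):
        entry = self._live.pop(token, None)   # removed on first use, whatever the outcome
        if entry is None or now > entry[1]:
            return None
        return entry[0]


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 4226 test-vector secret
    v = OtpVerifier(secret)
    code = hotp(secret, 0)
    print(code, v.verify(code), v.verify(code))   # second use is refused
    vault = SingleUseTokenVault(ttl_seconds=60)
    t = vault.issue("4111111111111111", now=0)     # constructed sample PAN
    print(vault.redeem(t, now=10), vault.redeem(t, now=11))
```

The property worth noticing is the same in both halves: a code or token copied from a log, a network capture or a stolen database is already dead by the time it is sold, so the "massive volume" the column worries about loses its market value even when the breach itself is not prevented.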

  • The Bottom Line
    I’d like to hear other examples of “best practices” and other examples of how to cost-effectively go beyond PCI to protect targeted enterprises. For more information, please visit the PCI Knowledge Base and/or send me an E-mail at


    One Comment

    1. A Reader Says:

      I agree completely that good key management is critical to long-term success, but it is both hard and expensive. The problem some organizations find themselves in now is that PCI caused them to rush to protect data across the enterprise, and in that rush they bypassed coordination efforts. They are now stuck with an ad hoc collection of keys and no centralized key managers.

      Retrofitting a key management infrastructure on top of an existing deployment of hundreds of keys is also a challenge. On the plus side, the keys created should all have been well documented in accordance with PCI standards, so it shouldn’t be a nightmare to hunt them down.

      As far as best practices go, a good starting place is the creation of a data security standard. An organization needs to lay out clear principles regarding security. They need to identify the data to be protected, roles that must be filled, separation of duties, types of keys, key life cycles, approved tools, protocols and algorithms, etc. They should also institute a security review process with a qualified party (a reputable PCI auditor or security firm should be able to provide this service.)

      Unfortunately, such things do not simply come in a download off the internet or from a lecturer’s notes; they require creating and fostering an ongoing commitment to data security. Having a stable of qualified security professionals to create this movement is almost impossible for any but the largest of organizations, so these efforts usually require outside help to get them jump-started.

      Sadly, an organization trying to “skimp” on PCI is equally likely to not see the value of the creation of a data security team. Yet these same organizations will spend money on cameras, anti-theft devices, and trained investigators, because they understand the value of physical security. It’s a curious gap.

