Are Standards Like PCI-DSS Doing Enough to Protect Cardholder Data?
By Jason Brooks, J-Sec Consultancy
Bear with me and I will circle back round to the question in the title...
Long gone are the days of the traditional crook with a bag marked "swag" and a sawn-off shotgun. Today's crook is highly intelligent, with sophisticated methods of breaching your IT security perimeter and exfiltrating your data. As I trawl through my inbox, I receive an all too familiar email, "Important Update Regarding Your Account", which goes on to explain how on a specific date the organisation has been the victim of criminal activity resulting in the theft of my data, including name, address, email address and varying digits of my banking, credit or debit card information, etc.
We all know that a breach will typically hit the share price of the affected company on the day the breach is announced. For small businesses, the consequences may be more dire.
For example, TalkTalk shares recently fell by 25% after their third data breach in 2015.
Are these losses in both a company valuation and public confidence enough for many businesses to re-evaluate and implement the right controls to prevent and quickly detect breaches of this nature? Are we as humans and consumers simply becoming numb/apathetic to the volume, velocity and value of breaches today?
What value do you put on your personal data?
Well, the Ponemon Institute has an answer: the cost of a data breach varies from a $154 global average per record up to $363 per record, depending on many factors such as geography and the value of the data obtained. That is the cost to the business, not to you as an individual. When your data is compromised and used fraudulently, you enter a world of hurt for the next 2-3 years sorting the mess out. Given the volume of breaches, it is becoming harder to isolate and prove the root source of a compromise.
If we look at PCI-DSS, the standard focuses on cardholder data: it requires that information such as the card number (PAN), PIN and CVV is protected and encrypted at rest, and that access management controls, penetration testing and patch management programmes are in place. To be fair to PCI-DSS, it has never claimed to be the gold standard in security. Its authors have always maintained that the rules are the minimum level of security expected of merchants and payment processors.
However, in the field, I regularly hear a cry of foul when I suggest that the customer data to be protected should also include name, address, date of birth and email address; in fact, anything that could be useful to a potential hacker. The reason? It's not required as part of PCI, so it is "safe" to store in the clear!
Fraud engines work on patterns of spending habits, geographic locations and trends. Depending on the algorithms employed, these have a varying degree of accuracy (see the 2015 Payment Knowledge Forum conference presentation "Latest State of Machine Learning with Transaction Systems" by Professor Bob John of Nottingham University and David Lock of Insider Technologies).
In theory, when a fraudster clones or steals your payment card and goes on a shopping spree, chances are these fraud engines will pick up the irregular pattern and invoke preventative controls to limit the damage. The engines work precisely because the spending is irregular; the fraudster simply tosses the blocked card to one side and moves on to the next.
Now imagine this scenario...
Do you think all breaches are random acts of chance and opportunity? What if the hackers are more organised than you think? What if they have built a data warehouse of compromised details, accounts and passwords, and are quietly and patiently profiling your spending patterns, locations, purchases and loans?
The fraudster can then match compromised details against a shopping list that fits your profile, maximising the return on each compromised record. In turn this creates a bigger headache for the consumer: how do you distinguish a fraudulent transaction from one the customer genuinely made? How does the customer prove to their financial provider that it wasn't their transaction? When this happens, fraud rule engines will need a major rethink to counter the scenario, or payments will have to evolve beyond the digits on your plastic.
This scenario has been one of my concerns since the late '90s, with the advent of all things connected. Many think it would be a huge effort and require large-scale co-ordination. Many think it far-fetched. However, what if I were to tell you that the foundation is already in place? Only this week, a Russian hacker going by the handle "Mr Grey" was found sitting on 1.2 billion compromised accounts. Makes you think!
In summary, standards like PCI-DSS go a long way towards securing cardholder data, but in the financial world the standard falls short in the operational context. All data that can be intelligently associated with a payment (whether a PAN, sort code, account number, name or address) must be encrypted. Passwords must be stored as salted hashes, so that the data is harder to recover and online hash-cracking dictionaries become redundant.
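To make the last point concrete, here is an added example (not code from the article or from J-Sec) showing why a per-user salt defeats precomputed hash dictionaries: the same password hashed without salt is found instantly in a constructed lookup table, while the salted PBKDF2-HMAC-SHA256 digest is not, and two users sharing a password get different stored values. The iteration count is an assumed work factor.

```python
import hashlib
import hmac
import os

# Constructed example: a tiny precomputed SHA-256 table of the kind an
# online "hash lookup" service holds, keyed by the unsalted digest.
COMMON_PASSWORDS = ["password", "123456", "letmein"]
PRECOMPUTED = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune to your hardware


def lookup_unsalted(digest_hex):
    """Return the password behind an unsalted SHA-256 digest if the table has it."""
    return PRECOMPUTED.get(digest_hex)


def hash_password(password, salt=None):
    """Return (salt, digest) using a fresh 16-byte random salt per user."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, stored_digest):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def demo(password="letmein"):
    """Contrast unsalted and salted storage for one common password."""
    unsalted_hex = hashlib.sha256(password.encode()).hexdigest()
    found_unsalted = lookup_unsalted(unsalted_hex)        # table hit
    salt, digest = hash_password(password)
    found_salted = PRECOMPUTED.get(digest.hex())          # None: table is useless
    _, digest_other_user = hash_password(password)        # different salt
    return (
        found_unsalted,
        found_salted,
        digest != digest_other_user,
        verify_password(password, salt, digest),
    )


if __name__ == "__main__":
    print(demo())  # ('letmein', None, True, True)
```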
More importantly, what are your thoughts?
Make your thoughts known through our LinkedIn group