<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
		>
<channel>
	<title>Comments on: The Global Payments Breach</title>
	<atom:link href="http://pciguru.wordpress.com/2012/03/30/the-global-payments-breach/feed/" rel="self" type="application/rss+xml" />
	<link>http://pciguru.wordpress.com/2012/03/30/the-global-payments-breach/</link>
	<description>A common sense approach to achieving PCI compliance and retaining your sanity</description>
	<lastBuildDate>Tue, 18 Jun 2013 10:50:11 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
	<item>
		<title>By: PCIGuru</title>
		<link>http://pciguru.wordpress.com/2012/03/30/the-global-payments-breach/#comment-1833</link>
		<dc:creator><![CDATA[PCIGuru]]></dc:creator>
		<pubDate>Fri, 06 Apr 2012 16:51:36 +0000</pubDate>
		<guid isPermaLink="false">http://pciguru.wordpress.com/?p=997#comment-1833</guid>
		<description><![CDATA[According to my friends in the forensic world, Visa&#039;s statement that &quot;No compromised entity to date has been found to be in compliance ...&quot; is rapidly coming to an end.  While the majority of breaches are the result of PCI non-compliance, in the past year, I know of a few investigations that found that the entity in question was PCI compliant yet was still breached.  Granted, the card brands are not happy with these results, but it does show that being PCI compliant is not the be all to end all.  An organization really does have to go above and beyond the PCI DSS requirements to be secure and I am sure we will see that reflected in the PCI DSS v3.0.]]></description>
		<content:encoded><![CDATA[<p>According to my friends in the forensic world, Visa&#8217;s statement that &#8220;No compromised entity to date has been found to be in compliance &#8230;&#8221; is rapidly coming to an end.  While the majority of breaches are the result of PCI non-compliance, in the past year, I know of a few investigations that found that the entity in question was PCI compliant yet was still breached.  Granted, the card brands are not happy with these results, but it does show that being PCI compliant is not the be all to end all.  An organization really does have to go above and beyond the PCI DSS requirements to be secure and I am sure we will see that reflected in the PCI DSS v3.0.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Steve Sommers</title>
		<link>http://pciguru.wordpress.com/2012/03/30/the-global-payments-breach/#comment-1830</link>
		<dc:creator><![CDATA[Steve Sommers]]></dc:creator>
		<pubDate>Thu, 05 Apr 2012 23:03:26 +0000</pubDate>
		<guid isPermaLink="false">http://pciguru.wordpress.com/?p=997#comment-1830</guid>
		<description><![CDATA[This is almost the same comment I made on a related post in storefrontbacktalk.com as it applies here as well...

In the past, Visa has stated, “No compromised entity to date has been found to be in compliance with PCI DSS at the time of the breach. In all cases, forensic investigations have concluded that compliance deficiencies have been a major contributor to the breach.” This quote can be taken two ways. Either PCI is perfect and all-encompassing and compliance guarantees you won’t be breached; or there are so many “gotchas” in PCI that no one can escape non-compliance. I personally believe that PCI is written in such a way -- and interpretations among QSAs vary so much -- as to make it impossible for anyone to be 100% compliant 100% of the time. From the simple fact that Global was breached, PCI non-compliance was already a fait accompli. My hope is that someday the card brands, law enforcement, and the media will prosecute the hackers and thieves that are stealing the data as harshly as they prosecute the merchants, banks, and processors that are victims of a breach for non-compliance.]]></description>
		<content:encoded><![CDATA[<p>This is almost the same comment I made on a related post in storefrontbacktalk.com as it applies here as well&#8230;</p>
<p>In the past, Visa has stated, “No compromised entity to date has been found to be in compliance with PCI DSS at the time of the breach. In all cases, forensic investigations have concluded that compliance deficiencies have been a major contributor to the breach.” This quote can be taken two ways. Either PCI is perfect and all-encompassing and compliance guarantees you won’t be breached; or there are so many “gotchas” in PCI that no one can escape non-compliance. I personally believe that PCI is written in such a way &#8212; and interpretations among QSAs vary so much &#8212; as to make it impossible for anyone to be 100% compliant 100% of the time. From the simple fact that Global was breached, PCI non-compliance was already a fait accompli. My hope is that someday the card brands, law enforcement, and the media will prosecute the hackers and thieves that are stealing the data as harshly as they prosecute the merchants, banks, and processors that are victims of a breach for non-compliance.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: PCIGuru</title>
		<link>http://pciguru.wordpress.com/2012/03/30/the-global-payments-breach/#comment-1823</link>
		<dc:creator><![CDATA[PCIGuru]]></dc:creator>
		<pubDate>Wed, 04 Apr 2012 12:34:05 +0000</pubDate>
		<guid isPermaLink="false">http://pciguru.wordpress.com/?p=997#comment-1823</guid>
		<description><![CDATA[Pre- and post-authorization are very clearly defined; unfortunately, people forget to review all of the documents related to the PCI DSS such as the Glossary and the like.

However, in QSA and I would assume ISA training, until a transaction has been approved or declined, then we are in the pre-authorization phase and all cardholder data is allowed to be processed, stored and transmitted.  Once the transaction has been approved or declined, then we are in the post-authorization phase and cardholder data that can be processed, stored or transmitted is restricted to only the cardholder name, PAN and expiration date.]]></description>
		<content:encoded><![CDATA[<p>Pre- and post-authorization are very clearly defined; unfortunately, people forget to review all of the documents related to the PCI DSS such as the Glossary and the like.</p>
<p>However, in QSA and I would assume ISA training, until a transaction has been approved or declined, then we are in the pre-authorization phase and all cardholder data is allowed to be processed, stored and transmitted.  Once the transaction has been approved or declined, then we are in the post-authorization phase and cardholder data that can be processed, stored or transmitted is restricted to only the cardholder name, PAN and expiration date.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: PIN head</title>
		<link>http://pciguru.wordpress.com/2012/03/30/the-global-payments-breach/#comment-1818</link>
		<dc:creator><![CDATA[PIN head]]></dc:creator>
		<pubDate>Mon, 02 Apr 2012 17:54:24 +0000</pubDate>
		<guid isPermaLink="false">http://pciguru.wordpress.com/?p=997#comment-1818</guid>
		<description><![CDATA[It is interesting that you mention the post authorization aspect of the PCI DSS. A few weeks ago as I was preparing for a training presentation I had researched this by review of version 1.2 and version 2 of the PCI DSS. There is clearly a requirement about the prohibition of storage of track and other security data after authorization. However, it is not clear how the DSS applies to the authorization process. There is a statement that CDE does include the authorization process and the PA-DSS applies to the authorization and settlement process, but there are no clear statements on the security of cardholder data during the authorization. Could it be that this is purposely vague? Obviously there have been data breaches where the authorization transactions were sniffed and recorded, going all the way back to the Card Systems breach.]]></description>
		<content:encoded><![CDATA[<p>It is interesting that you mention the post authorization aspect of the PCI DSS. A few weeks ago as I was preparing for a training presentation I had researched this by review of version 1.2 and version 2 of the PCI DSS. There is clearly a requirement about the prohibition of storage of track and other security data after authorization. However, it is not clear how the DSS applies to the authorization process. There is a statement that CDE does include the authorization process and the PA-DSS applies to the authorization and settlement process, but there are no clear statements on the security of cardholder data during the authorization. Could it be that this is purposely vague? Obviously there have been data breaches where the authorization transactions were sniffed and recorded, going all the way back to the Card Systems breach.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: PCIGuru</title>
		<link>http://pciguru.wordpress.com/2012/03/30/the-global-payments-breach/#comment-1817</link>
		<dc:creator><![CDATA[PCIGuru]]></dc:creator>
		<pubDate>Fri, 30 Mar 2012 23:12:15 +0000</pubDate>
		<guid isPermaLink="false">http://pciguru.wordpress.com/?p=997#comment-1817</guid>
		<description><![CDATA[I am the first to tell anyone that security is not perfect.

This was the breach of a processor, so we need to know more about where in the transaction process any track data was obtained.  If it was during the authorization phase, then there was no violation of the PCI DSS as it was still pre-authorization data.  I know a lot of people do not like that, but those are the current rules.  If it was post-authorization, then processor or not, there should not have been track data anywhere available.

While the card is part of the problem, the card processing issue did not become a problem until things were converted over to IP as the communication protocol.  Prior to that, everything ran on communication protocols that were not as susceptible to attacks.  IP is a wonderful, open communication protocol stack, but it is its openness that trips up security.  Security issues have been found with everything as they convert from Bisync, DECnet or SNA/SDLC to IP.  Data streams that were never worried about under their &#039;proprietary&#039; protocols were now susceptible to all sorts of issues because IP is open and everyone can gain access unless controls are put in place.

At the end of the day, it is the card brands who push the infallibility of the PCI standards that cause companies to be tossed under the bus.  The card brands refuse to admit that security is not perfect.]]></description>
		<content:encoded><![CDATA[<p>I am the first to tell anyone that security is not perfect.</p>
<p>This was the breach of a processor, so we need to know more about where in the transaction process any track data was obtained.  If it was during the authorization phase, then there was no violation of the PCI DSS as it was still pre-authorization data.  I know a lot of people do not like that, but those are the current rules.  If it was post-authorization, then processor or not, there should not have been track data anywhere available.</p>
<p>While the card is part of the problem, the card processing issue did not become a problem until things were converted over to IP as the communication protocol.  Prior to that, everything ran on communication protocols that were not as susceptible to attacks.  IP is a wonderful, open communication protocol stack, but it is its openness that trips up security.  Security issues have been found with everything as they convert from Bisync, DECnet or SNA/SDLC to IP.  Data streams that were never worried about under their &#8216;proprietary&#8217; protocols were now susceptible to all sorts of issues because IP is open and everyone can gain access unless controls are put in place.</p>
<p>At the end of the day, it is the card brands who push the infallibility of the PCI standards that cause companies to be tossed under the bus.  The card brands refuse to admit that security is not perfect.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: PIN head</title>
		<link>http://pciguru.wordpress.com/2012/03/30/the-global-payments-breach/#comment-1816</link>
		<dc:creator><![CDATA[PIN head]]></dc:creator>
		<pubDate>Fri, 30 Mar 2012 21:10:34 +0000</pubDate>
		<guid isPermaLink="false">http://pciguru.wordpress.com/?p=997#comment-1816</guid>
		<description><![CDATA[You may be reading too much into the &quot;... compromised between Jan. 21, 2012 and Feb. 25, 2012&quot; statement. This is still very early in the public notification phase of the incident. It seems that there is no proper time to notify the public on breaches (or any other type of crime). If they wait until they have more information and evidence they are criticized for not making notification earlier. If they notify too soon, there is too much speculation and rumors. No matter what, our industry will no doubt throw Global under the PCI bus.

Some things for all of us to remember:

- Compliance with the PCI DSS mitigates the threat of a data breach, it does not eliminate it.
- Breaches will continue as long as the track data is so valuable, we should learn from these
    events more than blame.
- The card brands continue to offer a very weak and susceptible payment product and continue
    to rely on the acceptors of the product to invest to make the weak product more secure.]]></description>
		<content:encoded><![CDATA[<p>You may be reading too much into the &#8220;&#8230; compromised between Jan. 21, 2012 and Feb. 25, 2012&#8243; statement. This is still very early in the public notification phase of the incident. It seems that there is no proper time to notify the public on breaches (or any other type of crime). If they wait until they have more information and evidence they are criticized for not making notification earlier. If they notify too soon, there is too much speculation and rumors. No matter what, our industry will no doubt throw Global under the PCI bus.</p>
<p>Some things for all of us to remember:</p>
<p>- Compliance with the PCI DSS mitigates the threat of a data breach, it does not eliminate it.<br />
- Breaches will continue as long as the track data is so valuable, we should learn from these<br />
    events more than blame.<br />
- The card brands continue to offer a very weak and susceptible payment product and continue<br />
    to rely on the acceptors of the product to invest to make the weak product more secure.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
