Archive for April 25th, 2009


More On The House Hearing On PCI

Okay, I just had to get more of my two cents into what is turning into a debacle. Linda McGlasson posted the latest swipe at the PCI DSS in her blog, ‘The Agency Insider’. The entry is titled ‘Is PCI the Humpty Dumpty of Information Security?’

The first quote that I want to discuss is one from an ‘unnamed security expert’. According to Ms. McGlasson, “PCI, according to an unnamed security expert at a financial institution, is ‘clearly not good enough to defend against the sophisticated attacks we are experiencing.’ The use of clear text card data on any network is just asking for trouble, my source says, but under current PCI requirements it is allowed provided the network is private, i.e., not connected to the Internet.” First, I have a problem with any ‘expert’ who goes unnamed. If you do not or cannot have your name associated with a quote, then you just should not be quoted.

The next issue I have is the use of the word ‘sophisticated’ regarding these attacks. Based on the facts publicly available regarding the Hannaford, Heartland and RBS WorldPay breaches, I do not think the word ‘sophisticated’ is justified. In the case of Hannaford, it appears that someone created a ‘doctored’ server image containing the malware and then substituted that image for the good one. That took a lot of sophistication – NOT! In the case of Heartland, somehow a Trojan was inserted into their network. Given the ease with which Trojans are inserted into networks every day, I am not sure I would call that sophisticated either. The RBS WorldPay attack appears to be the same as the Heartland attack, but I have not seen enough specifics about it to say that it, too, was a Trojan infiltration. In the end, however, I am guessing that none of these attacks was particularly sophisticated.

Ms. McGlasson’s so-called ‘expert’ apparently does not have a clue about what is going on out in the ‘real’ world. Why? Because the malware in these breaches sat on the systems that handled the card data, and those systems have to see the data in the clear to process it. Even if encryption had been implemented between the devices à la Kerberos, VPN, etc., these attacks would have succeeded, as the attackers would still have had access to the data they sought – encrypted network or otherwise. Link encryption protects the wire, not the host. So, I am really suspicious of her unnamed ‘expert’.

Finally, on this topic, we need to split a PCI DSS hair here, so to speak. What we have been talking about, at least for the Hannaford breach, is pre-authorization data. Guess what? The protection of cardholder data pre-authorization is not covered by the PCI DSS. Why? Because there are so many variations on how pre-authorization is performed. Airlines and hotels can hang onto cardholder data for days, weeks or months until a flight is flown or a hotel stay is completed. When you purchase gasoline, the dealer can hold your card for pre-authorization from the time you swipe it until you finish filling your tank. In the end, the card brands and the PCI SSC have told merchants to treat the cardholder data they hold pre-authorization just the same as they do post-authorization, and if anything more securely, since pre-authorization data typically includes the sensitive authentication data (full track contents, card verification codes, PIN blocks) that may never be stored after authorization. Formal standards for pre-authorization data from the PCI SSC have been in the works for the past two and a half years and are expected to be released sometime this year.

The next quote that drove me over the edge was related to Chip and PIN. Ms. McGlasson states, “After looking at what other countries are doing with “chip and PIN” technology to cut fraud, such as all of Spain’s merchants agreeing to use chip and PIN, even Clarke came to the conclusion that the US is behind on technology.” When are people going to do some real research and find out that Chip and PIN has its own issues (see my post on Chip and PIN)?

Chip and PIN was developed to fight face-to-face transaction fraud, not the crimes that the PCI DSS is trying to address. The PCI DSS addresses fraud that occurs after a transaction has been processed and the data has been stored in a database or file on a computer system. Chip and PIN shares the same back-end processing infrastructure as all other credit cards, so Chip and PIN is not an answer to the Heartland and RBS WorldPay sorts of breaches. Worse, while Chip and PIN could secure online transactions much better than they are secured today, the card brands have not published standards for implementing online security with Chip and PIN. So, online transactions are not any better protected with Chip and PIN than with any other credit card.

To address the pre-authorization issue, the only encryption solution that will ever reduce the risk to transactions is to encrypt the transaction from the point where the card is read all the way to the processor. This is likely where Ms. McGlasson thinks Chip and PIN comes into the picture, but she did not articulate that very well in her post. What needs to be done is to ensure that, from the terminal to the processor, the data stream is fully encrypted, so that the POS host and every other system in between only ever handles ciphertext. This will create some potential issues with some integrated POS solutions, but I am sure the vendors of those solutions can work that out. It will also likely result in some standard APIs for credit card processing, which will be a good thing. Standards usually get a good vetting and are typically quite good at addressing the known issues once they are published.
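To make the difference concrete, here is an added example (my own illustration, not code from the original post or from any PCI SSC or vendor material) that models both designs discussed above: the network-only encryption that would not have stopped a Trojan on the host, and terminal-to-processor encryption where the host never sees the clear track data. The cipher is a stand-in: an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, chosen only so the script runs on the Python standard library; a real deployment uses a PTS-approved terminal with DUKPT (ANSI X9.24) keys and AES or TDES. The `HostSniffer` class plays the part of host-resident malware, and all card data is constructed test data (the 4111... test PAN).

```python
import hashlib
import hmac
import json
import os

# Constructed track-2-style data using the 4111... test PAN (not a real card).
SAMPLE_TRACK2 = "4111111111111111=25121010000012345678"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key+nonce into a keystream with HMAC-SHA256 in counter mode."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _subkeys(key: bytes) -> tuple:
    """Separate encryption and MAC keys derived from one shared key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in AEAD: returns nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag before decrypting; raises ValueError on tampering."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def mask_pan(pan: str) -> str:
    """PCI DSS 3.3 style masking: at most first six and last four digits shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class HostSniffer:
    """Stand-in for malware on the POS host: records everything the host app handles."""

    def __init__(self):
        self.captured = []

    def observe(self, message: dict) -> None:
        self.captured.append(json.dumps(message))

    def saw_full_pan(self, pan: str) -> bool:
        return any(pan in m for m in self.captured)


def legacy_flow(track2: str, link_key: bytes, sniffer: HostSniffer) -> str:
    """Terminal hands clear track data to the POS host; only the host-to-processor
    hop is encrypted (a VPN or Kerberos-style link). Returns the authorized PAN."""
    pan = track2.split("=")[0]
    host_message = {"pan": pan, "track2": track2, "amount": "42.00"}  # clear on the host
    sniffer.observe(host_message)
    wire = encrypt(link_key, json.dumps(host_message).encode())
    return json.loads(decrypt(link_key, wire))["pan"]


def p2pe_flow(track2: str, terminal_key: bytes, sniffer: HostSniffer) -> str:
    """Terminal encrypts the track under a key shared only with the processor;
    the host forwards the blob and keeps just a masked PAN for the receipt."""
    pan = track2.split("=")[0]
    blob = encrypt(terminal_key, track2.encode())  # happens inside the terminal
    host_message = {"masked_pan": mask_pan(pan),
                    "encrypted_track": blob.hex(), "amount": "42.00"}
    sniffer.observe(host_message)
    processor_track = decrypt(terminal_key, bytes.fromhex(host_message["encrypted_track"]))
    return processor_track.decode().split("=")[0]


def tampered_blob_rejected() -> bool:
    """A blob altered in transit (or by host malware) must fail at the processor."""
    key = os.urandom(32)
    blob = bytearray(encrypt(key, SAMPLE_TRACK2.encode()))
    blob[20] ^= 0x01  # flip a bit inside the ciphertext
    try:
        decrypt(key, bytes(blob))
    except ValueError:
        return True
    return False


def run_demo() -> dict:
    """Runs both flows past a host sniffer and reports what it captured."""
    pan = SAMPLE_TRACK2.split("=")[0]
    legacy_sniffer, p2pe_sniffer = HostSniffer(), HostSniffer()
    legacy_pan = legacy_flow(SAMPLE_TRACK2, os.urandom(32), legacy_sniffer)
    p2pe_pan = p2pe_flow(SAMPLE_TRACK2, os.urandom(32), p2pe_sniffer)
    return {
        "both_flows_authorize_same_pan": legacy_pan == p2pe_pan == pan,
        "legacy_host_exposes_pan": legacy_sniffer.saw_full_pan(pan),
        "p2pe_host_exposes_pan": p2pe_sniffer.saw_full_pan(pan),
        "tampering_detected": tampered_blob_rejected(),
    }
```

Running `run_demo()` shows the point of the post: both designs authorize the same transaction, but in the legacy flow the sniffer on the host captures the full PAN and track despite the encrypted link to the processor, while in the terminal-encrypting flow it captures only a masked PAN and a ciphertext it cannot read. The tamper check is the part integrated POS vendors need to get right: the processor must reject any blob whose tag does not verify rather than fall back to a clear-text path.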

I really wish these pundits and so-called ‘experts’ knew what they were talking about so that we could move on to securing the data. Nevertheless, it looks like people like me will have to continue debunking the statements they keep tossing out there.


Welcome to the PCI Guru blog. The PCI Guru reserves the right to censor comments as they see fit. Sales people beware! This is not a place to push your goods and services.
