Global Payments Inc. of Atlanta, the credit card processing firm that was breached sometime earlier this year, couldn't keep hackers out of its system, but the firm's leaders seem determined to keep the press outside their public relations wall.
Since the breach became public March 30, the company has issued a general statement and set up a web page for customers and merchants.
But in a conference call with investors Monday morning, CEO Paul R. Garcia refused to take questions from reporters. A call from CSO seeking comment was not returned.
Garcia instead spent most of the conference call in self-congratulatory mode, saying that the company's own security measures detected the breach, that it notified law enforcement and card associations "within hours," and that so far there had been no fraudulent activity on any of the compromised cards.
This, says Bruce Schneier, chief security technology officer at BT, should be no surprise. "They are going to do what they think is best for the company," he says, acknowledging that trying to block media coverage might not be the best strategy.
He said the Tylenol case from 30 years ago, in which manufacturer Johnson & Johnson was unusually transparent with the press and public after somebody laced capsules with cyanide, "is a great example because it is so rare --(a case of) full disclosure and getting ahead of the story and irrational panic. But in the heat of the moment, that is not always what people do."
Independent security consultant James Arlen says his best guess is that GP wants to have, "a well-defined story to tell prior to letting anyone in. Essentially, it's cleaning up the crime scene to insure that only their version of what happened will come to light."
Security blogger Brian Krebs, who broke the story of the breach last Friday, reported that as many as 10 million cards may have been compromised, that sources had told him there had been fraudulent activity on at least 800 cards and that both Track 1 and Track 2 data had been taken.
But Garcia said during the conference call that the breach had occurred early in March, that 1.5 million cards had been compromised, and that only Track 2 data, which includes the card account number and expiration date, along with other data, had been stolen. He said the attackers did not get cardholder names, addresses and Social Security numbers. He characterized much of the reported information about the breach as, "rumor and innuendo, most of it incredibly inaccurate."
The information security community views that skeptically. Krebs wondered on his blog if Garcia was talking about two separate breaches.
Chester Wisniewski, senior security adviser at Sophos, says that at a minimum, Garcia "sounded evasive in his statements. If this is one incident, there is a bit of a smell about it." There will still be fallout for GP. Although it was certified compliant with PCI DSS prior to the breach, Visa announced over the weekend that it had removed the company from its registry of PCI DSS-validated service providers, pending its own forensic investigation.
Garcia acknowledged that the company would likely face fines from card companies and have to cover the costs of issuing replacement cards.
But Schneier says the good news for GP is that long-term damage is unlikely. "The data we have is that the effects are short-lived, both in how they affect customers and stock prices." Indeed, being PCI compliant is little more than a public-relations gold star -- a "low bar that is not enough to protect you," according to Wisniewski.
Arlen says in the real world, "it's very easy to be compliant without being secure and secure without being compliant. Equating security and compliance is like equating 'ability to drive' with 'correctly uses hair products.' Both are necessary for a great car commercial but there is no transferrable skill between them."
All three say it is possible that auditing of the firm's compliance was not rigorous enough. "There is no way to know for sure," Wisniewski says, "but the difference in auditors can be vast. They shouldn't just be checking boxes they should require proof that things are effective and doing job properly."
Arlen suggests following the money. "The client pays the auditor to produce a report. As long as the auditor is beholden to the client, the auditor is at risk of doing what is necessary to ensure the flow of funds," he says.
"What will be truly telling is the level of transparency from the card brands, the issuing banks and the affected processor itself," he adds. "If this is a transparent process that includes significant details about what mistakes were made and by whom, I will have my faith in humanity restored."
None of these experts see revisions of PCI as a magic bullet that will prevent similar future breaches.
"The only meaningful change is to change PCI from a regulatory notion to legislative control, which has significant criminal liability for the people behind the retailers, the card brands, issuing and acquiring banks and intermediaries such as processors," Arlen says.
Schneier contends that the calls for tighter PCI standards are practically irrelevant, because data breaches are so frequent and the details of each attack are "surprisingly unique," and by the time that vulnerability is addressed, the attackers are on to other methods.
There are, "probably a half-billion things (GP) could do," to improve its security, he says, "but I don't know what the top two or three would be. There is no fast answer."