The latest data security breach to strike MasterCard and VISA has security experts focusing anew on the good and bad of PCI DSS. On one hand, the standard offers a clear blueprint on how to handle such a breach. On the other hand, compliance is usually not the cure, as this latest incident demonstrates.
"While the scope and details of the attack are not yet known, it shows three years after the Heartland Payment Systems breach of 130 million credit card numbers that credit card data is still vulnerable," said Neil Roiter, research director at Corero Network Security. "The Payment Card Industry Data Security Standard (PCI DSS) is highly prescriptive in nature, but simply complying does not ensure credit card security. Companies that rely on PCI DSS to solely dictate their security measures will continue to remain vulnerable to attack."
As many as 10 million users of VISA and MasterCard may have had their card numbers compromised in what sources in the financial sector are calling a "massive" breach of a U.S.-based credit card processor.
The news was first reported this morning by Brian Krebs in his KrebsonSecurity blog.
Ted Julian, chief marketing officer of Co3 Systems, a data loss management firm, estimates the potential liability for a merchant with 1 million cards compromised could top $1.6 million from compliance fines alone.
Krebs said the two credit card firms issued non-public alerts last week to banks about specific cards that may have been compromised in a breach of the so-far unnamed processor between Jan. 21 and Feb. 25 of this year.
"Affected banks are now starting to analyze transaction data on the compromised cards, in hopes of finding a common point of purchase," Krebs wrote. "Sources at two different major financial institutions said the transactions that most of the cards they analyzed seem to have in common are that they were used in parking garages in and around the New York City area."
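The "common point of purchase" analysis Krebs describes is what an issuing bank does once it has the list of cards on an alert: it looks for a merchant that an unusually large share of those cards have in common during the exposure window. The following is an added example, not code from the article or from any of the institutions it quotes. It uses a constructed transaction list with placeholder card and merchant identifiers, and it takes the Jan. 21 to Feb. 25 window from the article only as the date range to filter on. It goes slightly beyond the article by also computing each merchant's share among all cards, so that a merchant everyone uses (a big grocery chain) is not mistaken for the breach point just because many compromised cards also shopped there.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data. Card and merchant identifiers are placeholders,
# not real account numbers or merchants.
COMPROMISED_CARDS = {"card-0001", "card-0002", "card-0003", "card-0004"}

TRANSACTIONS = [
    # (card id, merchant id, transaction date)
    ("card-0001", "garage-nyc-01", date(2012, 1, 22)),
    ("card-0001", "grocery-17",    date(2012, 2, 3)),
    ("card-0002", "garage-nyc-01", date(2012, 1, 25)),
    ("card-0002", "cafe-02",       date(2012, 2, 10)),
    ("card-0003", "garage-nyc-01", date(2012, 2, 14)),
    ("card-0003", "grocery-17",    date(2012, 2, 20)),
    ("card-0004", "garage-nyc-02", date(2012, 2, 1)),
    ("card-0004", "garage-nyc-01", date(2012, 2, 24)),
    # Cards that are not on the alert list. They provide the baseline for how
    # common each merchant is among the bank's cardholders generally.
    ("card-0101", "grocery-17",    date(2012, 2, 5)),
    ("card-0102", "grocery-17",    date(2012, 2, 6)),
    ("card-0103", "cafe-02",       date(2012, 2, 7)),
    ("card-0104", "grocery-17",    date(2012, 2, 8)),
    # Outside the exposure window; must be ignored by the analysis.
    ("card-0001", "cafe-02",       date(2012, 3, 2)),
]

# Exposure window as reported in the article (assumed here to be the
# filtering range an issuer would apply).
WINDOW_START = date(2012, 1, 21)
WINDOW_END = date(2012, 2, 25)


def common_points_of_purchase(transactions, compromised, window_start, window_end):
    """Rank merchants by how many distinct compromised cards used them in the window.

    Returns a list of tuples
        (merchant, compromised_card_count, share_of_compromised, baseline_share)
    sorted by compromised_card_count descending, then merchant name.
    share_of_compromised is the fraction of alerted cards seen at the merchant;
    baseline_share is the fraction of *all* cards seen there. A merchant with a
    high compromised share and a low baseline share is the interesting one.
    """
    seen_compromised = defaultdict(set)  # merchant -> set of compromised cards
    seen_all = defaultdict(set)          # merchant -> set of all cards
    all_cards = set()
    for card, merchant, when in transactions:
        if not (window_start <= when <= window_end):
            continue
        all_cards.add(card)
        seen_all[merchant].add(card)
        if card in compromised:
            seen_compromised[merchant].add(card)

    ranked = []
    for merchant, cards in seen_compromised.items():
        ranked.append((
            merchant,
            len(cards),
            len(cards) / len(compromised),
            len(seen_all[merchant]) / len(all_cards),
        ))
    ranked.sort(key=lambda row: (-row[1], row[0]))
    return ranked


def analyze_alert_window():
    """Run the analysis over the constructed data with the article's window."""
    return common_points_of_purchase(TRANSACTIONS, COMPROMISED_CARDS,
                                     WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    for merchant, n, share, baseline in analyze_alert_window():
        print(f"{merchant:15s} compromised cards={n} "
              f"share={share:.2f} baseline={baseline:.2f}")
```

On this data the parking garage is used by every alerted card (share 1.0) but only half of all cards, while the grocery chain is used by more cards overall than by alerted ones, which is the signal that distinguishes a likely breach point from a merely popular merchant. Real analysis would run over millions of rows and weigh the window more carefully, but the ranking logic is the same.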
In an interview this morning, Krebs said the fraudulent card use "seemed to be tied to gang activity in New York City, but I haven't heard that from more than one source."
In the grand scheme of credit card breaches, this one does not come close to topping the list -- the Heartland Payment Systems breach in late 2008 involved more than 130 million credit and debit cards and about 175,000 merchants.
But it illustrates once again how vulnerable such systems are to attack.
Anup Ghosh, founder and CEO of Invincea, a developer of browser protection systems, says too much of the security industry is still stuck in the 1990s. "Those protections," he says, "are very easy to circumvent today. Most systems are about telling you what happened after the fact."
Ghosh says the card data was probably encrypted, in compliance with the Payment Card Industry Data Security Standard.
"But compliance as a way of regulating security is equal to complacency," he says, noting that the weak link today is not necessarily the technology, but "Layer 8," the human layer.
"If I target employees, which is how you target these days, it is not very hard in phishing campaigns, to get employees to open an email or click on a link, which then provides access to their desktop and the privileges that come with it," he says. And in that case, "Encryption is worthless."
Ghosh says the way to deal with modern attacks is to "stop depending on employees to make the right decisions.
"We say put the employee in a bubble -- a safe, virtual environment. Then, when they're clicking on those links, they don't give away keys to the kingdom. They just corrupt a virtual environment, which actually produces intelligence for you. What you get is pre-breach forensics."
Given the present reality, however, Julian says retailers affected by the recent breach have to move quickly to comply with PCI DSS standards, to "notify consumers and brands in a timely fashion. Forty-six states have laws on the books to notify consumers if credit card information was put in harm's way. So they're scrambling to find out if they were compromised, and then they have to adapt it to the state matrix."
In an assessment model he created, Julian's list of "minimum recommended actions" includes notifying one trade organization, five state attorneys general, and 900,000 consumers in nine states, telling the credit agency of 600,000 exposures in six states, notifying local media in two states, providing other general notification and notifying five special offices in three states.
Merchants can minimize or even eliminate those fines by complying with the laws, he says, but if they don't, "they can really add up. In the (2005) ChoicePoint breach, $15 million of their $41 million in costs were from fines. And with the changes in the law since then, the fines would be much more today."
For consumers, Krebs says it doesn't make sense to demand a new card, but simply to monitor their card activity online for any suspicious transactions.
"Consumers are not on the hook for fraud charges, provided they report unauthorized activity. Having to deal with a new card can be disruptive and time consuming," Krebs says.