The Religion Of Payment Security

As my first introductory post here on CSO Online, I thought I would cover a topic I spend a lot of time dealing with and discussing: online payment security and ecommerce. Payment security, in particular PCI, tends to be a controversial and almost religious topic among security professionals. If you ever want to sit back and watch a very spirited debate amongst this crowd, just throw out a comment on PCI, web application firewalls, or vulnerability disclosure on any of your favorite message boards, blogs, Twitter, or other social media and watch the fireworks ensue!

This post is not meant to fuel the arguments around payment security but rather to direct our readers to some of the more constructive initiatives going on in this field. The Payment Card Industry Data Security Standard (PCI DSS) was put in place a few years ago to give merchants and service providers a security standard to protect cardholder data through transmission, storage, and processing. While the standard itself, along with the governance around it, has been at the center of much controversy, most believe it is still a security improvement over the lack of guidance or central standards prior to its publication. The most recent Verizon Data Breach Investigations Report (DBIR), which covers statistics around the breach of 285 million records in 2008, points to common mistakes that often result in breaches. According to the report, a large majority of these breaches occurred amongst organizations that weren't in compliance with the PCI DSS. While I think we could infer that if PCI compliance were more commonplace amongst merchants and service providers it would certainly result in an incremental improvement in payment security, it would NOT eliminate the fundamental problem or root cause of cardholder data breaches.

In order to address the root cause, we need to look at what we are trying to protect and why. Taking a step back and looking at the payment card system, one glaring issue stands out to me: shared secrets. Ultimately, we are taking a small amount of data, such as card account numbers, expiration dates, and issue dates, and creating a very large shared secret. During the life of a card, this secret is shared with hundreds if not thousands of merchants, service providers, and banks. It only takes one amongst those thousands to have a security slip for this data to be breached.

In order to address the fundamental problem, we must remove the value of this data, not rely on traditional security-in-depth measures and hope for the best. Several initiatives under way move in this direction, including methods such as single-use credit cards, one-time PINs, and the like. I recently contributed a chapter to O’Reilly’s Beautiful Security going into much greater detail on these issues, as well as some ideas on how to resolve them, and I encourage our readers here to go check it out.
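To make the shared-secret argument concrete, here is an added illustrative model, written for this post and not describing any real card scheme or issuer protocol. It contrasts a static card number, which is the credential itself and is equally valid at every merchant that ever saw it, with a single-use credential bound to one merchant, one amount, and one use. The account ids, merchant ids, PAN and the HMAC-based token format are all constructed assumptions for the demonstration.

```python
"""Illustrative model: static shared secret (PAN) versus a single-use credential.

Constructed example for this post; not a real card scheme and not any
issuer's protocol. Account ids, merchant ids and the PAN are made up.
"""
import hashlib
import hmac
import secrets


class StaticCardIssuer:
    """Model of today's cards: the PAN is the credential and is shared with
    every merchant the cardholder ever pays. Whoever holds it can charge it."""

    def __init__(self, accounts):
        self.accounts = dict(accounts)  # PAN -> account id

    def authorize(self, pan, merchant_id, amount_cents):
        if pan not in self.accounts:
            return "declined: unknown card"
        # Nothing binds the PAN to a merchant, an amount, or a single use,
        # so a PAN captured at one merchant is just as good at another.
        return "approved"


class SingleUseIssuer:
    """Model of a single-use credential: each token is bound to one merchant,
    one amount and one use. Capturing it after use yields nothing of value."""

    def __init__(self):
        self.key = secrets.token_bytes(32)  # stays with the issuer, never shared
        self.pending = {}  # nonce -> (account, merchant_id, amount_cents)
        self.used = set()

    def _tag(self, nonce, merchant_id, amount_cents):
        # Issuer-keyed MAC over the binding; merchants never see the key
        msg = f"{nonce}|{merchant_id}|{amount_cents}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:16]

    def issue(self, account, merchant_id, amount_cents):
        nonce = secrets.token_hex(8)
        self.pending[nonce] = (account, merchant_id, amount_cents)
        return f"{nonce}.{self._tag(nonce, merchant_id, amount_cents)}"

    def authorize(self, token, merchant_id, amount_cents):
        try:
            nonce, tag = token.split(".", 1)
        except ValueError:
            return "declined: malformed token"
        if nonce in self.used:
            return "declined: token already used"
        if nonce not in self.pending:
            return "declined: unknown token"
        expected = self._tag(nonce, merchant_id, amount_cents)
        if not hmac.compare_digest(expected, tag):
            # Wrong merchant, wrong amount, or a forged tag all land here
            return "declined: token not valid for this merchant/amount"
        self.used.add(nonce)
        del self.pending[nonce]
        return "approved"


def breach_comparison():
    """Merchant A's stored payment records leak; the same data is then
    presented at merchant B. Returns the two issuers' decisions."""
    pan = "4000000000000002"  # constructed, not a real card number
    static = StaticCardIssuer({pan: "acct-1"})
    single = SingleUseIssuer()
    token = single.issue("acct-1", "merchant-A", 1999)
    # Legitimate purchases at merchant A; both records now sit in A's database
    static.authorize(pan, "merchant-A", 1999)
    single.authorize(token, "merchant-A", 1999)
    return {
        "static_pan_reused_at_B": static.authorize(pan, "merchant-B", 50000),
        "used_token_reused_at_B": single.authorize(token, "merchant-B", 50000),
    }


if __name__ == "__main__":
    for case, decision in breach_comparison().items():
        print(f"{case}: {decision}")
```

The point of the model is the asymmetry in what a breach at one merchant is worth: the static PAN approves at merchant B, while the single-use token is declined because it was already consumed, and even an unused token captured in transit would be declined at B because the issuer's MAC binds it to merchant A and the original amount.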

How You Can Help

While some of the shared-secret problems are being worked on, there are other initiatives in place that are moving us more toward a “Security First” mindset (a term I am stealing from Anton Chuvakin). One of these projects is the newly formed OWASP PCI project. We will be spearheading a number of web application security projects that continue to move payment security in a positive direction. Please come join us and contribute to this very important project. I look forward to continuing to elevate the conversation here at CSO Online.

Copyright © 2009 IDG Communications, Inc.
