Mega-payment breaches may be quieting, but protecting cardholder data remains a challenge. Dan Kaplan reports.
Don't look now, but despite 2011 delivering an unending beatdown of headline-grabbing breaches, one type of data-leakage incident has been noticeably absent from the pile.
It wasn't too long ago that attacks on companies such as TJX, Heartland Payment Systems and Hannaford Bros. personified the hacker threat. The compromises resulted in the theft of hundreds of millions of credit card numbers and led to a significant amount of real-world fraud. CEOs apologized, customers sued and pundits disparaged. But another consequence also took shape: Many retailers appeared to get better at protecting cardholder data.
So, this year, as well-known organizations like Sony, Lockheed Martin, Epsilon and the CIA fell like tree branches in the path of a hurricane, brand-name retailers largely avoided the wrath of digital adversaries. Bob Russo, general manager of the Payment Card Industry Security Standards Council, praised the payment security guidelines that his organization manages.
“In my opinion, it is a signal that it is working,” Russo says. “The big fraud that you read about in the papers, the one that has the biggest impact, certainly is not there anymore. [The criminals] have moved along to other things.”
There is reason to believe Russo's hunch might be correct. According to Visa, 97 percent of the largest U.S. merchants, the 377 retailers that process more than six million transactions per year, have validated compliance with the Payment Card Industry Data Security Standard (PCI DSS). Ninety-six of the 881 businesses that process between one and six million transactions also have attested to the rules.
“The days of somebody being able to do a real quick SQL injection and gain boatloads of data for most level-one merchants, I think those days are over,” says Jeff Hall, a PCI security assessor, who also writes the blog PCIGuru.com. “For the most part, organizations have encrypted the data, truncated it or recognized they don't need it anymore.”
Of course, PCI compliance doesn't guarantee security. Experts like to point out that maintaining compliance at all times is a difficult proposition. Validation is merely a snapshot in time, whereas true compliance is something that technically exists over time. But the numbers at least say something: Organizations have never taken PCI DSS more seriously than they do right now.
“I think for most large merchants, PCI is, at worst, a necessary evil and, at best, just a good thing that they went through to clean their act up,” Hall says.
Hall, though, admits he is mostly referencing the big gunners, who Visa says have only reached “moderate” levels of PCI compliance. And according to Verizon's “2011 Data Breach Investigations Report,” the smaller fish may provide the best targets these days.
“The report notes there are several possible reasons for this trend, including the fact that small- to medium-sized businesses represent prime attack targets for many hackers, who favor highly automated, repeatable attacks against these more vulnerable targets, possibly because criminals are opting to play it safe in light of recent arrests and prosecutions of high-profile hackers,” according to Verizon.
Or when it specifically comes to stealing credit card numbers, the attackers may be finding it harder to get to the giant stashes. Much of the criticism dealt the PCI standard has been that it is all about passing an audit and not achieving a continuous level of security. While that is not necessarily the case – the standard lists tasks that need to always be done, not just in advance of an audit – a number of technologies have emerged that may reduce the scope of compliance because they significantly diminish the presence of card data.
A Gartner survey of 77 retailers completed earlier this year found that more than half are using or expect to use tokenization (when a card number is replaced by a unique identifier) or end-to-end encryption (when data is cloaked between the source and the recipient). But the technology that may gain the most adoption is EMV, commonly referred to as chip-and-PIN.
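As an added illustration, not taken from the article or from any vendor's product, of how tokenization and truncation shrink the cardholder-data footprint that Hall and the Gartner survey describe: only the vault component ever holds full card numbers, while every downstream system keeps a random token plus a truncated form of the kind PCI DSS permits for display. The card number is a constructed test value and the class and function names are assumptions.

```python
import secrets
from dataclasses import dataclass, field

# Added example: a minimal token vault. The PAN used in tests is a constructed
# test number, not a real card.

def luhn_valid(pan: str) -> bool:
    """Reject malformed PANs via the Luhn check digit before tokenizing."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def truncate_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; mask the middle."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

@dataclass
class TokenVault:
    """The only component that sees full PANs; it is the in-scope system."""
    _store: dict = field(default_factory=dict)

    def tokenize(self, pan: str) -> str:
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        # A random token carries no information about the PAN, unlike a
        # deterministic hash, so leaking it does not leak card data.
        token = "tok_" + secrets.token_hex(16)
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (e.g. at settlement time) may map a token back."""
        return self._store[token]

def downstream_record(vault: TokenVault, pan: str) -> dict:
    """What an orders database or analytics store is allowed to retain."""
    return {"token": vault.tokenize(pan), "display": truncate_pan(pan)}
```

Systems that hold only the token and the truncated display string never store a full PAN, which is what lets them fall outside the PCI DSS cardholder data environment.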
For one, an international standard for EMV already exists. But more significant, Visa offered a serious boost in August when it announced an incentive plan for merchants to migrate their terminals to accept EMV contact and contactless chip payments.
Under Visa's Technology Innovation Program (TIP), which takes effect Oct. 1, any merchant required to annually validate its compliance with PCI DSS is off the hook if it can show that at least 75 percent of its transactions originate from chip-enabled terminals. A number of analysts believe the other major card brands soon will sign on with similar initiatives.
“We want to reduce the burden, the risk and the need to protect static data in the payment system,” says Eduardo Perez, who leads the Global Payment System Security group at Visa.
But he reiterates that the card acceptors must remain PCI compliant, in addition to not storing card track data and PINs. Issuing banks, meanwhile, are lured to provide customers with chip cards thanks to a liability shift set to commence Oct. 1, 2015. On this date, under the Visa program, merchants will be responsible for any counterfeit fraud, which occurs when criminals are able to create duplicate cards by “skimming” the data found in the magnetic stripe. In the past, banks largely absorbed the costs associated with this type of fraud.
EMV technology effectively replaces the need for a magnetic stripe because a microchip is embedded into the card, corresponds to a PIN, and is virtually impossible to clone. The U.K. has had great success with EMV, and this year, the U.K. Cards Association reported that credit card fraud fell 17 percent to $592 million, the lowest level in a decade.
Of course, criminals won't stand idly by as security improves. Instead, the fraud will migrate to another channel, such as card-not-present transactions conducted over the web, which EMV can't protect against, say experts.
And given the challenges crooks are running up against with measures such as tokenization and point-to-point encryption, they also are scurrying to find new and effective ways to steal the card numbers in the first place. One area of growing concern is skimming. According to the Verizon report, physical attacks in which credit card devices, such as ATMs and point-of-sale terminals, are manipulated to capture the card number as the card is swiped doubled again in 2010, after also doubling the previous year.
“Now the endpoints become the target because in between the data stream becomes encrypted,” Hall says. “You have to gather the cardholder data at the start of the process, which means you have to doctor the terminal.”
The craft-store chain Michaels was a victim of arguably the most notable retail breach this year, not because of a vulnerable wireless connection or flawed website, but because thieves were able to implant skimming devices on terminals in 80 stores across 20 states. Incidents such as this, according to experts, not only raise concerns of on-premise terminal manipulation, but also the possibility that tampering might occur somewhere along the supply chain.
Russo points to the PCI Council's Payment Application Data Security Standard (PA-DSS) and PIN-Entry Device (PED) benchmarks, which provide best practices to protect against skimming. The council also offers a list of trusted hardware and software providers.
In the end, no defense is unbreakable, Russo insists. That's why organizations must continue to follow all of the guidelines the council dispenses. While organizations are getting a better handle on technologies like encryption, they're still falling short in other areas, including patch management and network segmentation, according to Gartner. In fact, Visa says, most merchant breaches reported in 2010 involved card data outside of the payment network environment. Such a scenario adds weight to Russo's message.
“There are no silver bullets,” he says. “The more layers you could put on, the better off you're going to be.”
Mobile payments: Empower merchants
While a push by Visa to spread adoption of chip technology could lead to increased levels of security and fewer compliance headaches for merchants, the world's leading card brand isn't being entirely selfless.
Visa hopes its newly announced Technology Innovation Program (TIP) will give a shot in the arm to mobile payments, considered its next-generation business model.
“Their motivation has always been to make sure Visa was in the front slot of your wallet,” says Tony Bates, president and CFO of San Jose, Calif.-based PSC, a payment compliance assessor and scanning vendor. “If people want to pay using their mobile phone, Visa is going to be there too, trying to do it as securely as possible.”
Analyst firms place the value of the mobile payment market this year at an estimated $240 billion. Much of the value, which includes both purchases conducted over the mobile web and also payments made with a mobile device at a point-of-sale terminal, currently is derived from Europe and Asia-Pacific.
But if the TIP program takes off in the United States, those numbers surely could rise. In January, Starbucks, for example, launched mobile payments in all of its U.S. stores. Customers download a mobile application, which contains a barcode, and they can pay simply by holding their mobile device in front of a countertop scanner.
Sensing that more retailers will adopt such initiatives, the Payment Card Industry Security Standards Council offered an update in June on which types of mobile payment apps meet its requirements. Further guidance is expected.
But, PSC's Bates predicts the card brands will be challenged to change user behavior. “Having just lost my iPad, I'm not sure I want my credit cards on it,” he says. “For a 60-year-old like me, there is nothing wrong with plastic.”
– Dan Kaplan