Mega-payment breaches may be quieting, but protecting cardholder data remains a challenge. Dan Kaplan reports.
Don't look now, but despite 2011 delivering an unending beatdown of headline-grabbing breaches, one type of data-leakage incident has been noticeably absent from the pile.
It wasn't too long ago that attacks on companies such as TJX, Heartland Payment Systems and Hannaford Bros. personified the hacker threat. The compromises resulted in the theft of hundreds of millions of credit card numbers and led to a significant amount of real-world fraud. CEOs apologized, customers sued and pundits disparaged. But another consequence also took shape: Many retailers appeared to get better at protecting cardholder data.
So, this year, as well-known organizations like Sony, Lockheed Martin, Epsilon and the CIA fell like tree branches in the path of a hurricane, brand-name retailers largely avoided the wrath of digital adversaries. Bob Russo, general manager of the Payment Card Industry Security Standards Council, praised the payment security guidelines that his organization manages.
“In my opinion, it is a signal that it is working,” Russo says. “The big fraud that you read about in the papers, the one that has the biggest impact, certainly is not there anymore. [The criminals] have moved along to other things.”
There is reason to believe Russo's hunch might be correct. According to Visa, 97 percent of the largest U.S. merchants, the 377 retailers that process greater than six million transactions per year, have validated compliance with the Payment Card Industry Data Security Standard (PCI DSS). Ninety-six of the 881 businesses that process between one and six million transactions also have attested to the rules.
“The days of somebody being able to do a real quick SQL injection and gain boatloads of data for most level-one merchants, I think those days are over,” says Jeff Hall, a PCI security assessor, who also writes the blog PCIGuru.com. “For the most part, organizations have encrypted the data, truncated it or recognized they don't need it anymore.”
Of course, PCI compliance doesn't guarantee security. Experts like to point out that maintaining compliance at all times is a difficult proposition. Validation is merely a snapshot in time, whereas true compliance is something that technically exists over time. But the numbers at least say something: Organizations have never taken PCI DSS more seriously than they do right now.
“I think for most large merchants, PCI is, at worst, a necessary evil and, at best, just a good thing that they went through to clean their act up,” Hall says.
Hall, though, admits he is mostly referencing the big gunners, whom Visa says have only reached “moderate” levels of PCI compliance. And according to Verizon's “2011 Data Breach Investigations Report,” the smaller fish may provide the best targets these days.