When reports emerged late last week to suggest that one of the largest processors of Visa and Mastercard transactions had suffered a data breach, cardholders immediately assumed the worst. As Global Payments officials have come forward to tell their side of the story, it appears as though the company and its clients have likely sidestepped disaster thanks to intelligent network monitoring and swift intervention. But even as the firm must be commended for its prevention and resolution strategies, the incident has raised larger questions as to whether simply complying with the letter of the law is enough to adequately protect consumer data.
According to Global Payments, IT administrators were first alerted to the anomalous network behavior in early March. When security teams determined that credit card data may have been illegally accessed, the company immediately enacted prescribed protocol by self-reporting the breach to federal authorities and engaging with third-party computer forensic experts. Clients were then notified of the incident so they could minimize the resultant impact on their cardholders.
“It is reassuring that our security processes detected an intrusion,” Global Payments chairman Paul Garcia noted. “It is crucial to understand that this incident does not involve our merchants or their relationships with their customers.”
As the investigation continued, company officials announced that the breach was confined to North America and fewer than 1.5 million cards could potentially be affected. While that is still a staggering figure, according to Forbes, it is just a small sample of the nearly 1 billion credit cards in circulation in the region – much less the world. Customers were also buoyed by the news that cardholder names, addresses and Social Security numbers were not obtained by criminals, and continuous network monitoring has suggested that the threat has been contained.
“We are making rapid progress toward bringing this issue to a close,” Garcia added earlier this week. “Our nearly 4,000 employees around the world are focused on providing exceptional service. We are open for business and continue to process transactions for all of the card brands.”
In an age where cybercriminals need just a few minutes or even seconds to gather sensitive information or plant traps behind enemy lines, the company’s network monitoring and data security protections stood up to the challenge and may have prevented untold damage. Officials can also be commended for retaining transparency and seeking outside assistance to deal with a delicate internal matter. But while Global Payments is understandably eager to move beyond the controversy and continue business as usual, there are a few chapters left to write in this story.
For one, not everyone is impressed by the payment processor’s handling of the matter. Visa has since responded by removing Global Payments from its list of trusted Payment Card Industry Data Security Standard (PCI DSS) compliant service providers and requested that the company revalidate its prior credentials. As a result, CSO managing editor and at-risk cardholder Bill Brenner is one of many questioning the merits of the PCI compliance certification process.
“How on Earth were they designated PCI-compliant in the first place? What were the specific actions they took to improve security and how did they allow those safeguards to fail?” Brenner wrote. “How rigorous was the auditing process? Did the [investigators] put the processor through the wringer, or did they just casually saunter in, check off some boxes and move on to the next customer?”
While Brenner’s take on the matter may be a bit reactionary and hyperbolic – especially in light of the strides made by PCI DSS stakeholders in recent years and the amount of attention that was surely paid to a massive, multinational financial service provider – it does draw attention to the fact that compliance does not necessarily equate to security.
In a related Technorati article, former IT industry executive and compliance auditor Michael Peters drew back the curtain on the PCI DSS. Regulations mandate that any company that processes more than 6 million credit card transactions annually must independently hire auditors to review its operations. But in his experience, Peters found that the honesty, integrity and competence of qualified security assessors (QSAs) was “extremely subjective.”
“I can tell you with a straight face that I’ve never worked with a QSA who didn’t miss something crucial in their examinations, yet the client company receives a clean bill of health,” Peters wrote. “Most of these client companies are trying to do the best they can; after all, it is their business and reputation on the line.”
Peters went on to plainly state that the PCI has at times bent to the pressure of business convenience and failed to evolve more progressive standards. For example, it is still acceptable to use a form of “antiquated encryption” that was proven vulnerable years ago. Such concrete examples give additional weight to the theory that inherently slower, more deliberate regulatory proceedings are simply not qualified to be the sole protector of consumer information in the current threat climate.
For instance, while some merchants are still struggling to achieve PCI compliance for the first time, data security insiders like Dark Reading’s Ericka Chickowski are already speculating on high-level issues such as the progression beyond the knowledge-based authentication and magnetic stripe technology underlying all credit card transactions.
In the wake of the Global Payments breach, conversations in the security community have converged at the issue of authentication on either side of financial transactions. What’s more, there have been murmurs that the Global Payments incident could be connected to a larger plot.
In an interview with Chickowski, Gartner Research vice president Avivah Litan explained that confidential industry sources claim that “a Central American gang broke into the company’s system by answering the application’s knowledge-based authentication questions correctly.” There is also circumstantial evidence to suggest the events are related to a “yet-to-be-disclosed breach” of a New York City taxicab company.
As these and other international plots put consumer data in the crosshairs every day, it becomes even clearer that any one, static piece of regulation can only, at best, serve as the starting point in data protection strategies.
Security News from SimplySecurity.com by Trend Micro