Posts Tagged ‘Data Breach Notification Act’

BJs, Heartland Got Off the Hook Legally, but Lost in the Court of Public Opinion

Tuesday, December 22nd, 2009

By: Chuck Crawford

On December 11, the Massachusetts Supreme Court dismissed a class action suit by dozens of credit unions against BJ’s Wholesale Club.  BJ’s, based in Framingham, MA, has more than 8 million consumer shopping club members.  The plaintiffs were claiming substantial damages after more than 8 million of its credit cardholder records were compromised in 2004. They maintained that BJ’s was negligent in not adequately safeguarding customer credit card data.

Two weeks before the BJ’s decision, a New Jersey district court judge summarily dismissed a class action suit by shareholders and others against Heartland Payment Systems, Inc.  Heartland is a NYSE-listed provider of merchant credit card processing that had as many as 130 million credit card records compromised in late 2008 – making the incident the largest credit card data breach in history.  The complaint claimed that Heartland had publicly misrepresented the level of its data security diligence leading up to the incident and should have done more to prevent the exposure of data.

The dismissals appear to be based largely upon narrow legal arguments, such as whether the plaintiffs had proper standing to bring such an action, and whether tangible damages could be proven.  In both decisions the courts concluded that, despite their loss of data, the companies had not publicly misrepresented their level of diligence in protecting cardholder data entrusted to them.

While the courts’ actions were decisive legal victories, and set precedents in the tort community foretelling that such class actions claiming extraordinary damages from breaches might not be so easy to prove in the future, otherwise the litigations were somewhat anticlimactic and beside the point.

In the higher court of public opinion, BJ’s and Heartland, TJX, Hannaford Brothers Supermarkets and the dozen other major credit card breach targets of the past decade already had been sentenced to a lost measure of hard-earned brand reputation from the moment their breaches were disclosed.  The degree to which the public trust dissipates when there is a breach varies depending upon the size of the breach, the nature of the business and the deftness of each company’s response to the crisis. Are these companies cast as victims of a crime, or – by lax security misfeasance – unwitting accomplices?

A company’s reputation has a value far beyond quantitative dollar damages.  That is why, especially, merchants that trade on trust, such as insurance companies, banks, lenders and other payment services, are often looking beyond the arguable validation of safety that comes with Payment Card Industry Data Security Standards compliance. Instead, they are more concerned about finding a virtually fool-proof way to prevent a data compromise, whether or not that goes beyond the PCI guidelines.

As long as cardholder data remains in the merchant’s systems in any form, encrypted or not, there is some chance of accidental or malicious data compromise, especially when the data, or the decryption keys to the data, are “in motion” traveling between servers, databases and parties.

On the other hand, tokenization, like EPX’s patent-pending BuyerWall™ suite of card data replacement code technologies, offers merchants as close to absolute reputation protection as is possible today.  With BuyerWall, at-risk card numbers never reside in a merchant’s IT systems in the first place; there is nothing of value to be lost or stolen.  At-risk cardholder data is substituted with BuyerWall “BRIC” transaction reference codes (sometimes referred to as “tokens”). BRICs are safer than encryption because i) they are not derived from credit card numbers and ii) the original data is not kept in the merchant’s environment. The sensitive card data is vaulted safely in EPX’s ultra-secure environment – subject to the most rigorous PCI external auditing and other requirements.

As it happens, elimination of card data through tokenization also greatly simplifies PCI compliance and remediation by taking most of a merchant’s card data topography effectively ‘out of scope.’  But, for the many merchants focused on brand risk more than arbitrary rules or security costs, it is the near certainty of data security that can come with the absence of card data that gives C-level executives and directors one less surprise to worry about at night.

In Search Of A Quick Fix For Cardholder Data Security, Merchants Need Not Look So Far

Friday, December 18th, 2009

By: Charles Crawford

In a by-lined piece published in cio.com, well-respected security expert and author Ben Rothke wrote “…people don’t want to invest in long-term security plans. They want their security band-aid now, despite the fact they have never built security into their designs or processes.”  He went on to praise the PCI Security Council’s vision: “The genius of the PCI DSS (and when PCI is compared to regulations such as SoX and GLBA, genius is indeed an appropriate term) is that it has sensible concepts such as an open formal feedback process, trend analysis, impact evaluation, guidance and much more built into the very fabric of the standard.”

I find myself usually agreeing with Rothke’s well-reasoned perspectives.  Indeed, it is especially easy to agree that businesses should have a culture that promotes holistic security, must not consider compliance an end unto itself, and that the processes of security must evolve ahead of the threats.

Where I take issue with Rothke’s article, “PCI Debate Ignores Planned Improvement Cycle,” is in the apparent limitation of his perspective to traditional security remediation solutions.  If the path to sufficient cardholder data security certainty can be achieved only through ratcheted, ever-more-effective and pervasive layers of encryption, firewalling, intrusion prevention and other hardening, then I suppose Rothke’s point is well taken, albeit worrisome. What follows logically is that merchants should “man up” and embrace a future of never-ending “improvement cycles” that require lots of money, effort, time and discipline (notably external discipline) in their quixotic journey toward “breach-proof” data.

What is taken too lightly is the role innovation already is playing.  Less costly and pragmatic ways of avoiding data compromise are fast gaining acceptance as viable alternatives among recession-weary merchants.

The PCI Council got it right when they set as milestone #1 of their Prioritized Approach to Pursue Standard Compliance: “Remove sensitive authentication data and limit data retention.” EPX, for one, provides merchants a pre-emptive solution with exactly that purpose: total elimination of cardholder data from merchant systems so that it can’t be lost or stolen.

Conventional thinking is for merchants to use a matrix of remedial techniques, gambling that the data they hold will be so perfectly sequestered and disguised that it might not get compromised – at least, if everything works as planned and criminals don’t get any more clever.

EPX, on the other hand, concluded that the surest way to avoid data loss is for the merchant never to have the data in the first place. Instead of keeping card data, EPX merchants operate normally using GUID transaction reference codes called BRICs.  BRICs are used as card numbers would otherwise be, for transaction receipts, customer service returns, refunds, chargeback responses, follow-on purchases and all other operational and financial purposes.  BRICs are not encryptions and are not derived from credit card numbers, and therefore have no street value if lost or stolen from the merchant.
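As an added illustration of the token-vault split that both of the posts above describe (this is constructed example code, not EPX’s BuyerWall or any EPX code): the processor-side vault keeps the card number and hands the merchant a random UUID reference; the merchant records the sale, issues a refund and reconciles using only that reference; and a Luhn-based scan of the merchant’s stored records confirms they contain no card-number-like values, which is the kind of check a PCI scoping review would run. The class and method names, the vault’s in-memory dictionary and the 4111111111111111 test card number are all assumptions made for the example.

```python
"""Token-vault model: the merchant holds only random reference tokens; the
processor-side vault holds the card number (PAN). Constructed example."""
from __future__ import annotations

import json
import re
import uuid


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check used to recognise plausible card numbers (13-19 digits)."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


class TokenVault:
    """Stands in for the processor-side vault (assumed: an in-memory dict)."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Store the PAN and return a random token that carries no PAN information."""
        if not luhn_valid(pan):
            raise ValueError("not a plausible card number")
        token = str(uuid.uuid4())   # random, not derived from the PAN; a new token per call
        self._pan_by_token[token] = pan
        return token

    def settle(self, token: str, amount_cents: int) -> dict:
        """Charge (positive) or refund (negative) against the vaulted card.
        Only the vault ever touches the PAN; the merchant gets back last4 at most."""
        pan = self._pan_by_token[token]  # KeyError for a token the vault never issued
        return {"token": token, "amount_cents": amount_cents,
                "card_last4": pan[-4:], "approved": True}


class MerchantLedger:
    """Merchant-side records: tokens, amounts and last4 only, never the PAN."""

    def __init__(self, vault: TokenVault) -> None:
        self.vault = vault
        self.entries: list[dict] = []

    def sale(self, pan: str, amount_cents: int) -> str:
        # The PAN is captured at checkout and passed straight to the vault;
        # nothing below this line keeps a copy of it.
        token = self.vault.tokenize(pan)
        result = self.vault.settle(token, amount_cents)
        self.entries.append({"type": "sale", "token": token,
                             "amount_cents": amount_cents, "last4": result["card_last4"]})
        return token

    def refund(self, token: str, amount_cents: int) -> dict:
        """Refund a prior sale using the token alone, as the post says BRICs are used."""
        result = self.vault.settle(token, -amount_cents)
        self.entries.append({"type": "refund", "token": token,
                             "amount_cents": -amount_cents, "last4": result["card_last4"]})
        return result

    def dump(self) -> str:
        """What a dump of the merchant's database would contain."""
        return json.dumps(self.entries)


# 13-19 digit runs not adjacent to other digits; candidates for card numbers.
_DIGIT_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_pans(text: str) -> list[str]:
    """Scan text (DB dumps, logs) for Luhn-valid card-number-like digit runs.
    An empty result on the merchant's dump is the 'nothing of value to steal' property."""
    return [m for m in _DIGIT_RUN.findall(text) if luhn_valid(m)]


if __name__ == "__main__":
    vault = TokenVault()
    ledger = MerchantLedger(vault)
    t = ledger.sale("4111111111111111", 2599)   # constructed test card number
    ledger.refund(t, 2599)
    print("merchant dump:", ledger.dump())
    print("card numbers found in merchant storage:", find_pans(ledger.dump()))
```

Because a UUID is issued per call, the same card tokenized twice yields unrelated tokens, so the merchant’s data reveals nothing about the card even across transactions; the same scan run over a record such as `card=4111111111111111` flags it immediately, which is the difference between in-scope and out-of-scope storage.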

For EPX, tokenization comes as no band-wagon initiative like we now are seeing from Paymentech, First Data and others. In fact, EPX started routinely processing with “replacement value codes” in 2001 …three years before the first PCI Standards were published.  Our processes evolved over the years into the comprehensive, patent-pending suite of cardholder data security technologies we now call BuyerWall™.

As the Council and many others have said, there is no “silver bullet,” no single solution – not even tokenization.  We make no claim that EPX BRICs are such.  Yet, properly constructed and managed tokenization also is no “band-aid” of the kind Rothke so wisely mocks. When the card numbers are gone, they’re gone. There’s not much left for the merchant to safeguard. And, once implemented, EPX requires no extraordinary “improvement cycles” or investments to maintain the security of the data.  In fact, security of the data becomes a responsibility for which EPX is well prepared, since, as a processor, we have always had to take special care with data and are subject to the PCI SSC’s most rigorous compliance requirements (Level 1).

Is it so that “people want their…security now”? No doubt about it. But, I say, “why not?” Merchants deserve pragmatic solutions that can achieve an even higher standard of security without costly and cumbersome techniques that may or may not ultimately prove effective enough.

Rothke says there is genius in the PCI’s process of ever-evolving standards.  I think the real genius of the Council is its professed technologic agnosticism which, generally, is supposed to allow merchants to achieve card data security with whatever technology and processes work best for them.  In that spirit, merchants have more to choose from than Rothke seemed to acknowledge.

—————————–

Charles Crawford is EVP of Strategic Development for EPX.


[1] http://www.cio.com/article/495093/PCI_Debate_Ignores_Planned_Improvement_Cycle?taxonomyId=3000; June 2009

Welcome Data Breach Legislation in the Works

Tuesday, November 10th, 2009

In an upcoming article for a major trade magazine related to payment security, EPX COO and Chief Security Officer Matt Ornce makes some predictions about increased legislation for the payment card industry in 2010.

Ornce asks if 2010 is the year for state level breach notification laws to be aggregated into federal law. He says that there could be some welcome legislation for those organizations that unfortunately need to struggle with the 46 different state laws. Such legislation could also help streamline the time-sensitive notification process for breached entities. Beyond the financial fraud perpetrated for personal gain, the use of breached cardholder data as a funding source for terrorist activities has been clearly established by the Criminal Division of the Department of Justice, the FBI, the U.S. Secret Service and others, providing a clear impetus for federal regulation of cardholder data security.

It seems that Ornce’s prognostications are coming true.

Recently, the U.S. Senate Judiciary Committee approved two bills (the Personal Data Privacy and Security Act and the Data Breach Notification Act) that require organizations that suffer data breaches to report them to potential victims.

The Data Breach Notification Act would require U.S. agencies and businesses involved in interstate commerce to report data breaches to victims whose personal information “has been, or is reasonably believed to have been, accessed, or acquired.” The bill also requires businesses to report large data breaches to the U.S. Secret Service.

The Personal Data Privacy and Security Act would also require that breached organizations give notice to potential victims and authorities. The Act would increase penalties for data theft and provide people the ability to access and correct personal data held by commercial data brokers.

While this legislation doesn’t eliminate the state laws, it’s the first solid step in the direction of replacing those laws with a federal standard.