EPX

In this multi-part article, EPX Chief Security Office Matt Ornce comments on the payments security happenings of 2009 and looks forward to 2010.

Evolving Pragmatic Approaches to Payments Security – Part 2 of 2

What’s In Store for 2010 and Beyond

The key payment security events discussed above offer some direction for trends that are likely to continue into 2010 and indicate new areas that will gain prominence.

The well-publicized and continuous stream of data breaches that came to light in 2009 has forced merchants, solution providers, standards organizations, and the card brands themselves to begin taking a more pragmatic approach to payment security. Beyond the actual costs associated with fines, lawsuits, card replacements, and security upgrades, merchants are learning that damaged reputations, negative publicity, and loss of business also have deep and sometimes unsurvivable bottom-line impacts.

A growing recognition of these potential data breach costs has led merchants to challenge the status quo of slowly developing regulations and conventional technologies that together have not been enough to stem the data breach tide. As a result, increasing numbers of merchants are seeking new solutions that materially protect their data.

Increased Focus on Smaller Merchant Compliance

While the number of credit card numbers breached per month has generally been trending down in 2009, there’s no reason to suggest that the total number of breaches will subside any time soon. As larger entities have shored up their defenses, increasingly smaller entities are being directly targeted.

PCI compliance is required for all entities that store, process or transmit cardholder data, and regulatory and risk awareness continues to grow and roll downhill to smaller merchants, who, according to Visa statistics, make up 99% of the merchant base and account for roughly one-third of all transactions. Current PCI compliance deadlines, fines, and threats of loss of processing privileges focus on Level 1 and 2 merchants, but it’s natural to assume that the smaller Level 3 and 4 merchants are next. Several acquirers have already begun to fine their noncompliant Level 3 and 4 merchants in an effort to push them into compliance.

Increased Legislative Threats

Is 2010 the year for state level breach notification laws to be aggregated into federal law? Probably not, but it’s coming, and might actually be a welcome piece of legislation for those organizations who unfortunately need to struggle with the 46 different state laws. Such legislation could also help streamline the current time-sensitive notification process.

Beyond the financial fraud perpetrated for personal gain, the use of breached cardholder data as a funding source for terrorist activities has been clearly established by the Criminal Division of the Department of Justice, the FBI, the U.S. Secret Service and others, providing a clear impetus for federal regulation of cardholder data security.

Continued Challenges to PCI DSS

The PCI DSS will continue to see its share of challenges. As threats continue to evolve and new technologies surpass the standard’s effectiveness, the PCI DSS’s ability to keep pace will be questioned. Certainly, it’s a delicate balance between deploying new standards faster than the market can bear, and reacting slower than the threats evolve.

New technologies and new threats will always be ahead of the pace of regulation. The PCI Council’s investigation into technologies that help merchants achieve compliance and protect the payment system is certainly encouraging, but the codified results of the PWC study may not be seen for another 12 to 24 months. Meanwhile, the market will inevitably continue to evolve, maturing existing technologies and developing new. The council needs to find the means to distribute guidance faster, even if it’s through the use of best practice bulletins, like Visa’s, that can be issued quickly and eventually adopted into the DSS as requirements.

Until standards for the new technologies are sanctioned, there will be a greater reliance on merchants and QSAs to understand the differences in implementations and their implications on cardholder data security.

Mainstream Acceptance of New Technologies Currently Outside of PCI

With increased security risks and pressure to comply with PCI, merchants will flock to solutions that remove cardholder data from their environments in even greater numbers in 2010. Even though many of the technologies have existed for years, they were considered fringe players until only recently. Compounding the issue, especially with tokenization, has been a flood of new vendors to the space, which has created an impression that the entire field is populated with products that are only months old.

While planned product announcements by larger industry players like First Data, RSA, Hypercom and others may help legitimize these technologies, announcements won’t help merchants against current threats or regulation. Merchants will continue to seek the vendors already in the space and will now be able to gauge them by the guidance provided in the PWC Technology Review and Visa DFE-BP. The Visa DFE-BP especially helps merchants make more informed decisions about tokenization and E2E. Early adopters have already seen the benefits of each of the aforementioned technologies in reducing PCI DSS scope and improving cardholder data security.

Combining Technologies

The preliminary PWC findings suggest that E2E and tokenization can each reduce PCI scope when they are implemented independently of each other, and Visa’s best practices illustrate that they can be combined to even greater effect. As individual technologies become more mainstream, merchants will recognize even greater cardholder data protection from the hybrid solutions.

End-to-end encryption and tokenization are complementary technologies that provide protection for a different part of the transaction, as hinted at in the Visa DFE-BP. E2E, of course, protects the request portion of the POS transaction by encrypting track data from the swipe to the processor. Tokens provided in the response portion of the transaction provide protection “for business processes that requires the primary account number to be utilized after authorization, such as processing of recurring payments, customer loyalty programs or fraud management.” Used together, merchants dramatically reduce their risk without necessarily impacting their customers’ checkout experiences.

In ecommerce, outsourcing the page that takes cardholder data, in combination with using tokens, is another way technologies can be combined for even greater security. Merchants will reduce risk and PCI scope by eliminating card numbers in their processing systems with cardholder data being taken directly from the consumer and given directly to the PCI-compliant outsourced provider. Depending on the solution, they may still be able to maintain full control over their customer’s checkout experience without taking cardholder data.

Clarification of Technologies

The Visa DFE-BP provides an excellent starting point for best practices regarding E2E and tokenization implementations, but the PCI Council does not currently plan on providing definitive guidance on the topic until late 2010. To assist the PCI Council in establishing guidelines, I have submitted the following points as minimum goals for E2E and tokenization deployments:

• New methodologies must be vetted for security and practicality, which can take years to certify. However, the reapplication of existing standards, such as TDES and DUKPT, is a legitimate strategy to reduce or eliminate this delay.
• Encryption must start at the swipe reader. Anything beyond that point opens an area of vulnerability for the merchant.
• The endpoint, from the merchant’s perspective, must be at least the next upstream provider. The farther upstream the data can stay encrypted, the better it is for the security of the entire payment industry. At the very least, the data should be kept out of plaintext at the merchant’s location.
• Merchants cannot have access to E2E encryption keys. Granting them access to the keys would defeat the purpose and value of encryption within the merchant environment and would throw PCI key management requirements back to the merchant.
• Tokens should have no relationship to the card numbers they protect so that they cannot be reverse engineered. (Format-preserving encryption is in this category, and should therefore be avoided.)
• Merchants should allow providers to generate tokens. If tokens are generated in-house, then corresponding card data must also be kept in-house, which defeats much of the merchant benefit of tokenization. In such a scenario, merchants are still responsible for data protection and liable for data loss. They would see no regulatory relief or PCI scope reduction.

Conclusion

While the influential payment security events of 2009 have caused some instability and uncertainty in the payments industry, we need to view the events and the lessons learned from them as opportunities for solution providers to further define and shape the industry in 2010.

Discussions of best practices and PCI DSS revisions are constructive, but it’s not enough to merely talk about change. The marketplace needs solutions today. It is incumbent upon us to offer our support and guidance to the PCI Council and card organizations with hopes that we can bring about positive change in the near term.

Likewise, in 2010 we will see the true innovators in payment security continue to deliver powerful and proven solutions to the marketplace, while the announcements of planned products get lost in the shuffle. As merchants continue to gain knowledge about data breach risks and PCI compliance, they will become savvy in recognizing technologies that are nothing more than promises or vaporware, and they will move toward accepting solutions from providers with proven track records.

MATT ORNCE is the CSO of Electronic Payment Exchange, and has more than 20 years experience in IT, payments and security.