Behind the cracks and attacks exposed in the mounting data breaches of the last year, reams of compliance measures and regulatory standards were introduced to keep such disasters from happening in the first place. Even as Home Depot began to own up to one of the largest data breaches in recent memory, the PCI Security Standards Council was meeting to hash out new recommendations that probably wouldn’t have done much to stop that breach. As this council carries clout with security programs connected to everyone from your local lumber seller to nearly ever address on Wall Street, it’s worth taking a look at its new suggestions in the broader data security landscape.
Compliance should never be confused with security. And, in fact, compliance often gives businesses a false sense of security. This is one of the great ironies of information security: Without standards and best-practices, the world would be a very dangerous place. With them, we feel secure when we should not, exposing ourselves to even more attacks.
Part of the council’s September meeting discussions in Orlando, Fla., focused on recently released updates to guidance on skimming, the process of ripping data directly from point-of-sale (POS) machines and infrastructure. For the council, and its hundreds of member organizations -- including the major credit card providers and most retailers -- the updates focused on education at the retailer level. Their report, “Skimming Prevention: Best Practices for Merchants,” speaks to common targets and new attack vectors, including data capture via malware or compromised software, as well as overlay attacks leveraging technological advances in 3D printers and attacks on EMV chip cards. Sounding the alarm on these threats and raising awareness generally among merchants are part of the good work the council does -- but skimming will remain a common attack for years to come.
Security beyond standards
Encryption is only one aspect of data protection. Enterprises must also understand where data originates and ensure that it is not altered in any way. In the years ahead, authentication, non-repudiation, and integrity advocacy through digital signing would be a big step forward if accepted by the PCI Council and introduced to its international members.
We recently guided a customer beyond PCI by instituting unique data integrity steps. This customer had an issue with “runaway encryption,” a downside of security where employees are encrypting data with keys that have no corresponding master key to “unlock” information. Even with runaway user encryption, this same customer satisfied PCI compliance for the way it shared credit card info. But it knew -- after it was burned by one rogue employee -- how crucial it is to maintain authentication, non-repudiation, and integrity of information as it is shared within, and outside of, its security measures.
Layers above and beyond
Information security is tough. The fallout from a breach or security lapse can threaten companies and end careers. Thus, for many of today’s enterprises, security investments are often viewed as “insurance” rather than vital ingredients of business growth and success. However, the tide is changing, and we owe that to the growing number of high-profile business leaders challenging the industry to continually bring their security strategies to a higher level.
Take, for example, Robert Carr, the CEO of Heartland Payment Systems, one of the first private companies to have its data breach trotted out in front of the public. Since that dirty laundry moment, Heartland is now one of the most vocal companies at the leading edge of information security. Carr is among a growing pool of executives pushing for layered security measures, including end-to-end encryption, multi-factor authentication (MFA), and tokenization. Security-conscious European firms are years ahead of their US counterparts with measures such as EMV chips, something PCI and retailers have been slow to adopt (or, in Target’s case, pushed to take on as a show of strength to its customer base and from its new CEO).
What security isn’t
There is nothing to gain in removing the guidelines put forth by the PCI Council. Without the council's efforts to push for a modicum of uniform protection, an industry that reaches into every business and wallet in America would find itself in much worse shape. It has a great opportunity at coming meetings in South Africa and Australia to reflect on its standards in the wake of a year of security mistakes, attacks, and leaks connected to the industry. Now it’s time to stop pretending security is a child’s game, something made easy enough for everyone to win.
As attacks increase and expand in velocity, it’s important to move the bar toward stronger security of information. To get there, we’ll need a better baseline from PCI and other standards bodies to lay out specifics to companies that are unjustly expected to be security pros when they are, at heart, fantastic bankers, lenders, retailers, manufacturers, etc. Advocating for full, end-to-end encryption connected to MFA would be an ideal start. PCI could take a hint from the International Architecture Board, a web standards leader, which has just announced that developers should set programming defaults to promote secure functionality. Among its constituents, PCI could push for pen testing to highlight security holes, especially from lingering or unpatched software, to help members find continually emerging bugs and issues. For businesses and governments, it’s time to realize compliance keeps you safe from the auditor -- but not from everyone else threatening your customers.
Joe Sturonas, a 25-year veteran of the commercial software industry, is responsible for product development at PKWARE, including software engineering, documentation, quality assurance and technical support. Sturonas has exuberantly worked with companies and government ... View Full Bio