Reassessing the Value of PCI in the Target Breach Aftermath

Tim Lansdale is the head of payment security at WorldPay. In the aftermath of the Target data breach, Eleanor Dallaway met him over a coffee to talk about the value of PCI and the online payment threat landscape.

“If you’d have audited Target just before the breach, they probably wouldn’t have passed”, said Lansdale, referring to the fact that despite Target being PCI compliant, he believes that its compliance may have unofficially expired. “PCI is like an MOT certificate”, he said, explaining that a company can only be judged on its security posture at a certain moment in time.

Despite this downside of the PCI-DSS, Lansdale is a vocal proponent of it. Indeed, WorldPay is a participating organization of PCI. “It’s always referred to as a minimum, but PCI is actually quite a strong security position”, he said. Despite being an advocate of the standard, though, Lansdale is not incapable of finding fault.

“The language used in the PCI standard is American, formal and technical. The language used is ironically a barrier to compliance for a lot of organizations unable to understand it”, he told Infosecurity. “We’re actually working on a project to re-write the document and use pictures to give to customers.”

Smaller merchants, in particular, he said, are hindered by the language. “They won’t have a CIO or a CISO, so will need the language to be simplified”, he said. “It can cost around 5000 euros to become PCI compliant following a data breach, and the cost of non-compliance is also too large for smaller merchants.”

WorldPay has lobbied Visa Europe to charge small merchants only the cost of breach in the instance of non-compliance. “I don’t think the financial penalties work as a deterrent for small merchants as they’re often not even aware of the fines”, he said.

Medium retailers aren’t immune to the challenges either, Lansdale added. “They may be big enough to have a lot of data but not big enough to have a CISO. There’s a shift in attackers targeting medium retailers as they often get a better return on investment”.

When discussing the cause of the Target breach, Lansdale was unsurprised to find its roots in a supply chain issue. “These breaches are usually to do with remote access and the supply chain”, he said. In the aftermath of the breach, his job has been to “answer the board’s questions, to check software and hardware, patch to protect customers and educate customers about the incident”.

Securing the Point of Sale

Face-to-face transactions continue to be safer than online payments, Lansdale explained, helped greatly by the introduction of Chip & Pin technology. “Europe is in the enviable position that there has been no decent Chip & Pin breach”, he said, “so many of the vulnerabilities we talk about are theoretical.”

When asked why the US has been so slow to adopt the technology – with the majority of retailers still using signature authentication, or none at all for small transactions – Lansdale put it down to cultural differences. “The US places emphasis on ease of payment.” In Europe, he considered, “we’re prepared to jump through hoops for security, whilst tolerance of security practices is lower in the States. Also, let’s not forget that the cost of switching to Chip & Pin is high”.

Lansdale is also a supporter of contactless payments, and uses the technology himself regularly. “The chances of error are so low, it’s very hard to get it wrong”, he said.

The success of Chip & Pin, however, has acted as a catalyst for more crime to move online.

Beware the Concert Ticket or Automotive Trade

Online payment fraud attacks are often the result of “10-year-old SQL injection attacks or incorrect coding”, Lansdale explained to Infosecurity. “It’s very rare to see arrests in this space, and as such there is a lot of slick organized crime”.

Particularly vulnerable sites and sectors include the automotive industry and ticketing agencies. “It’s very hard to secure ticketing agencies due to the quantity of records and the supply chain. The volume of cards exposed is very high and the payment environment is higher risk”. With the automotive industry, he explained, it’s due to the higher ticket value.

Finally, Lansdale was happy to share his tips for shopping online securely:

  • Check the merchant is PCI compliant
  • Consider the look and feel of the website. Are you on the site you think you’re on? Check for incorrect spelling or grammar.
  • Look at the seller reviews
  • Use your credit card, not debit card
  • The use of 3D Secure is a good sign
