Credit Card Transactions: Held to a Higher Standard

Nearly everyone we spoke with agreed that merchants must find a way to stop storing card data to limit their risk liability in the event of a breach
“There aren’t any silver bullet solutions” says RSA’s Sadowski

“Have you ever been in a Turkish prison?” Captain Clarence Oveur asked little Joey during the 1980 slapstick comedy Airplane. Well, if you are credit card scammer Maksym Yastremskiy, then the answer is yes.

Known simply as Maksik, the Ukrainian-born fraudster was detained by Turkish officials and sentenced to 30 years in prison in 2007 for being part of Albert Gonzalez’s cybercriminal ring that stole millions of credit and debit card details while making quite a hunk of cash for themselves as a result.

Credit card fraud is a simple fact of life for all merchants and consumers. Dealing with card transactions is a Catch-22 – nearly all businesses must have a card processing capability, but with this comes the headache of securing the data. Furthermore, credit cards have become one of the most frequently used, if not the preferred, means of conducting personal financial transactions.

With some larger merchants spending millions a year on PCI compliance, it is worth investigating which technologies are the most effective in fighting fraud. Infosecurity asked experts in the field what can be done to live by the standards, while minimizing risk exposure.

The Flexible Cybercriminal

The problem with securing payment card data is that so many different organizations get their digital hands on the information during the transaction process.

The card holder possesses the physical card, with all the information it contains; much of this information may be stored by the holder themselves on any number of digital devices, not just a home computer. The merchant, depending on size and applicable policies, may hold this data as well, most importantly the primary account number (PAN). Throw in the merchant’s acquiring bank, the card company, and the card issuer, and there’s no shortage of access points, or variety of schemes, that can involve payment card data in today’s world.

Storing card data is what got TJ Maxx in trouble back in 2009, asserts Jasbir Anand, senior fraud solutions consultant for processing software provider ACI Worldwide. “It was the most sophisticated type of card fraud attack”, he says, where you get access to thousands of numbers.

Rob Sadowski agrees with this risk assessment. The senior manager of technology solutions at RSA reveals that one of the chief security concerns of his clients involves the compromise of large data storage repositories.

“This is potentially the most damaging and presents the most risk for a merchant”, he affirms. “Also, criminals gravitate toward this type of situation because it gets them the most valuable information with the least amount of effort.”

On the subject of card fraud, Bob Russo, general manager of the PCI Security Standards Council, says “skimming is fairly rampant in the Level 4 space”, referring to merchants that process far fewer transactions.

Russo suggests these lower-level merchants, upon receiving a new card processing machine, should take a picture of it, store the picture, and every few months pull the picture out and take a look at it again, comparing the picture to its present appearance. For these commercial enterprises, he assures, taking this simple, common-sense step can pay off handsomely in preventing machine tampering, including skimming techniques.

“More so for the Level 4 [merchants], we [also] found that the weakest link in the chain is generally the application that somebody buys off the shelf.” As an example, Russo talks about programs your local restaurant might use: they not only take orders and keep inventory, but also process card data.

Eduardo Perez, head of global payment system security for Visa, agrees with Russo and says he focuses on what his company calls interactive payment applications. “It’s those types of merchants that we know are being targeted by criminals.”

He points toward the PCI Council’s website, which provides a list of PCI-compliant payment applications. Visa also privately provides merchants’ acquiring banks with information on vulnerable payment applications and encourages acquirers to pass this along to their merchants. “It’s had a very powerful and positive impact on merchants’ ability to secure card holder data”, he claims, “particularly if they are using integrated payment applications”.

"Security is all about layers, and the more layers you add on, the more secure you will be"
Bob Russo, PCI Standards Council

Perez imparts some advice, adding that merchants that use dial-up only payment terminals “present very little risk to the payment system because the card data is not traveling through their corporate systems, and it’s not exposed to the same degree that it might be exposed by merchants that are using integrated payment applications.”

The head of payment security reminds us that, as of July 1, all US acquirers are required by Visa to ensure their merchants are using PCI-approved PA-DSS payment applications. He says these apps do not store unnecessary or prohibited card data.

Tackling PCI Compliance

It’s not surprising, however, that one of the card brands responsible for creating the PCI standards would be a staunch proponent. In response to a string of data breaches involving card data in 2009, Ellen Richey, chief risk officer of Visa, told readers of the financial daily American Banker that there’s no doubting the effectiveness of the standards when it comes to securing data. “In all cases, forensic investigations have concluded that significant compliance deficiencies were major contributors to the breach”, she wrote.

Richey added that the PCI standards are, when implemented properly, a “program of basic security safeguards”, being careful to warn that they were no “silver bullet” security solution. It would not be the first time the term ‘silver bullet’ was thrown about in conversations that contributed to this article.

Nonetheless, the 2010 Verizon Data Breach Investigations report appears to agree with Richey’s assessment. It notes that achieving PCI DSS compliance is still critically important. Seventy-nine percent of data breach victims subject to the PCI DSS standard had not yet achieved compliance prior to the reported breaches that Verizon investigated from 2009.

PCI’s Russo believes most merchants don’t require prodding to implement PCI DSS recommendations. “These are things that you should be doing, not only to protect credit card data, but literally to protect anything you want. These are just good security practices. It’s the best way to do business to protect any type of information.”

With previous experience in other sectors, including insurance, Saffet Ozdemir, information security officer at Zappos.com, has seen PCI compliance approached from several different perspectives.

“PCI compliance is the very fundamental, basic best practices, but it’s not the end all and be all for security”. He says Zappos.com tries to establish security policies that are more comprehensive than the PCI standards, ones that also include other regulatory requirements affecting its business, such as Sarbanes-Oxley reporting.

“PCI is not as complicated as you are willing to make it”, he declares. Zappos.com, Ozdemir continues, has not developed a particular system for PCI compliance. Instead it’s more about the company having an approach toward securing card holder information that falls within the standards.

“Our perspective is systems that process, transmit, or store card holder information are segregated and separate from those that do not, such that we limit the scope of PCI, we limit the cost of compliance, and we also limit our potential for breach.”

One of his colleagues at the online retailer describes their approach as an attempt to “cocoon off cardholder processes”.

Ozdemir confirms that Zappos.com does employ specific products that address PCI compliance, “but I’m not sure those products are a hundred times better than anything else”, he admits.

“I try not to throw money at PCI. I try to change our infrastructure, our coding processes, and our perspective around it. I think that’s what really reduces costs, and not so much a product we can buy.”

After all, the point of PCI compliance, Ozdemir asserts, is not to reduce the merchant’s exposure to fraud, but rather limit risk liability for the major card brands.

Ditch the Data

RSA’s Sadowski says that regardless of PCI’s goals, merchants can benefit from new advances in technology that reduce the risks associated with holding card data.

“If you’re a merchant, PCI compliance is not something that contributes to the bottom line. Ideally what merchants are looking for are solutions that reduce their effort in complying with [PCI] so they can spend more of their time and resources on things that are directly related to their core business.”

In Sadowski’s opinion, the best solutions are the ones that address the cause of the problem, “and the root cause of the problem is the credit card data”, he stresses.

Neil Denham, security expert with network solutions provider LAN2LAN, tells us that his company starts by examining a client’s PCI scope, which means everywhere credit card data touches the network environment, and where it is stored. If your business does store card data, Denham implores, be sure it is encrypted in some way.

“If you use a third party to process your credit card information, then your scope is reduced compared to actually storing that information yourself”. It’s not eliminated, he adds, because the merchant must still process the transaction from the consumer and transmit the data to the third-party processor.

Thales sponsored a recent Ponemon Institute survey of qualified security assessors (QSAs) – the very individuals tasked with approving PCI compliance for large processors. The study says that 60% of QSAs believe end-to-end encryption is the most effective means to protect card data. The study also revealed that new technologies like tokenization are favored by 35% of QSAs as the best method for data protection.

PCI’s Russo says that although the Standards Council does not advocate for a particular security technology, there are a number out there that will make a merchant compliant. Some of the technologies he mentions include end-to-end encryption and tokenization.

Once again, however, he cautions there are no “silver bullets out there. These technologies have benefits”, says Russo. “Security is all about layers, and the more layers you add on, the more secure you will be.” Nevertheless, he warns that merchants may meet a particular standard’s requirements, but that does not ensure complete security.

Eduardo Perez of Visa takes the same line as Russo and Sadowski. He agrees that the best thing merchants can do to limit their risk is to stop storing data, such as PANs.

“We want to first help entities eliminate any unnecessary data that may be flowing through their systems”, says Perez. “We believe there are a lot of opportunities there for merchants to stop storing that data so that they don’t put themselves at risk of being breached or compromised.”

Unless there is a compelling, legitimate business purpose, Perez advises against storing card data within a merchant’s system. He also recommends data encryption or tokenization as two of the most effective methods to limit risk. Eliminating the data, or devaluing it, makes critical contributions to risk reduction according to Perez.

Not surprisingly, RSA’s Sadowski agrees with this assessment. “If we reduce the amount of [credit card] data, or we make that data impossible to turn into money, then ultimately that will be very beneficial to merchants.”

He tells us to think of tokenization as a body double: “It preserves all the value of storing card numbers…but it really removes the value to the cybercriminal”.

Sadowski does admit to the security risks involved with tokenization. “It obviously places a significant priority on protecting where the card numbers are held and the systems that actually tokenize the data”.

“But that”, he says, “is going to be limited to one place”, sometimes in the merchant environment. Sadowski adds that increasingly what he sees is tokenization being turned into a service by third parties.

You must have utmost confidence in the security of this central tokenization repository or processing application, or in the third-party provider who is providing the service, Sadowski cautions.

“If you use a third-party service provider, you must confirm they are a PCI-compliant provider”, he continues. You must calculate if you are willing to outsource the payment function to a third-party provider and compare this with the cost of doing it yourself, especially if you are a small or medium-sized merchant.

Tokenization, Sadowski agrees, limits the number of attack points through which card data can be accessed to just a handful.
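Sadowski’s body-double description maps directly onto how a tokenization vault works: the merchant’s order systems keep a random token that is worthless on its own, and only the vault can turn it back into a card number. The following is an added example, not code from the article or from RSA, Visa or any vendor; it assumes a merchant-hosted vault (the hypothetical TokenVault class), a Luhn checksum routine to reject malformed input, and constructed test card numbers:

```python
import secrets

# Constructed example (not from the article or any vendor product): a minimal
# tokenization vault. The vault is the single place that holds real PANs, which is
# exactly the component Sadowski says must be protected above everything else.


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    if not digits.isdigit() or len(digits) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps random tokens to PANs (hypothetical class for this example).

    In a real deployment the PANs in this store would be encrypted at rest and
    detokenize() would be reachable only from the payment path, not from order,
    reporting or customer-service systems.
    """

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}   # reuse the same token for a repeat customer card

    def _new_token(self, last4: str) -> str:
        # Token format (a design choice for this example): 12 random digits plus the
        # real last four, so receipts can still show "**** 1111". The token is
        # regenerated until it fails the Luhn check, so it can never be mistaken
        # for, or accidentally submitted as, a real card number.
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(12))
            token = body + last4
            if token not in self._token_to_pan and not luhn_valid(token):
                return token

    def tokenize(self, pan: str) -> str:
        """Exchange a PAN for a token; the PAN is retained only inside the vault."""
        pan = pan.replace(" ", "")
        if not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        token = self._new_token(pan[-4:])
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (or the third-party tokenization service) can do this."""
        return self._token_to_pan[token]


def record_order(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant's order system stores: a token and a display mask, never the PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "display": "**** " + token[-4:], "amount_cents": amount_cents}


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed test PAN, not a real card.
    order = record_order(vault, "4111 1111 1111 1111", 2499)
    print(order)                                # token and mask only, no PAN
    print(vault.detokenize(order["token"]))     # only the vault recovers the PAN
```

The order record never contains the PAN, so a compromise of the order database yields tokens that cannot be converted into money without also compromising the vault. That is the trade Sadowski describes: the scope of systems holding card data shrinks to one, and that one, whether run in-house or by a PCI-compliant third party, has to be protected accordingly.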

And because Sadowski believes that providers will increasingly provide tokenization and other layered security measures as a service, it could be within reach of smaller merchants, perhaps just some guy or gal running a website and selling some screen-printed t-shirts.

The senior technology solutions manager at RSA closes by reiterating his most effective argument: “If you can get out of the practice of storing credit card data, you are going to alleviate a lot of your risk, and you will drastically reduce your PCI compliance scope and burden”.

Sadowski is serious when he says this, and don’t call him Shirley.
