What If South Carolina Were A Retailer?
A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.
The recent theft of cardholder data from the State of South Carolina's computer systems presents an interesting question: What would happen if South Carolina were a retailer? What would the state do, and what would be the reaction of the state's acquirer and the card brands to the data breach?
To recap briefly, the state announced in early November that hackers had stolen 387,000 payment-card numbers from the state's tax office. According to this Reuters story, 16,000 of those payment-card numbers were not encrypted. As a result of the loss of the card data—together with 3.6 million Social Security Numbers and the tax records of 657,000 businesses, presumably none of which was encrypted—the state is looking at a $12 million bill to provide one year's worth of credit monitoring and identity theft protection to those affected.
South Carolina's governor has been visible throughout the episode, which is also encouraging. I read one report, however, that quotes the governor as saying: "The industry standard is that most Social Security Numbers are not encrypted. A lot of banks don't encrypt. A lot of those agencies that you think might encrypt Social Security Numbers actually don't, because it's very complicated, it's cumbersome and there's a lot of numbers involved with it. So it's not just that this was a Department of Revenue situation; this is an industry situation."
If that quote is accurate, it sounds a bit too similar to what may be called the "Barbie defense", after the infamous ill-fated talking Barbie Doll that whined: "Math class is tough." Yes, encryption is "tough" (and encryption key management is even tougher). But I bet the state could have managed to encrypt all its data for a lot less than the $12 million South Carolina is spending on identity theft protection for its citizens.
Going even further, PCI DSS provides a pretty solid roadmap for protecting all PII, not just cardholder data. This is a lesson many organizations, in both the private and the public sectors, have come to realize.
Leaving aside the loss of all the PII, though, I wonder how the state will be treated versus a retailer that loses 387,000 payment cards, 16,000 of which were in the clear (i.e., not encrypted).
The first step a retailer would take is to implement its Incident Response Plan, which it looks like the state did. Your company has one of those, right? PCI DSS requires an Incident Response Plan in Requirement 12.9, which, unfortunately, is the very last PCI DSS requirement. PCI DSS also requires that the plan include some detail on assigning responsibilities, that it be tested annually, and that it be modified to reflect changing circumstances.
After notifying your acquirer, the retailer would likely be told to conduct a forensic investigation. Again, it looks like the state is taking this step, too.
I have no idea if the State of South Carolina has a QSA, but I suspect somebody was paying attention to PCI DSS compliance, because the bulk of the compromised payment cards were encrypted. If that is the case, where did those 16,000 unencrypted card numbers come from? No QSA would let that situation get past him or her unless he or she didn't know about it. I hope somebody in South Carolina also spends a few minutes looking into what information the state shared with its QSA and determines conclusively whether something slipped between the cracks or whether there might be a "rogue" operation taking payment cards and not following the rules.
Another outcome we have yet to see is whether any fines or sanctions will come from the card brands. The card brands have fined retailers and even not-for-profit institutions like colleges and universities for cardholder data breaches. Will they fine a state? Any retailer that managed to lose this many payment cards would certainly expect a sizeable fine, but does it make sense to fine a state (which will just tax its citizens—the victims—to pay it)? On the other hand, if there is no financial penalty, is it fair to retailers to have two sets of consequences for data breaches: one for retailers and one for government businesses?
Lastly, I wonder whether the acquirer will impose future sanctions on the state, such as holding transactions in reserve or raising its merchant fee. Retailers I speak with, especially small retailers like restaurants, often find these sanctions as troubling and damaging as the initial fine, or more so, because the sanctions impair their ability to continue to accept payment cards profitably.
What do you think? I'd like to hear your thoughts. Either leave a comment or E-mail me.