This week, Heartland Payment Systems, the sixth largest payment processor in the United States, announced that it had suffered a security breach in which credit card transaction data was compromised by malware that sniffed unencrypted card data as transactions crossed its processing platform. The details are still sketchy, and forensic analysis continues.
Here's my point: When you add the Heartland breach to the breach of RBS WorldPay a month ago, you have to ask yourself: Are retailers really any safer if they outsource the handling of payment and other confidential data to third parties? Are service providers, on average, any more secure than retailers? Many pundits used the TJX and Hannaford breaches as an excuse to question the security of the entire retail industry, so why not use two payment service provider breaches in quick succession as a springboard to question the security of service providers in general?
Honestly, most companies, as a whole, don't take data security very seriously. Several years after PCI DSS was first mandated, it is still most commonly managed inside IT, with the goal of checking all the boxes as cheaply as possible. There is very little ongoing education of employees as a whole about the importance of protecting customer data. "PCI awareness" typically consists of making employees sign a liability-oriented document once a year. To some extent this is a cultural issue, so we expect change to be slow. But one of the fundamental problems with using PCI DSS as the basis for general employee education is that the standard is too technology-laden to support the kind of multi-layered program that different employee roles need: a cashier, a developer and a database administrator each need a different message.
The point here is that the problem is exactly the same at service providers as it is at retailers. Retailers have zero reason to assume that when they outsource shopping carts, payment processing, data analysis or even application hosting, the service provider they use will treat their data any better than they do. Frankly, some service providers do a much better job than others when it comes to data security, but they charge more for it.
We have interviewed dozens of companies that provide payment and security management services to retailers. Their number one complaint is that they feel they are wasting money on data security, because their customers don't seem to care. The ones that also have banking industry clients spend the most on data security, because bankers do relatively thorough reviews and may even send a team of internal (or third-party) auditors to inspect them. But retailers, the complaint goes, buy almost exclusively on price. Even if it is true that no enterprise can be fully "secure" against sophisticated threats, it certainly makes sense to build a set of data security questions and quarterly security review obligations into service provider contracts and vendor selection. A shorthand question is to ask a service provider whether it also serves banks, and then hope that its banking customers are doing the kind of due diligence that you don't have the time or money for. The caveat is that a provider's bank-grade controls may apply only to the service tier its banks buy, not necessarily to the one you are buying, so ask whether your account is covered by the same controls and assessment scope.
Malware has two divergent trends, both of which are likely to continue. The first is a rapidly growing market for highly automated, commodity malware built from reusable components that can be quickly adapted to find and exploit newly disclosed vulnerabilities. These kits go after unpatched servers, permissive firewall rules, the OWASP Top 10 web application flaws and so on. They are aimed at the mass market: SMEs and consumers.
Then there is the high-end malware with the "personal touch": customized to a specific company and often combined with social engineering to make sure it lands on the right systems. This type of attack got TJX, Hannaford and now Heartland. The point is that the more concentrations of valuable data we create, the more worthwhile it becomes for attackers to put in the effort to customize a campaign against a specific target.
So if you're using a service provider that is a big target, you need to apply due diligence that is proportionate to the size of that target, and you should assume that attackers are putting in an equivalent amount of effort.
This advice all sounds pretty depressing as I read it over. But there are a few things worth doing in the next few months, when you're not working on your resume.
(1) Review the Web sites of several service providers you use to handle "confidential" data (collecting it, processing it, analyzing it, storing it, etc.). See whether they market their data security capabilities, or even mention PCI DSS compliance.
(2) Ask an account executive or sales engineer at those firms whether they offer multiple tiers of service based on the level of protection provided.
(3) Try to get pricing for the high-security and low-security tiers and compute the percentage difference, so you can compare across companies.
(4) Ask each provider who in its company was involved in the QSA (Qualified Security Assessor) review that got it onto Visa's list of PCI DSS validated service providers (assuming it is on that list). Talk to that person, and ask for a copy of the Report on Compliance. Don't expect to get the full report; a signed Attestation of Compliance is what most providers will share, and you should check that the services you actually use fall within the scope of the assessment it describes.
This information will help you justify spending more on more secure service providers while keeping that spending proportional to the incremental data security delivered.
The goal is to take some low-cost actions that will either give you more confidence that your service providers have a pervasive (or, dare I say it, "strategic") view of customer data security, or show you that they just do the bare minimum. If you're not happy with the results, line up a couple of alternative service providers and put them through the same simple tests. There are service providers who take data security seriously, but do not assume you are using one just because it managed to pass a PCI DSS assessment. If you want to discuss this topic or want more information, visit us at the PCI Knowledge Base, or just send an e-mail to [email protected]