The Heartland and RBS WorldPay breaches should remind us that some types of organizations are genuine "targets" for bad folks. Banks (and bank robbers) figured this out a while ago. Thanks to distributed computing and the extensive use of service providers that specialize in collecting, processing, managing and storing highly confidential information, there is now a "target rich" environment for nefarious folks all over the world.
The most obvious examples of targeted companies are financial institutions. They know they are targets, and most have implemented technologies and procedures more rigorous than PCI demands. Other targeted enterprises we've spoken with include transaction and other data aggregators that act as service providers in e-commerce, hospitality, healthcare, retail, travel and, of course, financial services. Many of these organizations do not process transactions directly, so they often get little PCI-compliance pressure from their acquiring banks; the pressure to secure confidential data comes instead from their large corporate customers. For these firms, "beyond PCI" is a competitive advantage, something worth marketing to customers and prospects.
If this statement seems controversial or negative, I should point out that I'm a big fan of PCI. I've built three different businesses around it over the past four years. But the more I talk to leading merchants and financial institutions about security and compliance, the more convinced I've become that there are clear tools and techniques targeted enterprises can use to go beyond PCI compliance, for two reasons: PCI was designed to be scalable down to Level 4 (SME) businesses, and it does not address emerging technologies and practices (e.g., virtualization, SaaS, tokenization, one-time passwords).
When Heartland's management started talking (post breach) about the need to go "beyond PCI," they spoke specifically about end-to-end encryption. In such a scenario, data is encrypted at the initial point of capture (card swipe, Web site form or mobile payment) and remains encrypted as it travels over the internal network and sits in temp files. It is decrypted only under very specific, controllable circumstances and by an extremely narrow set of people and systems. We have talked with organizations that have implemented end-to-end encryption, and the real problem is enterprise key management: once the data is encrypted everywhere, the keys are what an attacker needs, and every system that can decrypt is still in scope. For companies that "grow into" end-to-end encryption, key management can rapidly become a nightmare. Based on our research with these leading companies, I'd argue that a tactical approach to key management is very counter-productive. On the other hand, enterprise key management packages tend to be expensive, often north of $500,000 for firms with enough confidential data to be considered a "target." Recommendation: Although it's possible to satisfy PCI requirements 3.4 (render stored PAN unreadable) and 3.6 (documented key-management processes) without enterprise key management, I'd strongly recommend it for targeted businesses.
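The architecture described above, as an added example in Go (my illustration, not Heartland's design or any vendor's product): envelope encryption. A fresh data-encryption key (DEK) seals the PAN at the point of capture; the DEK is wrapped by a key-encryption key (KEK) that never leaves a key service standing in for an HSM or KMS; everything downstream carries only the sealed record. Rotating the KEK adds a new version without touching stored records, which is exactly the version bookkeeping a tactical approach trips over. The `KeyService`, the record layout, the in-memory keys and the test PAN 4111111111111111 are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is all that networks, queues, temp files and databases ever see.
type Record struct {
	KEKID      int    // KEK version that wraps the DEK
	WrappedDEK []byte // per-record data key, sealed under the KEK
	Ciphertext []byte // PAN, sealed under the DEK
	Last4      string // the only cleartext kept, for receipts and lookups
}

// KeyService stands in for an HSM/KMS (assumption: in-memory keys, so this runs stand-alone). It never releases a KEK.
type KeyService struct {
	keks [][]byte // every version is kept so old records stay readable
}

func NewKeyService() *KeyService { ks := &KeyService{}; ks.RotateKEK(); return ks }

// RotateKEK installs a new KEK for future wraps. Retiring an old version means
// re-wrapping every DEK under it, which is the bookkeeping a key manager tracks.
func (ks *KeyService) RotateKEK() int {
	ks.keks = append(ks.keks, randomBytes(32))
	return len(ks.keks) - 1
}

func (ks *KeyService) WrapDEK(dek []byte) (int, []byte) {
	cur := len(ks.keks) - 1
	return cur, seal(ks.keks[cur], dek)
}

func (ks *KeyService) UnwrapDEK(id int, wrapped []byte) ([]byte, error) {
	if id < 0 || id >= len(ks.keks) {
		return nil, fmt.Errorf("unknown KEK version %d", id)
	}
	return open(ks.keks[id], wrapped)
}

// Capture runs at the point of capture: one fresh DEK per record, used once.
func Capture(ks *KeyService, pan string) (Record, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return Record{}, fmt.Errorf("PAN length %d out of range", len(pan))
	}
	dek := randomBytes(32)
	id, wrapped := ks.WrapDEK(dek)
	ct := seal(dek, []byte(pan))
	return Record{KEKID: id, WrappedDEK: wrapped, Ciphertext: ct, Last4: pan[len(pan)-4:]}, nil
}

// Decrypt is the one narrow path back to cleartext; it needs the key service, and GCM rejects tampering.
func Decrypt(ks *KeyService, r Record) (string, error) {
	dek, err := ks.UnwrapDEK(r.KEKID, r.WrappedDEK)
	if err != nil {
		return "", err
	}
	pt, err := open(dek, r.Ciphertext)
	return string(pt), err
}

func seal(key, plaintext []byte) []byte {
	g := aead(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil) // nonce || ciphertext || tag
}

func open(key, blob []byte) ([]byte, error) {
	g := aead(key)
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // keys here are always 32 bytes: AES-256
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return g
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func main() {
	ks := NewKeyService()
	rec, _ := Capture(ks, "4111111111111111") // constructed test PAN, not a real card
	ks.RotateKEK()                              // later captures use version 1; rec still opens
	fmt.Println(Decrypt(ks, rec))
}
```

Two things worth noticing when you run it: a record captured under KEK version 0 still decrypts after a rotation, because the service keeps every version it ever wrapped with, and the work that makes rotation actually retire a key (re-wrapping every DEK still under the old version, then destroying it) is the part this example leaves out and enterprise key managers sell. The decrypting systems, the key service and anything allowed to call it stay in PCI scope; the encryption moves the problem, it does not remove it.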
I've harped on the importance of automated log management many times in this column, and it is very important. But I also want to mention the importance of putting more code, policies and systems administration under change management control. Although change management is mentioned in PCI, a company can apply it minimally and still pass. Some of the most secure financial services and other firms have very rigorous change control systems and procedures, making it almost impossible for malware or an unauthorized employee to change access controls, permissions or system software. Because such changes are often necessary intermediate steps in a major data breach, automated change management can help prevent a breach, or at least detect one early. Recommendation: Because such tools can be difficult to live with for fast-moving, innovative companies, I would tend to recommend them primarily for targeted enterprises.
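One way to make "almost impossible to change access controls, permissions or system software" operational, as an added example (mine, not from the column or any product): a baseline of file hashes, approved change tickets that state the exact post-change content, and an audit that flags any deviation no ticket covers. The paths, file contents and the ticket ID `CHG-1042` are constructed for the example; a real deployment would hash the live filesystem and read tickets from the change system.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Baseline maps a monitored path to the SHA-256 of its last approved content.
type Baseline map[string]string

// ChangeTicket is an approved change: for each path it authorizes, the exact hash
// the file may have afterwards ("" means an approved removal). Approval binds to content.
type ChangeTicket struct {
	ID       string
	Expected map[string]string
}

// Finding is one deviation from the baseline and the ticket that covers it, if any.
type Finding struct {
	Path   string
	Kind   string // "added", "modified" or "removed"
	Ticket string // approving ticket ID, "" when nothing authorizes the change
}

func Hash(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// Snapshot hashes a set of files (path -> content) into a Baseline.
func Snapshot(files map[string][]byte) Baseline {
	b := Baseline{}
	for p, c := range files {
		b[p] = Hash(c)
	}
	return b
}

// Audit diffs the current state against the baseline and matches each deviation to
// a ticket naming both the path and the resulting hash. Anything left is unapproved.
func Audit(base Baseline, current map[string][]byte, tickets []ChangeTicket) []Finding {
	approved := map[string]string{} // "path\x00hash" -> ticket ID
	for _, t := range tickets {
		for p, h := range t.Expected {
			approved[p+"\x00"+h] = t.ID
		}
	}
	var out []Finding
	for p, c := range current {
		h := Hash(c)
		if old, known := base[p]; !known {
			out = append(out, Finding{p, "added", approved[p+"\x00"+h]})
		} else if old != h {
			out = append(out, Finding{p, "modified", approved[p+"\x00"+h]})
		}
	}
	for p := range base {
		if _, still := current[p]; !still {
			out = append(out, Finding{p, "removed", approved[p+"\x00"]})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Path < out[j].Path })
	return out
}

// Sample is a constructed scenario (not real files): a three-file baseline, one approved
// gateway release, and a current state where sudoers was also edited and a cron job
// appeared, neither covered by a ticket.
func Sample() []Finding {
	approvedFiles := map[string][]byte{
		"/etc/sudoers":             []byte("root ALL=(ALL) ALL\n"),
		"/etc/passwd":              []byte("root:x:0:0::/root:/bin/bash\n"),
		"/opt/gateway/gateway.bin": []byte("gateway build 1041\n"),
	}
	newBin := []byte("gateway build 1042\n")
	tickets := []ChangeTicket{{ID: "CHG-1042", Expected: map[string]string{"/opt/gateway/gateway.bin": Hash(newBin)}}}
	current := map[string][]byte{
		"/etc/sudoers":             []byte("root ALL=(ALL) ALL\nsvc ALL=(ALL) NOPASSWD: ALL\n"),
		"/etc/passwd":              approvedFiles["/etc/passwd"],
		"/opt/gateway/gateway.bin": newBin,
		"/etc/cron.d/collector":    []byte("*/5 * * * * root /var/tmp/.collector\n"),
	}
	return Audit(Snapshot(approvedFiles), current, tickets)
}

func main() {
	for _, f := range Sample() {
		status := "approved by " + f.Ticket
		if f.Ticket == "" {
			status = "UNAUTHORIZED"
		}
		fmt.Printf("%-8s %-26s %s\n", f.Kind, f.Path, status)
	}
}
```

The point of binding a ticket to the resulting hash rather than to the path alone is that "someone is allowed to touch the gateway binary today" does not also approve whatever else got written to it; the sudoers edit and the new cron entry in the sample surface as unauthorized even though a release was in progress.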
What makes some organizations targets is that they hold massive volumes of confidential data that has resale value on the black market. Therefore, any tool or technique that limits the value of that information reduces what an attacker can gain from a breach, the "attack surface" in the economic sense. Tools such as one-time passwords (OTPs) and single-use credit card numbers can fundamentally reduce the ability of hackers or insiders to steal massive volumes of data that can be used to generate fraudulent transactions, steal identities, etc.: a password or card number that is dead after one use is worth nothing to whoever copies it afterwards. Mobile payment security technologies will greatly increase the awareness and use of OTPs. I would also expect to see greater use of OTPs and single-use cards (along with tokenization) as targeted businesses upgrade their applications and access controls in light of what is likely to be an ongoing series of security breaches of "compliant" businesses.
I'd like to hear other examples of "best practices" and of how to cost-effectively go beyond PCI to protect targeted enterprises. For more information, please visit the PCI Knowledge Base and/or send me an E-mail at [email protected]