News hounds read too far too soon

Seems CNET’s article “(Credit card security rules to get update)” references a top MasterCard representative stating that encryption will no longer be required in the new v1.1. I must say, this is quite an interpretation to what Tom said at the conference, and one that is clearly a mistake by CNET. The use of encryption is the final defense that protects sensitive data wherever it is stored, and the relaxing of this pillar of confidentiality only invites 2006 to be a worse year in breaches than 2005. This, of course, cannot be so.

For the record, the standard firmly states that all track data should be destroyed and never stored. This is expanded to include what is referred to as cardholder data. By cardholder data, we in the payment / audit world, consider track data and the other necessary components that are needed for a transaction to occur. If an attacker captures this sensitive data (by hacking through a wireless access point or public web server and downloads the database from an unsuspecting unencrypted retailer), there is no way for the banks, retailers, or VISA / MasterCard themselves to be able to tell the difference. In fact, it is only if a vigilant security administrator at said hacked company notices, or you the consumer realizes that you do not need 15 plasma televisions. (This of course being a need vs. wants discussion and better left to a private conversation)

The storing of SOME information about the credit card is permissible as is necessary to track consumers and provide reasonable customer support, but certainly not to the extent that most systems are storing it today. This brings us back to encryption. Encryption is feasible on nearly every electronic device out there. It is a given that some POS (point of sale) devices are ancient and the processors are slow and the firmware is old, but these systems still must meet current day operating standards. This is the time when consumers and companies should stand together and require that these devices be brought to the now. Honestly, how can we in the security space consider the creators of PCI DSS to roll over on encryption after only a few weeks ago VISA and Fujitsu were roasted on television and newspapers for having certain POS devices that had old firmware that stored cardholder data in the clear?!?!

Based on conversations with those in charge of the standard, other assessors in the United States, clients, providers, merchants, and security experts – encryption is here to stay and no level of compensating controls will be sufficient to meet the intent. This intent being – if you (merchant/provider/anyone) store track data / cvv2 / other (in great detail) encryption is necessary and truly the best defense against the loss of goodwill and access to payment transaction networks.

In a time when state and federal laws are mandating encryption across the board for sensitive data very similar to payment transaction data, is it not prudent to embrace encryption and adopt a whole enterprise solution (across all databases)? I hope that we can expend as much energy as trying to wholly address this critical issue, as we have on trying to imagine it no longer prudent.

A bit of practical consulting feedback: In recent engagements I have found companies siloing their database requirements to meet HIPAA / SOX / FFIEC / and PCI DSS. The shame is that after some risk analysis we were able to demonstrate that costs would be lower if they used the same stringent controls across the whole database. This saved them on maintenance, managing access to the device and databases, licensing costs, and they will be able to address future requirements as they come into effect across all sets of data at once.

Always looking for feedback and additional thoughts,

James DeLuccia


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s