Facta Non Verba - Society of Payment Security Professionals - Payment Security Blog

18 December, 2009 04:19 AM

I thought I would leave everyone with a quote from Froissart to end the year…when measuring people that freely give advice and hold themselves out as ‘experts’ it is suggested that you look at those who have gained their expertise through experience as opposed to theory.

“There were young knights among them who had never been present at a stricken field. Some could not look upon it and some could not speak and they held themselves apart from the others who were cutting down the prisoners at My Lord’s orders, for the prisoners were a body too numerous to be guarded by those of us who were left. Then Jean de Rye, an aged knight of Burgundy who had been sore wounded in the battle, rode up to the group of young knights and said: ‘Are ye maidens with your downcast eyes? Look well upon it. See all of it. Close your eyes to nothing. For a battle is fought to be won. And it is this that happens if you lose.’” (Froissart’s Chronicles, 14th century)

I have always found it amusing that frequently those who are quick to talk of “victory” and winning have rarely ever experienced that of which they are so quick to speak.


Radiant Systems and VAR being sued for Data Compromises

25 November, 2009 04:55 PM

A recent press release announced that Radiant Systems and a reseller of their products called Computer World are being sued in a class action suit for “millions of dollars” over issues that resulted in hundreds of instances of identity theft. This is a very interesting wrinkle in the PCI DSS space. Those of us who have been in the PCI world for a while have seen what is alleged in this suit numerous times. According to the press release, the company’s Aloha application violated the PCI DSS and the distributor violated provisions as well. Specifically, the suit alleges that Radiant and Computer World were responsible for the following:

1) Restaurants were sold earlier model POS systems although they were represented to be new models;
2) Computer World used a remote access system that did not have adequate security patches – a violation of PCI-DSS standards;
3) Computer World used the same password for at least 200 operators in violation of PCI standards;
4) The distributor failed to remove prior sensitive customer credit data upon installation of Radiant POS systems, again in violation of PCI standards.

This is nothing new, but it is about time that VARs are held responsible. I will never forget the Visa class I was teaching several years ago when a very polite older gentleman in the front row explained how his distributor installed his POS incorrectly and, after suffering a breach, he was found to have been storing magnetic stripe data. While I am the first to say that companies are responsible for their own security, the vendors also have a responsibility to support their customers in a secure manner.

Additionally, the suit alleges that:

• Radiant Systems’ negligence and failure to either instruct or monitor Computer World’s actions led to systems being compromised and leaving the plaintiffs’ customers vulnerable to identity theft and fraud.
• Radiant and Computer World were warned by Visa in 2007 that their programs were non-compliant. (The restaurants were unaware of these warnings at the time they purchased the Aloha system.)

Going back to my previous posts, I am a huge proponent of tokenization and end-to-end type solutions for this very reason. According to the National Restaurant Association there are nearly 1 million single, serving restaurants in the US. Without removing the data from the merchants’ environment we will continue to see situations like those referenced in the release above. For those looking for such solutions, here is a short list…

ProPay, Shift4, MerchantLink, EPX, TrustCommerce, CyberSource, Payment Processing, Inc., Heartland Payment Systems, First Data (new entrant), BrainTree, 3Delta, and a few others (if I forgot your company, please comment and I will add it). If you manage merchants, I recommend you look for solutions that can simply remove the data from their environment.


“After Data Loss ID Theft Soars”….really?

20 November, 2009 04:45 PM

I have worked in payment card security since 2000, when I was involved with Visa in writing/re-writing/updating the CISP. Since that time I have had the opportunity to work with Visa and MasterCard, and to work as a QSA and QSA Trainer. During that time I have had many opportunities to work with compromised companies and review data forensic reports. I am disturbed by the article I found on MSNBC.com titled “After Data Loss ID Theft Soars”. One of the first paragraphs in the article provides language from what they refer to as the Dear John letters:

“Dear Consumer. We’ve lost your personal information. It’s fallen off a truck/was on a laptop that was lost/was stolen by a hacker. We’re sorry and we promise to be better in the future. Good luck.”

In my experience, I have seen few, if any, companies actually LOSE data. I have seen it stolen many, many times. I find the assumption that somehow the victim was at fault troubling. There seems to be a perception among the media that the victim was at fault when data is compromised. It would be difficult to envision the same attitude being applied to a bank robbery, a burglary, or a kidnapping. Imagine the following: “Dear Mark family, We’ve lost your son. He’s been lost from a ship off the coast of Eastern Africa that was hijacked/was attacked by a pirate.” Clearly this is a ridiculous position to take in a kidnapping, yet we are quick to blame the victims of data breaches.

Now, before the critics start talking about non-compliance and the other issues that are part of the reason the company was vulnerable: clearly there are things that could have been done better. Hindsight is a wonderful characteristic. Unfortunately we don’t have the benefit of hindsight before an event occurs. The same argument can always be made about any activity. “The ship should have avoided Eastern Africa so they are at fault.”…“The bank should have had thicker vault doors.” We can always second guess any situation and say that the victim should have done better.

The purpose of this post is not to say that companies who are compromised could not have done things better. In some cases, the companies were clearly negligent. The purpose is simply to say that companies that are compromised are not completely responsible and are victims of crime. They did not simply ‘lose’ the data.


Only 3 Seats Left for Dallas CPISM/A!

26 October, 2009 03:49 PM

The Dallas CPISM/A training and certification course has filled up quickly and we only have 3 seats left. If you are interested in attending the November 10-13th event, sign up soon. After reviewing the registrants, this should be a very interactive course with some great comments and input from the participants and a very good opportunity to network. If you are signed up already, we will see you in Dallas in a few weeks!


Another End to End / Tokenization Entrant

25 October, 2009 03:48 PM

Everyone who has read my blogs over the past few years or spoken to me about PCI DSS knows my feelings on end-to-end encryption and data replacement technologies. I am a huge proponent and feel that these technologies will help secure our industry and provide significant benefits in reduction of PCI DSS requirements. There are a number of companies entering the market with these solutions, and we have another. First Data recently announced their “First Data Secure Transaction Management” solution, which combines end-to-end encryption and tokenization. You can read their whitepaper here. While a number of companies have been offering this for quite a while (ProPay, Shift4, MerchantLink, TrustCommerce, etc.), the fact that First Data has invested in the technology demonstrates the traction that these solutions have received. Historically it has been the gateways developing these solutions, and now one of the (if not the) largest processors in the world has adopted the technology. It should be noted that this follows Heartland Payment Systems’ announcement of their end-to-end encryption technology. With Heartland and First Data developing these advanced solutions, I would venture to say that we have reached the proverbial ‘tipping point’ and these technologies are here to stay.

I know I am bound to receive some comments related to this subject. Before anyone attempts to eviscerate my position, let me say that 1) these solutions are not a fit for every merchant, 2) yes, they do have limitations, and 3) they do not ‘guarantee’ security. That being said, they are much better solutions in many instances than traditional PCI DSS compliance.


China Expands Cyberspying in the US

22 October, 2009 02:15 PM

The Wall Street Journal has a very interesting article out today that talks about cyberspying in the US. A report released today by the U.S.-China Economic and Security Review Commission indicates that the Chinese government is ratcheting up its cyber espionage efforts in the US. US companies have been specifically targeted. The report says that US companies are being attacked to steal intellectual property and secret information from defense contractors and other companies. The report states that Chinese cyberspies steal up to $50 billion a year in intellectual property. Finally, it states that the Chinese government has been creating cyberwarfare militia units, which draw on civilians in the telecommunications and technology sectors, as well as academia.


California Taking a Step Back?

21 October, 2009 06:25 PM

California has long been credited with the creation of the state breach notification law. For many in the security world, breach notification and SB 1386 are practically synonymous. Over the years since its passage, however, breach notification laws have undergone a number of evolutionary changes - central reporting requirements and requiring organizations to provide details of the breach and the type of information that was potentially compromised are among those changes. The notion behind including these elements in the notification requirements is that a citizen who is well-informed is well-armed. Knowing these details can help people who have been caught in a data breach keep track of their financial accounts and watch out for potential fraud. The central reporting structure is becoming much more common, as the percentage of compromised entities actually reporting breaches has long been suspect.

With these notions in mind, state Sen. Joe Simitian (D), the author of the original Breach Notification Law in California, proposed an update to the law. In this update, all organizations that suffered a compromise of more than 500 records would be required to report the breach to the state’s Attorney General. Additionally, the organizations would be required to provide more detail to consumers, including when the breach occurred, what type of information was compromised, and how they can monitor their credit for suspicious activities. There was no opposition to the bill once a clause requiring that companies disclose to affected individuals the number of records compromised was eliminated from it. With that change, the California Chamber of Commerce removed their opposition. The bill passed the state legislative bodies and was sent to the Governor for signature. The Governor, however, vetoed the bill, saying that he saw no additional benefit to consumers as a result of the new requirements and didn’t understand why the Attorney General’s office should begin keeping numbers on the breaches.

Gov. Schwarzenegger had vetoed a previous data protection law, though admittedly that one was far more divisive than the current proposition. It is questionable, though, why the Governor would veto a bill that even the retailers didn’t oppose. This is the same state that is considering banning big screen High Definition televisions because of their environmental impact. This move, in my opinion, seriously tarnishes California’s image as a standard bearer in consumer data protection. Though I haven’t been a proponent of these laws on the whole, the public and the government view data breach notification laws as a critical component in the fight against identity theft and financial fraud. Additionally, since public policy tends to be incremental in nature, it is to be expected that the original law would be adjusted and “tweaked” to address newly identified weaknesses (such as failure to report breaches) in the existing legislation. By failing to enact this law, the Governor has lost California’s lead in this area. In fact, an argument can be made that, while other states are racing ahead in the protection of consumer data, California is ceding its leadership position.


PCI DSS is “Insufficient?”

08 October, 2009 06:06 PM

In a lawsuit filed in the wake of the Heartland breach, the plaintiff’s attorneys allege that Heartland knew that the PCI DSS was “insufficient” to protect cardholder data. Specifically, the lawsuit alleges, “Heartland executives were well aware before the Data Breach occurred that the bare minimum PCI-DSS standards were insufficient to protect it from an attack by sophisticated hacker…” They base this allegation on an earnings call held the November prior to the breach in which the CEO states that Heartland will “move beyond” the PCI DSS, which was the “lowest common denominator” of security. The lawsuit uses that statement as evidence that the “industry standard” for security is actually set much higher. This is a chilling turn of events for many in the Payment Card Industry.

Essentially, the effect of such a suit, provided the judge finds in the plaintiffs’ favor, is to provide disincentives to organizations implementing security controls beyond those that are detailed within the PCI DSS. Why would they, when the result is that the organization takes on additional liability? The result of such a decision would be to encourage companies to do the minimum to meet compliance with the PCI DSS, lest they inadvertently set a new “industry standard” to which they will be held accountable in the event of a data compromise.

Further, many organizations have chosen to make a “core competency” of security as a marketing advantage. By implementing additional security controls, organizations can achieve a competitive advantage - attracting new customers through the use of security expertise and a greater level of data protection. This strategic business decision is now in jeopardy as well.

As data security professionals, we’ve all encouraged our clients to go beyond compliance and get secure. As business professionals, now we must ask whether the risk of going beyond compliance outweighs the risk of being insecure. If an organization simply achieves compliance and is breached, it can apparently make the claim that “We were PCI DSS compliant.” However, if that company implements controls beyond the level of strict compliance, is it going to be held to a higher standard? If the case goes in favor of the plaintiffs on this point, it sets the cause of Payment Security back five years - a “one-size fits all” compliance program once again takes precedence over risk-based information security management.


Visa releases End to End Best Practices! Big Kudos!!

06 October, 2009 03:44 PM

Visa, always leading the charge for the card brands, has just released a new document on Data Field Encryption. Visa’s Best Practices document, known as Data Field Encryption Version 1.0, is intended to provide guidance for companies building end to end (or point to point) encryption solutions. This marks a watershed moment in our industry. Finally a major card brand is acknowledging the value of encryption. Here is a summary…

1) Limit cleartext availability of cardholder data and sensitive authentication data to the point of encryption and the point of decryption.

2) Use robust key management solutions consistent with international and/or regional standards.

3) Use key-lengths and cryptographic algorithms consistent with international and/or regional standards.

4) Protect devices used to perform cryptographic operations against physical/logical compromises.

5) Use an alternative account or transaction identifier for business processes that require the primary account number to be utilized after authorization, such as processing of recurring payments, customer loyalty programs or fraud management.
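Best practice 5 (and the earlier post's point about removing card data from the merchant's environment altogether) is easiest to see in code. The following is an added example, not part of Visa's document or any vendor's product: a minimal token vault in Python in which the PAN exists in cleartext only inside the vault (practice 1), the merchant keeps a surrogate that carries no account value, and the surrogate is deliberately built so it can never pass for a live card number. The vault class, the HMAC-keyed dedupe index and the test card number are all constructed for illustration; a production vault would encrypt its stored PANs under keys held in a hardware device (practices 2 through 4), which is omitted here.

```python
import hashlib
import hmac
import secrets

# Constructed sample: a standard Luhn-valid test number, not a real account.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(number: str) -> bool:
    """Return True when the digit string passes the Luhn check used by PANs."""
    if not number.isdigit():
        return False
    digits = [int(c) for c in number]
    parity = len(digits) % 2          # doubling starts at the 2nd digit from the right
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits visible, the rest masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Hypothetical token vault: the only component that ever sees a cleartext PAN.

    Merchant systems store only the token and resolve it through the vault when
    a post-authorization process (recurring billing, loyalty, fraud review) needs
    the PAN.  Constructed for this example; not any vendor's design.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key   # key for the keyed-hash dedupe index
        self._by_token = {}           # token -> PAN (encrypted at rest in a real vault)
        self._by_fingerprint = {}     # HMAC(PAN) -> token, so one card maps to one token

    def _fingerprint(self, pan: str) -> str:
        # Keyed hash rather than a plain hash: without the key, the index cannot
        # be brute-forced over the small space of 16-digit numbers.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def _new_token(self, pan: str) -> str:
        """Random digits that keep only the last four, and never pass Luhn.

        Failing Luhn is a design choice: a token that is not a valid PAN cannot be
        mistaken for one, and cannot be replayed as a card number anywhere.
        """
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token) and token not in self._by_token:
                return token

    def tokenize(self, pan: str) -> str:
        """Exchange a PAN for a token; the same PAN always yields the same token."""
        if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        fp = self._fingerprint(pan)
        if fp in self._by_fingerprint:
            return self._by_fingerprint[fp]
        token = self._new_token(pan)
        self._by_token[token] = pan
        self._by_fingerprint[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Resolve a token back to its PAN (vault-side, authorized callers only)."""
        return self._by_token[token]


def recurring_payment_flow(vault: TokenVault, pan: str):
    """Merchant stores a token and a masked PAN; the cleartext PAN stays in the vault."""
    token = vault.tokenize(pan)
    merchant_record = {               # what the merchant database actually holds
        "customer_id": "constructed-cust-001",
        "payment_token": token,
        "display": mask_pan(pan),
    }
    # At billing time the processor-side component resolves the token.
    pan_for_processor = vault.detokenize(merchant_record["payment_token"])
    return merchant_record, pan_for_processor


if __name__ == "__main__":
    vault = TokenVault(index_key=secrets.token_bytes(32))
    record, resolved = recurring_payment_flow(vault, SAMPLE_PAN)
    print(record)                                   # token and masked PAN only
    print("resolved matches:", resolved == SAMPLE_PAN)
```

The merchant record in this flow contains nothing that is cardholder data under the PCI DSS definition, which is the "reduction of PCI DSS requirements" the posts above refer to: the scope collapses to the vault and the point of capture.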

Based upon what I read, it looks like the major players in the market all support Visa’s best practices.

BIG KUDOS to VISA for taking a big leap!!!


Looking for help. Starting a Charity…

03 October, 2009 02:45 AM

While this is not a PCI related question or security related topic, I am looking for some advice and/or help.

Heather and I had our first baby about 3 weeks ago. We were blown away with how expensive it is to have/feed/clothe and generally take care of a new baby. We do pretty well financially and can see how young families and single mothers struggle with the challenges of a new child. We want to establish a charity to help those less fortunate with the expenses and challenges of affording a new child, to ensure the baby has the necessities taken care of.

If anyone has any advice, wisdom, experience with a charity or has been down the road of establishing a not for profit charity, please let us know…

Thanks for entertaining a “non” PCI related inquiry ;))
