The technical requirements built into the standard for credit card data security are sound, but the oversight process is lacking, say critics.
When Heartland Payment Systems announced a major breach of its credit card database a few months ago, the company was reportedly compliant with the credit card industry’s Payment Card Industry Data Security Standard (PCI) designed to prevent such problems. It was the second major breach of a PCI-compliant company in two years, raising questions about whether the standard is set high enough to make card processors achieve a meaningful level of security.
It isn’t yet entirely clear what kind of malware was placed on the Heartland system. Reports say it was a sophisticated sniffing program placed onto a rarely used server. But many experts say that if Heartland had fully implemented PCI at the time of the breach, even sophisticated malware would likely have been caught before any major data loss occurred. The reason, they say, are some technical solutions required under PCI. One requirement includes ongoing log monitoring; another is the requirement for some form of configuration management software, which aims to detect anomalies in organizations’ networks.
PCI gives organizations an excellent set of guidelines to build a security framework, says John Kindervag, a Forrester senior analyst. The real problem, he and others agree, is PCI’s oversight process.
Organizations being audited can tell the qualified security assessors (QSAs) and the approved scanning vendors (ASVs) who test companies annually which servers to examine, says Kindervag.
Auditors also aren’t allowed to examine the same servers one year to the next, and they typically just see a small sample. Kindervag, a former independent QSA, knows of cases where an organization that may have hundreds of servers will direct the auditor to 10 machines that it knows are compliant.
Some large organizations might also have servers that the organization’s management doesn’t know about, Kindervag adds. A machine could be set up in an individual department but the organization might lack a central depository of Internet Protocol addresses associated with every server, he says. Another problem is that some organizations have tended to shop around for auditors who might easily give them a clean audit.
Still another issue concerns the conflict of interest between assessors doing the testing and also sometimes selling products. This conflict is perhaps the card industry’s single biggest compliance problem, according to Avivah Litan, Gartner senior analyst.
To help remedy all of the above, the PCI Security Standards Council, which oversees the standard, launched a new quality assurance program late last year. Aimed at making the process more objective and consistent, the program establishes new forms of communication and feedback between the council and assessors, merchants, and service providers. The council also said it was assigning more dedicated staff to review assessors’ licenses, which come up for renewal annually.
Separately, Heartland has announced that it would implement a system of internal end-to-end encryption. Such encryption, generally expensive and difficult to implement, would go beyond PCI’s current requirement that data is encrypted only when traveling between organizations.
The project would create a level of encryption that doesn’t exist at any other card data processor, says Jason Maloni, Heartland spokesperson.
Any form of internal encryption can be challenging to administer and expensive, says Kindervag, but the end-to-end variety can be “phenomenally difficult.” The major challenge is that data must be encrypted and then read by myriad kinds of applications and servers, he says.
Both Litan and Kindervag say they are uncertain whether end-to-end encryption could have prevented the Heartland breach. There are places the data needs to be decrypted, says Kindervag. “And these are attack points.”
Both analysts nonetheless recommend that organizations look into end-to-end encryption. The private sector, rather than any regulatory body, will likely take the lead in that area, they say.