Payment Processor Breach: a stream of consciousness rant
If you haven’t yet heard, take a minute to read the article entitled Payment Processor Breach may Be Largest Ever at the Washington Post.
In brief, Heartland Payment Systems has announced that they have experienced a breach that has potentially led to the acquisition of card data for more than 100 million card accounts.
That number is staggering.
The incident is reminiscent of, although not the same as, the 2005 breach that affected CardSystems Solutions. In that situation, the CardSystems database was breached and approximately 40 million card accounts were exposed (although reportedly substantially fewer were actually exported, somewhere around 265,000). The glaring difference between the two scenarios is that CardSystems was actually storing cardholder data, and that storage was what was compromised.
Storing cardholder data in that way is a clear breach of PCI guidelines. In fact, if I had to summarize PCI in one statement (and it is a poor summary) it would be “don’t store cardholder data.”
Based on the information released by Heartland today, it would appear that the cardholder data was actually captured in flight. This raises a new security wrinkle. There has been a fair bit of chatter regarding Heartland’s compliance.* The PCI guidelines, as I understand them, do not require the encryption of cardholder data when it is passing over a “secured” network. For example, TJX was out of compliance because the data was flowing unencrypted over a wireless network, and data flowing from a POS terminal to a processor over the internet must be encrypted. In this case, however, it would appear the data was captured while inside the Heartland network.
So…what is the lesson to be learned from this?
Firstly, this is a clear indication that the purpose of PCI compliance is widely misunderstood. PCI is NOT a goal. It is NOT a target. Compliance, and the demonstration thereof, should be an outcome of a risk management strategy. Anyone who stores, transmits, or processes cardholder data needs to treat security (i.e. risk management) holistically. I am not claiming that Heartland failed to do so; the information we have is too little at this point.
Secondly, there is a section of the article that I will quote in its entirety as it caused me a great deal of consternation.
"The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address," Baldwin said. As a result, he said, the prospect of thieves using the stolen data to rack up massive amounts of fraud at online merchants "is not impossible, but much less likely."
While I won’t go into a lengthy discussion of the technology used to “prevent” fraud by checking address information, suffice it to say that this is known as AVS (Address Verification System). The statement by Heartland is the sort of verbiage that I can describe, politely, as “targeted at investors.” I don’t have access to research that indicates the percentage of eCommerce merchants using AVS, but I do know that many turn it off due to the incremental cost and the perception that it is error prone and will throw false negatives. To a small eCommerce merchant, preventing cart abandonment is key (even if it comes at the expense of fraud).
In addition, I could go online and purchase a magstripe writer for under 300 dollars (from reputable sources; quite possibly less through other avenues). Not having an address in no way prevents the “bad guys” (to steal language from the article) from creating duplicate cards. Anecdotally, a friend who sat on a grand jury in my home state spoke of the majority of fraud cases being a combination of check fraud at grocery stores and burned cards.
Thirdly, follow this story. It can only get more interesting.
I would LOVE if anyone who reads the blog has any good research that can substantiate, or disprove, some of my postulations above.
What’s your perspective? Agree? Disagree? Anything to add? Critiques? The comment form is below...
*NOTE: Based on the most recent list of PCI-compliant service providers, as shown on the Visa website here, Heartland is noted as currently undergoing review with a validation date of April 30, 2008.
January 20, 2009