60 Minutes "Hi-Tech Heist", an analysis
Last evening, 60 Minutes ran a report on the TJX breach entitled "Hi-Tech Heist: How Hi-Tech Thieves Stole Millions of Customer Financial Records." If you haven’t yet had an opportunity to view it, the video can be found here. Go ahead and watch; I will wait for you to come back.
As is typically true with reports on the TJX breach, I both agree and disagree with several of the points. I will start with where I agree.
Firstly, it is high time that focus (beyond the industry) is paid to the retail location as a potential source of breach. I, for one, was not "surprised" by the demonstration of wardriving nor the fact that many retailers continue to use WEP as their network protection of choice. For those of you who follow my blog, my posts on PABP (i.e. PA-DSS) have hopefully underscored the focus that the PCI Security Council is placing on the issue of security in a commerce application at a physical location.
Secondly, I found the level of technical detail presented in the piece rather interesting. It is a good reminder that the audience most affected by issues of security is often not nearly as versed in the details as those of us who spend our lives in the world of commerce.
Above all, reporting stories such as this is critical to ensuring that the Software Companies and Service Providers who engage with the retailer are positioning their product suite properly.
That’s it for the good. . .now for my concerns.
"I’m not too sure how vested the credit companies are as far as securing customers’ data," Hogan says.
"And you’re saying that the credit card companies are the ones who are not security conscious?" Stahl asks.
"In my humble opinion, no," Hogan replies.
He accuses the card companies of using this issue as a way to make money. Visa, for example, has started fining large chains that do not have up-to-date security $25,000 a month.
"If you do the math on it, this could be a windfall of $200 million annually for the credit card companies as far as a revenue stream," Hogan says.
Dave Hogan, National Retail Federation
I have to admit that I heard this statement and was taken aback. I understand the purpose of the NRF which, as a trade association, exists to espouse and verbalize the concerns of the retailer. (Perhaps "lobby" is a more appropriate term?) With that said, the thought that the credit card companies are not interested in securing cardholder data is specious (definition: "deceptively attractive"). PCI-DSS and PA-DSS exist solely to address the concerns associated with the protection of cardholder data. . .that is their purpose. To quote Branden Williams, "the real problem comes in the lack of data cleaning and disposal by those collecting it."
In my opinion, the reputation most damaged by security breaches is not that of the retailer (it is, hopefully, a one-time event) or even the issuer (it isn’t "my" bank’s fault). However, repeated breaches reflect poorly on the card brand. As Evan Schuman discusses, the notion that the card companies would turn a blind eye to PCI violations solely for the purpose of monetizing retailer fines seems a far reach.
"Retailers need to adopt the next appropriate technology, and the next one, and the next one, and the one after that, because they want people to keep buying from them," Rasch says.
Mark Rasch, FTI Consulting
I have worked with big-box retailers. Frequently. While the onus of meeting security requirements falls squarely on the retailer, I think that there are few (and I could identify some) who are able to take on the task alone. This is why partnership is so extraordinarily important. The industry must approach commerce security in a collaborative fashion.
The retailer should rely on their Service Providers and Software Companies as trusted advisors on security issues. In fact, they should begin demanding PABP-compliant applications and begin remediation planning if their current application is not compliant.
In turn, the Software Companies must partner to ensure the services they consume are properly configured for heightened security. In addition, security must become an immediate focus in the SDLC that these companies employ.
Finally, the Service Provider should begin ensuring that all applications consuming their services are properly secured and are meeting appropriate requirements.
Frankly, this is not a simple task. . .but it is also not insurmountable. The model of "going it alone" is no longer sufficient. Partnerships across industry responsibilities must be forged to ensure that cardholder data is protected. (ASIDE: In fact, this is something that we see happening frequently at IP Commerce. Of course, we are in the unique position of being the technology enabler to all the participants listed above.)
It is not, and cannot be, a mentality of us vs. them. . .(however you choose to define "us" and "them" is up to you).
November 27, 2007