BreachExchange mailing list archives

PCI Council looks to stem data breaches after bad year


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 18 Nov 2014 19:03:05 -0700

http://www.computerworld.com/article/2849032/pci-council-looks-to-stem-data-breaches-after-bad-year.html

A consortium that develops guidelines for protecting payment card data is
hoping that emerging security technologies will help prevent breaches that
made this year one of the worst ever on the security front.

"It's been a bad year," said Jeremy King, international director of the PCI
Security Standards Council, at its Asia-Pacific Community Meeting in Sydney
on Tuesday. "We hope to get better. Unfortunately, the criminals are
getting better."

As many as 2.3 billion records were compromised this year, a figure close
to the populations of India and China combined, King said.

One of the largest individual breaches was recorded by Home Depot, which
lost 56 million payment cards in an attack on its point-of-sale system,
launched after a third-party vendor's credentials to its network were
compromised.

The PCI Council, founded in 2006 and funded by the card brands, develops
security standards and guidance for payment networks and merchants. The
meeting in Sydney is intended to help those in the industry implement better
security practices to stop costly hacking attacks.

Many retailers are finding that even if they follow the PCI Data Security
Standard (PCI DSS), their networks can still be vulnerable because of
configuration errors. The PCI Council's message to retailers is that
compliance with the standard, which the card brands require, means more than
passing an annual audit: the controls have to stay in place all year.

"The criminals are more focused than we are," King said. "They are much
more organized than we are. They are happy to fail 1,000 times if on the
1,001 they get in."

As of Jan. 1, 2015, organizations will have to be assessed against PCI DSS
3.0, the latest version of the standard. It has been available for about a
year, but during 2014 organizations could still opt to be assessed against
version 2.0.

Many of the improvements that merchants can make are process oriented, such
as changing vendor default passwords on remote-access systems and ensuring
that all stored card data is encrypted (data at rest).

The adoption in the U.S. of EMV (Europay, MasterCard and Visa) chip cards,
commonly called chip-and-PIN, should reduce card-present fraud with
counterfeit and lost or stolen cards, King said.

Europe has long issued EMV cards, whose microchip runs a cryptographic
exchange with the issuer, combined with a PIN, to authorize a transaction.
Criminals have not yet managed to clone the chip; they have focused instead
on producing counterfeit cards from the data held on the magnetic stripe.

Europe has correspondingly seen a sharp rise in card-not-present fraud, as
criminals thwarted by EMV looked to collect card details that can be used
in transactions not requiring a physical card, such as over the Internet,
he said.

One positive point of the last year's troubles is that data security now
has the attention of C-level executives, as stopping data breaches also
means job security for those executives, said Stephen W. Orfei, the
incoming general manager of the PCI Council.

Also, all of the breaches of the last year could have been prevented, Orfei
said. The industry is looking at ways to "devalue" payment card data, or
modify it so that it would be useless if it fell into the hands of
criminals, he said.

One of those technologies is point-to-point encryption (P2PE), which
encrypts card data inside the payment terminal the moment it is read,
before it reaches the point-of-sale application. Many of the recent data
breaches have been attributed to memory-scraping malware that collects card
data from a POS computer's RAM. Under P2PE that malware sees only
ciphertext, and the decryption key is held outside the merchant's
environment, so the captured data is unusable.

Point-to-point encryption isn't mandatory in PCI-DSS 3.0, but it is a
standalone recommendation, said Troy Leach, CTO of the PCI Council. "We
have looked at the future and what version 4.0 may bring, and that is a
likely possibility," he said.

Also in discussion is wider use of tokenization, Orfei said. Tokenization
replaces the real card number (the PAN) with a surrogate value, the token,
which the merchant's systems store and use in its place. If intercepted,
the token is of no use to criminals for authorizing further transactions,
unlike a full card number.
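The two "devaluing" techniques in the preceding paragraphs, P2PE and tokenization, are easier to judge when run against the threat the article names, a RAM scraper. The following is an added example, not code from the article or from the PCI Council: it builds a constructed Track 2 record (using the well-known Visa test number 4111111111111111, not a real card), runs a Luhn-filtered Track 2 regex over a simulated POS memory buffer with and without terminal-side encryption, and then tokenizes the PAN through a minimal vault. Assumptions: the cipher is an HMAC-SHA256 counter-mode keystream standing in for the AES a real P2PE reader would use (chosen so the block needs only the standard library; it carries no integrity tag), and the buffer layout, key and vault are invented for illustration.

```python
import hashlib
import hmac
import os
import re
import secrets

# Constructed sample input: what a magnetic-stripe reader hands to the POS
# application, in Track 2 layout (;PAN=YYMM<service code><discretionary>?).
# 4111111111111111 is the well-known Visa test number, not a real card.
SAMPLE_TRACK2 = b";4111111111111111=25121011000012345678?"

# What a memory scraper looks for: 13-19 digit PAN, '=', expiry, service code.
TRACK2_RE = re.compile(rb";?\d{13,19}=\d{4}\d{3}\d*\??")

POS_PREFIX = b"POS 3.1 tx=00042 "   # invented surrounding process memory
POS_SUFFIX = b" approved"


def luhn_ok(pan: str) -> bool:
    """Luhn check that scrapers use to discard false positives."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scrape_memory(memory: bytes) -> list:
    """Simulated RAM scraper: every Luhn-valid PAN in a Track 2 record."""
    hits = []
    for m in TRACK2_RE.finditer(memory):
        pan = re.search(rb"\d{13,19}", m.group()).group().decode()
        if luhn_ok(pan):
            hits.append(pan)
    return hits


def prf_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream.

    Assumption: toy stand-in for the terminal's AES so the example runs with
    the standard library alone. Same call encrypts and decrypts.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"),
                           hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def pos_memory_without_p2pe(track2: bytes) -> bytes:
    """POS host memory when the reader hands over cleartext track data."""
    return POS_PREFIX + track2 + POS_SUFFIX


def pos_memory_with_p2pe(track2: bytes, terminal_key: bytes,
                         nonce: bytes = None) -> bytes:
    """POS host memory when a secure reader encrypts before the host sees it.

    The terminal key exists only in the reader and in the acquirer's
    decryption environment; the POS application never holds it.
    """
    nonce = nonce or os.urandom(12)
    return POS_PREFIX + nonce + prf_stream(terminal_key, nonce, track2) + POS_SUFFIX


def acquirer_decrypt(memory: bytes, terminal_key: bytes) -> bytes:
    """What the key holder (not the merchant) recovers from the same buffer."""
    body = memory[len(POS_PREFIX):-len(POS_SUFFIX)]
    nonce, ciphertext = body[:12], body[12:]
    return prf_stream(terminal_key, nonce, ciphertext)


class TokenVault:
    """Minimal tokenization service: PAN in, surrogate out, mapping kept here.

    Tokens keep the last four digits (useful on receipts) but are chosen to
    fail the Luhn check, so a leaked token cannot pass as a PAN.
    """

    def __init__(self):
        self._by_pan = {}
        self._by_token = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._by_pan:            # same PAN, same token: analytics keep working
            return self._by_pan[pan]
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(12)) + pan[-4:]
            if not luhn_ok(token) and token not in self._by_token:
                break
        self._by_pan[pan] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]
```

The scraper finds the PAN in the cleartext buffer and nothing in the P2PE buffer, while the acquirer, holding the terminal key, still recovers the full track. The caveat a practitioner should keep in mind: a token is worthless outside the system that issued it, but inside that system a stolen token plus stolen merchant credentials can still charge the same card, so the vault and the merchant's API keys need the same protection the PAN used to.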

"If you think about it, the technology is there now," Orfei said. "You can
actually devalue the data, and that is the end game."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
