Network News

X My Profile
View More Activity

Hackers Test Limits of Credit Card Security Standards

The number, scale and sophistication of data breaches fueled by hackers last year is rekindling the debate over the efficacy of the credit card industry's security standards for safeguarding customer data.

All merchants that handle credit and debit card data are required to show that they have met the payment card industry data security standards (PCI DSS), a set of technical and operational requirements designed to safeguard cardholder information from theft or unauthorized access.

Yet, some of the most notable data breach incidents last year targeted companies that had recently been certified as compliant with those standards, raising the question of whether the standards go far enough, or if entities that experienced a breach are falling out of compliance with the practices that led to their certification.

In a recent hearing on PCI standards at a House Homeland Security Committee panel, experts from the retail sector charged that the entire PCI scheme is only a tool to shift risk off the banks and credit card companies' balance sheets.

"The premise behind PCI -- that millions of retail establishments will systematically keep pace with the ever-evolving sophistication of today's professional hacker -- is just not realistic," said David Hogan, senior vice president and chief information officer for the National Retail Federation.

Merchants and retailers who experience a breach and are later found to be out of compliance with the PCI standards face steep fines from the credit card companies, and may eventually be forced to pay banks the costs of reissuing compromised cards.

Michael Jones, chief information officer for Michaels Stores Inc., a craft store chain, maintains that the PCI mandates were developed from the perspective of the card companies, rather than those who are expected to follow them.

For example, major tenet of the PCI standards is that hackers cannot steal credit and debit card data if retailers simply choose not to store the data. But Jones said retailers are required to store the data to defend themselves from chargebacks, a dispute that can be initiated by a bank or by a bank's customer. If a retailer cannot produce a copy of the receipt in the face of a chargeback, that retailer is forced to pay the cost associated with that chargeback, Jones said.

"This could have been fairly easily solved using a unique approval ID for each transaction, thus eliminating the need for credit card number storage by the retailer," but the credit card companies have balked at that suggestion, Jones said.

Also, while retailers that do digitally store cardholder data are required to encrypt the information, the PCI standards do not require merchants to encrypt data as it travels over their internal, private networks. This became an issue last summer, when hackers broke into the internal network of Heartland Payment Systems, a major credit card processor in Princeton, N.J. In that attack, the thieves siphoned card data by installing software that watched for and recorded card data as it was sent unencrytped over the company's internal processing networks.

"The credit card companies' financial institutions do not accept encrypted transactions" over these private networks, Jones said. "We at Michaels have asked for three years for the ability to send encrypted information to the bank. To date, this has not happened."

But Bob Russo, general manager of PCI Security Standards Council, said the council has never found a breached entity that was later found to have been in full compliance with the PCI standards at the time of a breach.

"We also recognize that the dynamic nature of any organization can render a validated system noncompliant almost immediately after a satisfactory compliance report has been issued," Russo said.

Joseph Majka, head of fraud control and investigations at Visa, said while there have been a few cases recently in which a business previously validated for compliance with PCI was a victim of a breach, "in all cases our review concluded gaps in PCI DSS controls were major contributors to the breach."

A study released this week by Verizon Business, a company routinely asked to investigate major corporate data breaches, found that in three-quarters of the confirmed breaches it investigated last year the victims were not compliant with PCI DSS or had never been audited. Another 19 percent were found PCI compliant during their last assessment.

Verizon also found that a common reason among businesses that were not compliant with PCI standards was that they failed to monitor all of their network resources or regularly test security systems and processes.

Those two findings were echoed by Nicholas Percoco, vice president of SpiderLabs, the incident response department at Chicago-based security vendor Trustwave, a company that responded to roughly 150 data breaches last year. Percoco said that in many of those cases, the attackers gained access to data through portions of the company's network that were rarely used, much less monitored or maintained.

"In many cases we investigated, the first entry points were Web pages that had 'Copyright 2005' or 'Copyright 2006' written at the bottom," Percoco said. "We talked to several entities who said they knew the sites were old and were planning to decommission them. In some cases, though, the sites had just been merged into the company's property because of some corporate acquisition, and the people in charge didn't even know the sites existed."

In addition, many of the hacks Trustwave investigated last year dealt with breaches where the attackers were present on the victim's internal networks for weeks, even months at a time. With that kind of time, attackers often will be able to write their own custom hacking tools designed to siphon financial data from the victim's computers and network, tools that could easily evade data storage protections as mandated by the PCI standards.

Percoco said his company has seen breaches involving malicious software designed to attack companies that were encrypting data as it moved from point of sale terminals to the victim's internal computer network. In some cases, the thieves intercepted card data by hacking the USB-based card readers that plug in to point-of-sale terminals, he said.

Verizon's breach report, available here (PDF), describes another advanced technique used to steal card data, called "memory scraping," which involves dumping sensitive data that is stored in a computer's memory before or after it can be encrypted.

"Criminals have re-engineered their processes and developed new tools--such as memory-scraping malware--to steal this valuable commodity," the report reads. "This has led to the successful execution of complex attack strategies previously thought to be only theoretically possible. As a result, our 2008 caseload is reflective of these trends and includes more targeted, cutting edge, complex, and clever cybercrime attacks than seen in previous years."

Regardless of the methods used by the attackers, the most important protection businesses can have in place is the ability to detect breaches quickly after they happen, said Bryan Sartin, vice president of investigations at Verizon Business.

"If there is any one thing you can always learn from a company who's been through one of these big breaches, it's the importance of the ability to react to the underpinnings of a breach before it blows up and becomes a major problem," Sartin said.

By Brian Krebs  |  April 16, 2009; 4:17 PM ET
Categories:  Fraud , Latest Warnings  | Tags: data breaches, pci, trustwave, verizon  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: Glut of Stolen Banking Data Trims Profits for Thieves
Next: Creating a Public Nuisance with Insecure Web Sites

Comments

I've been involved in VPN technology for over a decade. That said, I believe retailers would do well to take a more endpoint-centric perspective on their information security. A network perspective tends to view the information assets as a blur. (But, don't neglect the network perspective entirely, much valuable insight is gained watching traffic.)

Lock-down each POS (point of sale machine), server, and/or desktop/laptop as much as practical. My company offers just the product to protect, control, and audit computers. There are other solutions, of course.

The other key: install an IPSec based VPN client (no shared secret keys, its 2009, PKI is child's play) with robust zero-split tunneling features. My company does this too. There are others.

I've opined on some similar points about plugging data leaks in the enterprise:

http://www.securitynowblog.com/security_applications/10_enterprise_data_leak_causes_remedies

Cheers,

Eirik

Posted by: eiverson1 | April 16, 2009 5:15 PM | Report abuse

As an independent security consultant who has helped many customers in PCI audits, I can say that PCI compliance is neither easy nor cheap, but the PCI DSS is one of the first attempts to make sure that IT organizations are following a minimal set of best practices. It follows that PCI compliance, by itself, is not going to guarantee your business’s safety. To do so, would require a greater focus on secure processes, for which the PCI DSS is an excellent starting point.

This is not to say that I agree with all the requirements of the PCI DSS. Some of the rules are just not effective. Anti-virus products have been highly ineffective in protecting systems from malware and other memory scraping attacks. I expect emerging technologies will like Runtime Control from Solidcore (http://solidcore.com/solutions/security/retail-pos.html) will become mainstream, as organizations try to improve their security.

Posted by: RAR2 | April 16, 2009 7:17 PM | Report abuse

Brian,

Don't forget, that the PCI Auditors, are people who have gone through a proprietary training program, that consists of a whopping two day long course, with an open book test.

I personally know PCI QSA's that don't understand networking at it's basic level, have never touched a compensating control, yet they were put forward by an ISV and QSA based company to obtain their QSA. These people are reviewing Scanning results, not understanding what the problems actually mean, and performing audits, simply by asking questions and checking checkboxes. They really don't know what they're looking at.

Lastly, I've posed the same question to 8 different QSA's and received 5 different responses. I can be reached at mr.dc0de@gmail.com

Posted by: dc0de | April 20, 2009 10:14 PM | Report abuse

I recently read a very thorough article on identifying secure online retailers/safe credit card use etc. Credit card security is a real issue that hits home with me. Here's the article though for those interested: http://www.justaskgemalto.com/en/focus/how-do-i-make-sure-web-site-safe-when-i-shop-online

Posted by: funkmasterflex57 | April 21, 2009 12:18 AM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company