The everyday consumer assumes that when they make a purchase, either online or in the checkout line, their card data is handed off to a trusted source, with security in place to protect them. They don’t see the complicated ecosystem that exists to process that transaction, nor fully understand the security mechanisms that may or may not be in place. To them, a transaction is a swipe of card, a signing of receipts (or entry of a PIN) and the swift deduction of funds from their account. It’s clean, simple and efficient.
The rotating door of data breaches with large retailers is proof that security in the payment ecosystem is anything but simple. Not only do they understand the potential harm of a breach to their own business, but they invest heavily in security mechanisms to prevent breaches from happening. With an estimated 110 million customer records stolen in one breach alone, it’s clear that the security strategy retailers are following is ineffective.
The Gap Between Compliance and Security
Retailers are subject to a myriad of compliance requirements around how to handle customer data and process transactions. The most significant of these requirements is called the Payment Card Industry Data Security Standard. Published by the Payment Card Industry Security Standards Council (PCI SSC), the leading compliance body for merchants and processors, PCI DSS outlines a set of 12 requirements for security that covers the construction and maintenance of secure networks, the protection of cardholder data, implementation of a vulnerability management program, guidelines for stronger access controls, the monitoring and testing of networks and the establishment of an overarching information security policy. But PCI DSS fails to address some key areas of vulnerability in the payment ecosystem, and these areas have been exploited with disastrous consequences. With many retailers spending more than $8 million to ensure their payment ecosystem complies with PCI DSS, it should come as no surprise that they are hesitant to invest heavily in additional security solutions. Hopefully the continuous drumbeat of retail breaches, each costing millions of dollars and significantly harming relationships with customers, will serve as a wake-up call for retailers who view compliance with PCI DSS as “good enough.”
Securing Payment Data in the Event of a Breach
What all this illustrates is that we need not focus on breach prevention, but on a security strategy that places the security of data at the forefront. This approach to data protection is referred to as securing the breach. Securing the breach means protecting sensitive data wherever it exists and limiting access to this data even when it lives in an uncontrolled, untrusted environment. We believe that encryption is the only truly effective way to secure data when a breach has occurred.
A lot has been written about encryption as a solution to the attacks that we have seen against retailers like Target and Neiman Marcus. Usually when encryption is discussed, it is related to a specific point of vulnerability that was exploited in the attack. The reality is, a successful transaction relies on a complicated ecosystem with many potential points of vulnerability; the ecosystem is only as strong as its weakest link. This payment ecosystem also involves several parties including the merchant, acquirer, switch and bank or card issuers.
Securing Devices at the Retail Point of Interaction (Point of Sale)
Building secure payment networks simply focusing on the four parties previously mentioned is still not enough. When we look at the payment ecosystem from a security perspective, we actually need to extend the scope to include the manufactures of payment terminals at the point of sale and developers of payment application software. Payment terminals, or point of interaction (POI) devices, have been around for decades. Like many devices, they have evolved to come in many different forms, with wide ranges of features and new methods of communication. POI devices are more connected than ever before, and this makes them an even more appealing target for an attacker. For this reason, many POI device manufacturers have begun to use a method of encryption to issue unique identities to payment terminals. This method, called code signing, provides a way for the manufacturer or payment application provider to identify a terminal and secure push updates to the POI device in the field. Without code signing, an attacker could impersonate the manufacturer and deploy malware that could steal customer data right from the POI device.
The Target breach illustrated another area where additional encryption mechanisms related to the POI device are needed. You see, when credit card data is captured at a POI device it is traditionally sent in plain text, in the clear, to the point-of-sale system, meaning a hacker with the means to listen to the transmission would get all of the information on the card in an unencrypted state. For years, this vulnerability has been overlooked, as many Point-of-Sale (POS) systems provide encryption or tokenization after receiving the data. It can be overlooked no longer, as the ability and sophistication of hackers to skim and sniff POI-to-POS traffic is far beyond what was once thought possible.
A new breed of POI terminals is becoming available in the market. These terminals enable something called Point-to-Point Encryption (P2PE). P2PE encrypts card data from the earliest possible moment of its capture, and ensures that data remains in an encrypted state consistently until it arrives at the payment gateway. This approach, which was defined by the Payment Card Industry Security Standards Council (PCI SSC) is the cleanest approach to transaction protection introduced to date. In fact, many merchants are considering P2PE not only for its security, but also because it can effectively remove some of the merchant’s own security infrastructures from the scope of compliance with regulations such as PCI DSS.
These days just about every brick and mortar retailer has an eCommerce site. The growth of online shopping has made a retailer’s Web storefront integral to their success or failure. Securely capturing and processing consumer data via the Web poses different, but equally as challenging issues to what we see in the traditional retail environment.
In the case of eCommerce, the end retailer loses control of a large portion of the transaction interaction with the customer. Customers come to the Web storefront from different devices, operating systems and Web browsers, yet the retailers need a way to protect their customers’ data from the earliest possible moment. This is achieved by creating an encrypted tunnel, or session, between the consumer’s device and the retailer’s eCommerce system.
Retailers today depend on what’s called the secure socket layer (SSL) to provide this tunnel of encryption. SSL is a security protocol that enables two computers to establish a secure, encrypted communication session to allow private information to be transmitted across open networks such as the Internet.
Encryption: Only as Secure as the Security of Encryption Keys
We have discussed several different areas in which encryption can help to secure customer data, even when a retailer experiences a breach. It is important to note, however, that encryption solutions are not all created equal. Encryption relies on cryptographic keys to encrypt and decrypt data. The management of these keys and protection afforded to those keys is just as important as their use in various stages of the payment ecosystem. A sound key management strategy will include specific methods of limiting access to keys, defining how those keys are issued and distributed, and providing protections for the keys as they are stored. Without these considerations, keys could be copied, modified or even impersonated by a skilled hacker, who then may be able to access cardholder data.
Sign up for our free weekly e-newsletter for more GRC articles, job postings, GRC events, white papers & more…..click here
Paul Hampton is Payments Product Manager for SafeNet, overseeing the development and strategy of payment encryption products and solutions. Mr. Hampton has 12 years of experience in the information security business and has previously held positions at Rolls-Royce and Citigroup. He holds a BS in Computer Science and Business and the CISSP and CISM certifications.