Q&A: Chris Justice of Ingenico
by Steve Ragan - Jan 7 2010, 22:00
The Tech Herald (TTH): Now that the holiday season has concluded what are the threats that merchants and/or consumers need to be aware of?
Chris Justice (CJ): Retailers generate a significant amount of their revenues during the Holiday Season. Much of that revenue is generated through the consumer’s use of credit and debit cards. During the 4th quarter, merchants obtain a massive amount of cardholder data, which means that electronic intrusion by unauthorized persons (hackers) may increase during the 1st quarter as employees strive to take a breather from the Holiday workload.
Data-at-rest, where cardholder data is sitting still within log files and databases, is most vulnerable and the leading cause of security breaches. Yet, many of the most notorious breaches of recent date have come from attacks on data-in-flight, where nefarious software plucks data as it travels through the wire and sends that data to the hacker.
To secure the data in flight, retailers should focus on encrypting data at the outer edges of their network by installing systems that encrypt within the card reader. To protect data-at-rest, the retailer should consider a tokenization system that replaces useful data with a proxy element that contains no real value to anyone outside of the payments value chain.
TTH: On the topic of holidays, what were some of the concerns merchants faced recently? What can they do to address them in the future?
CJ: Retailers were primarily concerned with sales forecasts as economic conditions remained stagnant. Putting an all-out effort to lure new customers sometimes means that security concerns take a back seat to other initiatives. While the Holiday Shopping Season has a deadline - hackers don’t.
Since security tends to be more of an arms race, when one side loses focus on the race, the other side often wins. Small vulnerabilities in a retailer’s network or infrastructure can often be capitalized upon to create big opportunities for thieves who gain access to cardholder data.
TTH: What type of technology or policies should organizations have in place to address their security concerns?
CJ: Several technologies are important in helping to thwart the efforts of hackers: encryption at the point of swipe (see above), tokenization (see above), and data leakage tools that help to identify rogue data storage locations. Security is more than just a focus on technology. It requires a focus on people and processes as well.
Clearly, cardholder data must be tracked in its various forms throughout the infrastructure, it must be contained (segmented), policies must be created to limit access to sensitive data, and network policies require almost constant evaluation and monitoring. If security were a baseball game, retailers must hit the ball 100% of the time when it’s pitched in order to win the game. The hacker simply needs to hit the ball once in order to win. Thus, retailers must always be more vigilant of their infrastructure to ensure success.
TTH: Considering all you have said, name three things to keep in mind about security.
Hackers have got to live too (what can the rest of us do?)
Technology is advancing rapidly. Yet, too many retailers have failed to focus on security more than compliance, the process of simply checking the boxes. Therefore, as sophisticated retailers harden their systems, the hackers move to less sophisticated, less secure merchants in order to hack. Hackers have built a billion dollar industry from stealing data; they simply aren’t going to go away. They will continue to innovate and find the weakest link in the chain to exploit.
Being secure does not make you compliant (how to succeed in both areas)
The PCI standards, commonly called the Digital Dozen, contain more than 250 sub points. In order to become compliant with those standards, many retailers have resorted to checking the boxes. While checking the boxes may help, a retailer needs to consider the intent of the standard. Therefore, it’s not always necessary to check all of the boxes to create a more secure environment, which is the point of the standard - create a secure environment.
The best way to address PCI is to reduce its scope. Properly segment the network to reduce the number of systems and people who can access cardholder data. Use tokenization to eliminate the storage of data wherever possible. Use tokens and the identifier for back office systems that require cardholder data in order to operate. Tokens can be used as replacements for card primary account numbers (PAN) or simply used to generate proxies for cardholder data within each transaction.
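A minimal illustration of the PAN tokenization described in the interview, added here as example code (it is not Ingenico's product and not part of the Q&A): a vault swaps a PAN for a random token of the same length, keeps the last four digits for back-office use, and deliberately makes the token fail the Luhn check so it can never be mistaken for a live card number. The in-memory vault, the Visa test PAN and the Luhn rule are assumptions of this example, not details from the page.

```python
import re
import secrets


def luhn_ok(digits: str) -> bool:
    """Luhn check that real card PANs satisfy (and that tokens here must fail)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """In-memory stand-in for a tokenization vault (constructed for this example).

    Only the vault can map a token back to a PAN, so systems that hold tokens
    instead of PANs hold nothing of value to an attacker and drop out of scope.
    """

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        digits = re.sub(r"\D", "", pan)
        if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
            raise ValueError("not a well-formed PAN")
        if digits in self._pan_to_token:  # same PAN always yields the same token
            return self._pan_to_token[digits]
        while True:
            # Random body digits carry no information about the PAN; the last
            # four are preserved so receipts and support lookups still work.
            body = "".join(secrets.choice("0123456789") for _ in range(len(digits) - 4))
            token = body + digits[-4:]
            # Reject tokens that pass Luhn (they must never look like a live PAN)
            # and tokens that collide with one already issued.
            if not luhn_ok(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = digits
        self._pan_to_token[digits] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault, inside the cardholder data environment, performs this."""
        return self._token_to_pan[token]
```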