Beyond the Heartland Incident: Is It Time to Re-Visit Old Security Models?

As just about anybody reading the security trades knows, last week Heartland Payment Systems reported that it had suffered a serious security breach. As I understand it from public reports, a malicious party planted a piece of designer malware on a key server, and was then able to "sniff" credit card numbers as they passed through. Estimates vary widely about the extent of the breach. Certainly, SB 1386 and other disclosure laws will ensure that something resembling the truth will emerge sooner or later.

Clearly, this particular incident is a serious one. Various observers have used this incident to take issue with Heartland, the PCI DSS, their auditors and more generally the process for certifying QSAs. That is all well and good, but the non-stop parade of toxic data spills makes me wonder whether we, as an industry, aren't missing a few fairly obvious points.

The first point is this: attackers are changing their targets. It is clear that payment processors in general, and Heartland in particular, are huge and tempting targets for attackers. Why bother knocking over a lone merchant when you can go after the processing network that it, and thousands of other merchants, send all their cardholder details to? In this respect, the attack on Heartland Payment Systems (a back-end payment processor) is an improvement on the "normal" techniques for filching card data: compromising a merchant's website or 0wning a consumer's PC.

In my experience, back-end providers sometimes rely on the relative obscurity of their businesses to stay off of the front pages of the newspapers. But they no longer have that luxury. Remember the 2003 Ohio/First Energy power outage? It acquainted the general public with hitherto-obscure acronyms like SCADA and NERC. In the same way, 2009 will focus a laser-beam on payment processors, and on their central role in our credit-card driven economy. That means we'll be hearing more about what Paymentech, First Data, Alliance Data Systems et al are doing to keep cardholder data secure -- or not doing.

The second point relates to economic incentives. As I mentioned, the affected party in this case is a back-end service provider (Heartland) that most ordinary people have never heard of. Consumers don't have a choice in which processor their merchants use to handle their payments, and they can't "vote with their wallets" to use another payment processor if they want to. Merchants, on the other hand, are motivated primarily by price. So they will select the payment processor that costs them the least, as long as it is "compliant." The incentive, clearly, is for payment processors to do the absolute minimum required to pass their PCI audits, and no more. These incentives are not aligned with the concerns of the parties with the most skin in the game: the merchants and card issuers who share responsibility for losses, and secondarily the consumers affected by breaches.

This brings me to the third point: it's time to dust off an old technology. It's one that operates on the simple principle that attackers can't steal sensitive data that isn't there. Seasoned industry observers, especially the Better Living Through Cryptography crowd, will remember a stillborn payment card industry initiative called Secure Electronic Transactions. SET certainly had its problems, but the objective was noble: to prevent the need for merchants to retain cardholder data at all. It did this using double-blinded cryptography that allowed both parties (cardholder and merchant) to authenticate transactions without actually needing to transmit cardholder information.

With payment processing networks now under attack, it's time to dust off SET. How about "Son of SET"? But instead of trying to keep just merchants clean, the focus should be on removing the need for all intermediate parties to transmit, hold or process cardholder data. Ideally, only two parties should need to know the card number: the end-user and the card issuer ("the bank"). Everybody else is just a target waiting to be discovered.
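The mechanism SET used to let the cardholder, merchant and issuer agree on a transaction without the merchant ever seeing the card number is the "dual signature": the cardholder signs a hash of (hash of payment instruction || hash of order instruction), and each intermediary receives only the cleartext it needs plus the digest of the part it must not see. The following Go program is an added illustration of that construction, not code from the original post or from the SET specification; the type and function names are my own, it uses ECDSA over P-256 in place of the RSA signatures SET specified, and the order and payment records are constructed sample values (the card number is a placeholder test PAN).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// DualSignature is what the cardholder's wallet emits. The merchant gets it
// together with the cleartext order; the issuer gets it together with the
// cleartext payment instruction. Neither side ever holds the other's record.
type DualSignature struct {
	OIDigest [32]byte // H(order instruction): sent to the issuer instead of the order
	PIDigest [32]byte // H(payment instruction): sent to the merchant instead of the card data
	Sig      []byte   // cardholder signature over H(H(PI) || H(OI))
}

func digest(b []byte) [32]byte { return sha256.Sum256(b) }

// dualMessage is the value the cardholder actually signs: a hash that binds
// the two half-views of the transaction together.
func dualMessage(piDigest, oiDigest [32]byte) []byte {
	joined := append(piDigest[:], oiDigest[:]...)
	h := digest(joined)
	return h[:]
}

// SignDual runs on the cardholder side, the only party holding both records.
func SignDual(priv *ecdsa.PrivateKey, pi, oi []byte) (DualSignature, error) {
	ds := DualSignature{OIDigest: digest(oi), PIDigest: digest(pi)}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, dualMessage(ds.PIDigest, ds.OIDigest))
	if err != nil {
		return DualSignature{}, err
	}
	ds.Sig = sig
	return ds, nil
}

// MerchantVerify: the merchant checks that the cleartext order it received is
// the one the cardholder signed. It needs only the digest of the card data.
func MerchantVerify(pub *ecdsa.PublicKey, oi []byte, ds DualSignature) bool {
	if digest(oi) != ds.OIDigest {
		return false
	}
	return ecdsa.VerifyASN1(pub, dualMessage(ds.PIDigest, ds.OIDigest), ds.Sig)
}

// IssuerVerify: the bank checks the cleartext payment instruction against the
// same signature, without learning what was bought.
func IssuerVerify(pub *ecdsa.PublicKey, pi []byte, ds DualSignature) bool {
	if digest(pi) != ds.PIDigest {
		return false
	}
	return ecdsa.VerifyASN1(pub, dualMessage(ds.PIDigest, ds.OIDigest), ds.Sig)
}

// Demo walks one purchase through the three parties with constructed sample
// data and also shows that a merchant who alters the order after signing
// (here: raising the amount) breaks the binding.
func Demo() (merchantOK, issuerOK, tamperedOK bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	// Constructed sample records; 4111... is a well-known test PAN, not a real card.
	pi := []byte(`{"pan":"4111111111111111","exp":"12/29","amount":"42.00"}`)
	oi := []byte(`{"merchant":"example-shop","sku":"BOOK-123","amount":"42.00"}`)
	ds, err := SignDual(priv, pi, oi)
	if err != nil {
		return
	}
	merchantOK = MerchantVerify(&priv.PublicKey, oi, ds)
	issuerOK = IssuerVerify(&priv.PublicKey, pi, ds)
	tampered := []byte(`{"merchant":"example-shop","sku":"BOOK-123","amount":"420.00"}`)
	tamperedOK = MerchantVerify(&priv.PublicKey, tampered, ds)
	return
}

func main() {
	m, i, t, err := Demo()
	fmt.Println("merchant:", m, "issuer:", i, "tampered order accepted:", t, "err:", err)
}
```

The point for the processor-breach scenario in the post is visible in the data flow: everything that transits the merchant and any intermediate processor is the order record, a digest and a signature, so a sniffer planted on that path collects no card numbers. Binding both digests under one signature is what stops a merchant or intermediary from pairing a legitimate card authorization with a different order.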

Can we get there? Not anytime soon. But until we figure out how to remove toxic cardholder information from the transaction flow, headlines about hacks on merchants and payment processors will keep coming fast and furious -- PCI DSS or no PCI DSS.


re: Beyond the Heartland Incident: Is It Time to Re-Visit Old S

The blackout occurred in 2003.

re: Beyond the Heartland Incident: Is It Time to Re-Visit Old S

Amen! Why indeed should sensitive personal information be passed as plaintext through any third party system, which does not need the plaintext? Ultra bad habits from the time when we saw no IT threats.

And don't undervalue the cost to the consumer. My time spent on correcting the results of a fraud against my account will never appear in a budget, but would I pay, if I knew I would never have to spend that time!

SET flopped to a large part because merchants saw no need for costly insurance against fake payments. The last ten years should have taught them that there is a pressing need.

re: Beyond the Heartland Incident: Is It Time to Re-Visit Old S

Matthew -- right you are. I'll correct the text.

Viiveke -- excellent point about the consumer bearing much of the cost. However, this is one of those costs that is borne by a party with little or no say in the matter (the consumer). In a sense, it's an "externality" in the same way that, for example, pollution is. Also, good point about SET. Ultimately the only thing that will motivate the payment card industry to resurrect SET (or create Son of SET) is if the costs become too high to maintain the status quo.