Posted by Andrew Jaquith on January 27, 2009
As just about anybody reading the security trades knows, last week Heartland Payment Systems reported that it had suffered a serious security breach. As I understand it from public reports, a malicious party planted a piece of designer malware on a key server, and was then able to "sniff" credit card numbers as they passed through. Estimates vary widely about the extent of the breach. Certainly, SB 1386 and other disclosure laws will ensure that something resembling the truth will emerge sooner or later.
Clearly, this particular incident is a serious one. Various observers have used this incident to take issue with Heartland, the PCI DSS, their auditors and more generally the process for certifying QSAs. That is all well and good, but the non-stop parade of toxic data spills makes me wonder whether we, as an industry, aren't missing a few fairly obvious points.
The first point is this: attackers are changing their targets. It is clear that payment processors, in general and Heartland in particular, was a huge and tempting target for the attackers. Why bother knocking over a lone merchant when you can go after the processing network that it, and thousands of other merchants, send all their cardholder details to? In this respect, the attack on Heartland Payment Systems (a back-end payment processor) is an improvement on the "normal" techniques for filching card data: compromising a merchant's website or 0wning a consumer's PC.
In my experience, back-end providers sometimes rely on the relative obscurity of their businesses to stay off of the front pages of the newspapers. But they no longer have that luxury. Remember the 2003 Ohio/First Energy power outage? It acquainted the general public with hitherto-obscure acronyms like SCADA and NERC. In the same way, 2009 will focus a laser-beam on payment processors, and on their central role in our credit-card driven economy. That means we'll be hearing more about what Paymentech, First Data, Alliance Data Systems et al are doing to keep cardholder data secure -- or not doing.
The second point relates to economic incentives. As I mentioned, the affected party in this case is a back-end service provider (Heartland) that most ordinary people have never heard of. Consumers don't have a choice in who their merchants use to process their payments, and they can't "vote with their wallets" to use another payment processor if they want to. Merchants, on the other hand, are motivated primarily by price. So they will select select the payment processor that costs them the least as long as they are "compliant." The incentive, clearly, is for payment processors to do the absolute minimum required to pass their PCI audits, and no more. These incentives are not aligned with the concerns of the parties with the most skin in the game: the merchants and card issuers who share responsibility for losses, and secondarily consumers affected by breaches.
This brings me to the third point: it's time to dust off an old technology. It's one that operates on the simple principle that attackers can't steal sensitive data that isn't there. Seasoned industry observers, especially the Better Living Through Cryptography crowd, will remember a stillborn payment card industry initiative called Secure Electronic Transactions. SET certainly had its problems, but the objective was noble: to prevent the need for merchants to retain cardholder data at all. It did this using double-blinded cryptography that allowed both parties (cardholder and merchant) to authenticate transactions without actually needing to transmit cardholder information.
With payment processing networks now under attack, it's time to dust off SET. How about "Son of SET?." But instead of trying to keep just merchants clean, the focus should be on removing the need for all intermediate parties to transmit, hold or process cardholder data. Ideally, only two parties should need to know the card number: the end-user and the card issuer ("the bank"). Everybody else is just a target waiting to be discovered.
Can we get there? Not anytime soon. But until we figure out how to remove toxic cardholder information from the transaction flow, headlines about hacks on merchants and payment processors will keep coming fast and furious -- PCI DSS or no PCI DSS.