The Forrester Blog

Visa just announced the expansion of their No Signature program. Citing its "popularity", Visa notes that: "According to a Visa Inc. survey, 69 percent of participants surveyed cited either convenience or speed as the primary reason for using their credit or debit card."  Wow.

What this seems to signal is that Visa, and perhaps the other card brands, feel that they will make more money by eliminating barriers to the sale, such as the 2.2 seconds needed to sign your name, than it would lose in fraudulent transactions, considering this program is for transactions of US$25 or less. Also, it appears that people no longer know how to sign their names.

I have often heard (in low, barely audible whispers) that US consumers were too lazy to care about security, which is why the US will probably never have CHIP and PIN transactions for enhanced credit card authentication.  We Americans are too darn busy to push 4 numbers on a key pad (4.3 second).  This drives folks in the other parts of the world crazy as they are in love with CHIP and PIN and, mistakenly, think that this technology eliminates all transaction risk.  CHIP and PIN cards still have a mag stripe that can be scanned, and skimming is still a problem. It's a great authentication method, however, and would really help reduce some of the smaller, card-present CC frauds were we to adopt it.

Americans need more paranoia about credit card theft. We are much more likely to suffer some type of credit card fraud or be affected by a major credit card breach than a terrorist attack, but for some reason we are unwilling to punch in a few numbers to help protect ourselves.

The Attorney General of New York is investigating a large group of online retailers to see if they have been sharing your credit card data with third parties without your knowledge or permission. In a press release, the AG's Office details the scheme, including the fact that you may unknowingly be giving someone other than the retailer you are shopping with your credit card number:

"Information about joining the membership program and its ramifications, including the fact that the consumer is agreeing to transfer his or her credit or debit card account information, is buried in fine print and cluttered text."

My gut tells me that this violates the spirit, if not the letter, of the PCI Data Security Standard.  According to the PCI DSS:

"Additionally, merchants and service providers must manage and monitor the PCI DSS compliance of all associated third parties with access to cardholder data."

It is probably safe to assume that the business agreement around the data sharing identified by the New York AG's office did not include language surrounding PCI compliance.
An MSNBC story on the investigation puts it this way:

In my ongoing work with clients, I try as often as possible to stress the importance of flexibility in GRC programs. Internal processes and technology implementations must be able to accommodate the perpetually fluctuating aspects of business, compliance requirements, and risk factors. If GRC investments are made without consideration for likely requirements 1 to 2 years down the road, decision makers aren’t doing their job. And if vendors don’t offer that flexibility, they shouldn’t be on the shortlist.

News outlets over the past year have given us almost daily examples of change in the GRC landscape. The recent stories coming out of Davos have been no exception... giving us some truly fascinating debates on the necessity and detriment of regulations. As quoted in a Wall Street Journal article on Sunday, Deutsche Bank AG Chief Executive Josef Ackermann argued against heavy-handed regulation, saying, "We should stop the blame game and we should start looking forward... if you don't have a strong financial sector to support the this recovery... you're making a huge mistake and you will regret that later on," he said. French President Nicholas Sarkozy summed up the opposing argument in his keynote, explaining, "There is indecent behavior that will no longer be tolerated by public opinion in any country of the world... That those who create jobs and wealth may earn a lot of money is not shocking. But that those who contribute to destroying jobs and wealth also earn a lot of money is morally indefensible."

Several clients have recently been asking about "Virtual Network Segmentation" products that claim to segment networks to reduce PCI compliance. They may use ARP or VLANs to control access to various network segments.  These type of controls work at Layer 2 and the hacker community is well versed at using tools such as Ettercap or Cain & Abel to bypass those controls.  We've recently written about Network Segmentation for PCI as part of the PCI X-Ray series.
While rereading the PCI Wireless Guidance document, I came across this nugget that puts a nail in the coffin of using VLANs as a security control:"Relying on Virtual LAN (VLAN) based segmentation alone is not sufficient. For example, having the CDE on one VLAN and the WLAN on a separate VLAN does not adequately segment the WLAN and take it out of PCI DSS scope. VLANs were designed for managing large LANs efficiently. As such, a hacker can hop across VLANs using several known techniques if adequate access controls between VLANs are not in place. As a general rule, any protocol and traffic that is not necessary in the CDE, i.e., not used or needed for credit card transactions, should be blocked. This will result in reduced risk of attack and will create a CDE that has less traffic and is thus easier to monitor."