Much has been made recently of the fines assessed against acquirers for merchant breaches. Visa USA’s website lists their PCI compliance fining structures, while other card brands have chosen not to publicize such figures. Word of mouth in the industry has painted a dire picture befalling those entities that have failed to protect the Primary Account Number (PAN) or have not validated compliance by the published card brand deadlines. In fact, there are two major issues that most acquirers and merchants are not familiar with that pose an even greater risk. The two challenges are those of “residual risk” and “errant data storage”.
Errant data storage is the phenomenon in which organizations store data without necessarily being aware of it. This is more common than it might sound. It is not unusual to hear a breached entity declare that it did not know the data was being stored. There are a number of reasons this might occur. In some cases, interdepartmental communication may be lacking. The marketing department, for example, may decide to store sensitive customer data in order to analyze customer behavior. If it does not communicate this decision to the IT security group, it is likely that such data will not be adequately protected.
Another common scenario that results in errant data storage is the inappropriate storage of sensitive authentication data by applications. For example, most POS applications default to verbose logging to assist in troubleshooting or issue resolution. In this configuration, the application will store sensitive authentication data, such as full track 2 data, even after authorization. This situation is particularly dangerous because many merchants are unaware that they are storing such data.
Other instances of errant data storage can result from human error. With no malicious intent, individuals may inadvertently put their organizations at risk. An individual may turn on logging on a POS application in order to do some troubleshooting and simply forget to turn it off once the problem has been resolved. Additionally, analysts may conduct database queries that pull sensitive customer data out of the protected environment to carry out some analysis on the data. If that file is not then stored in an equally protected environment, that individual has just increased the risk to the organization.
To state the obvious, if an organization does not know it is storing the data, it cannot take steps to mitigate the risk to this data. This is especially true in the case of magnetic stripe data.
Mag stripe data is among the data classified by the card brands as “prohibited data”. Storage of this data post-authorization is strictly prohibited by all the card brands, and any company storing such data is considered non-compliant with the PCI DSS. Yet in many of the well-publicized breaches of the last year, mag stripe data has been compromised. Many companies have lost this data without being aware that they were storing it in the first place. These companies likely had this data as a result of errant storage, which in turn increases their residual risk.
Residual risk offers perhaps the biggest challenge to those organizations that store or process consumer data. It is often the case that organizations become focused on complying with the Payment Card Industry Data Security Standard (PCI DSS) and protecting the PAN against potential breach. While the focus on protection of the PAN has been a tremendous asset to the industry, it may have led some companies to believe that compliance with the PCI DSS alone can be equated with real security or risk management. It is an unfortunate fact that many companies do not realize that the PCI DSS is only focused on the protection of the PAN. Most companies have other data that needs protecting. It is this “residual risk” that companies must be aware of and address.
The exposure of prohibited data entails a much larger risk than does exposure of the PAN alone. This is due to how the card brands identify data breaches. The major card brands use a process called Common Point of Purchase. In short, the brands use sophisticated models to track fraud back to a single or common point of purchase.
Understanding how this process works, it follows that the best way to minimize the risk is to ensure that no data is present that would result in sufficient fraud to bring the compromised merchant to the attention of the card brands. Compromise of the PAN alone will not result in sufficient fraud to allow for detection of a common point of purchase. Such detection results when magnetic stripe or other sensitive authentication data is compromised. If a company suffers a data breach and loses only the Primary Account Number, the breach will likely go undetected unless the merchant reports the breach, as required by the PCI DSS.
On the other hand, if an entity is breached and loses sensitive authentication data, the card brands will likely identify the breach before the merchant or service provider does. That is because the compromise of sensitive authentication data leads to more fraud than does the compromise of the card number alone. It is not uncommon for the card brands to actually detect the data breach and notify the merchant based upon the common point of purchase analysis. If all of the cards experiencing fraudulent activity were used at the same place in a given period of time, it is evident that the common merchant was the point of compromise.
While the fines associated with non-compliance are often discussed, the penalties associated with the exposure of prohibited data have remained somewhat unclear. Companies need to be aware that the fines and fees associated with a breach of the PAN pale in comparison to those associated with a breach of magnetic stripe data. If an entity has been compromised and that breach includes prohibited data, the breached entity is automatically classified as an “egregious violator.” That means that the card brands will impose the maximum penalties for PCI non-compliance. This, however, is only the beginning of the fees for which the acquirer will be responsible.
The storage of prohibited data is considered a violation of the card brands’ operating rules and regulations. Violation of those rules opens an additional level of fines that are generally not discussed in conjunction with the PCI DSS. The acquirer responsible for the breached entity may also be held responsible for reissuance fees and fraud reimbursement fees. Visa, in fact, has a program called the Account Data Compromise Recovery Program (ADCR), and MasterCard has a similar program. These programs allow issuers to appeal to the card brands to recover their costs from the acquirer.
As stated, two of the most important, but often misunderstood and overlooked, components of compliance are the issues of errant data storage and residual risk. Although some have heard compliance described lately as “putting a check in the box”, these two issues drive home the importance of ongoing processes designed to mitigate their risks. With the best will in the world, compliance can be completely undermined if an application is unknowingly storing prohibited data, or an individual forgets to turn off a debugging utility. If that company is then compromised, it is not only considered non-compliant but egregiously non-compliant, and subject to all the fines and penalties associated with that status.
Fortunately, as we enter yet another new era of compliance and risk management, there are products that can assist companies in managing these twin troubles. There are now products that can help companies find where sensitive data resides within the enterprise network.
Using these tools, companies can develop policies and processes to help them truly mitigate the risk associated with the acceptance and facilitation of card payments. As with all tools, however, it is important to conduct due diligence to ensure that the tool will perform as advertised. For example, if the product works at the bit level, it is able to search the environment at greater depth, returning fewer false positives and (exponentially more important) fewer false negatives. Products that rely on “regular expressions” to find data can lead companies to believe they are not storing sensitive data, when in fact they are.
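As an added illustration of the verbose-logging problem above and of why a regex-only discovery pass produces false negatives (this code is not from the original article or any vendor product), the following Python scan runs over a constructed POS log excerpt and contrasts a naive pass with one that normalizes digit separators and recognizes track 2 records; the log lines, test card numbers and patterns are assumptions for the demo.

```python
import re
# Constructed sample of a verbose POS application log (not from any real system).
# Line 3 writes the PAN with spaces; line 4 holds a full track 2 record.
SAMPLE_LOG = """\
2024-01-01 10:00:01 INFO  txn=1001 amount=19.99 auth=OK
2024-01-01 10:00:02 DEBUG txn=1001 card=4111111111111111 exp=2512
2024-01-01 10:00:03 DEBUG txn=1002 card=5500 0000 0000 0004 exp=2512
2024-01-01 10:00:04 DEBUG txn=1003 raw=;4111111111111111=25121010000000000000? auth=OK
"""

PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")  # 13-19 digits not inside a longer run
# Track 2: start sentinel, PAN, '=' separator, YYMM expiry, service code, discretionary data, '?'
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})\d*\?")

def luhn_ok(digits: str) -> bool:
    """Mod-10 check that weeds out most non-PAN digit runs (IDs, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """First six and last four only, so the scan report itself stores no PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def naive_scan(text: str):
    """Regex-only pass over each line exactly as stored."""
    return [(n, "pan", mask(m.group(0)))
            for n, line in enumerate(text.splitlines(), 1)
            for m in PAN_RE.finditer(line) if luhn_ok(m.group(0))]

def deep_scan(text: str):
    """Flags track 2 records as prohibited data and strips separators between
    digit groups before matching, so formatted PANs are not missed."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        t2 = TRACK2_RE.search(line)
        if t2:
            findings.append((n, "track2", mask(t2.group(1))))
            continue
        norm = re.sub(r"(?<=\d)[ -](?=\d)", "", line)
        findings += [(n, "pan", mask(m.group(0)))
                     for m in PAN_RE.finditer(norm) if luhn_ok(m.group(0))]
    return findings
```

The naive pass misses the space-separated PAN on line 3 and cannot tell the track 2 record on line 4 from a bare card number; the report masks every finding so the discovery tool does not itself become another errant store.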
As in any situation, it is impossible to remove all risk, as it is frankly impossible to know all the risks that exist. Each company must decide for itself what defines an acceptable level of risk and then take steps to manage the risk to that level. However, one must attempt to gain as comprehensive an understanding of that risk as possible. Without understanding the effects of errant data storage and the potential for residual risk in the environment, companies cannot make informed decisions about their risk management. By understanding the potential for errant data storage, and by employing tools to assist in the discovery of data that can lead to tremendous residual risk, companies can make significant strides towards reducing their overall risk profile as it relates to data breaches and account data compromises.