cover story

THE NEED FOR CONSISTENCY AND COLLABORATION IN PAYMENTS SECURITY

by Heather Mark
    The payments industry has been divided for far too long. On one side of the divide are those who understand data and information security. On the other side are those whose experience has given them a deep understanding of the payments industry, its business needs and its objectives. In order to adequately protect the consumer data on which the payments industry thrives, there must be a melding of the two camps.
    Security has become a cornerstone of most companies in the industry. It has ceased to be a luxury and become a necessity, much as the telephone did in the early twentieth century and the Internet in the late twentieth century. A focus on security assuages the fears of partners, investors, consumers and legislators while providing protection against very real threats and mitigating the risk companies face when data is compromised. The PCI DSS, in concert with the increased legislative focus on consumer data security and privacy, has in essence created a de facto new profession: the Payment Security Professional.
    The latest, well-publicized data breach involving an east coast grocery store chain has brought to light numerous concerns around the protection of the data that is resident in payment systems. Several analysts have speculated about the inconsistency in interpretation of industry standards and of basic data security principles. Are the assessors using a risk-based approach to security, or are they using a checklist approach (i.e., do they have a firewall? Check.) that never asks whether the firewall's rules actually restrict traffic to and from the systems that store, process or transmit cardholder data? All of these are valid concerns, and they bring industry observers to a startling conclusion: the way to increase the overall security of the industry is to stop behaving as adversaries and begin acting as allies.
    As with any nascent profession, there are vast differences in experience and education to overcome. Individuals who have little experience in the payments industry yet understand information security are granted wide discretion with respect to determining compliance with company and regulatory governance. The result can be that good security decisions are made, but to the detriment of the business in general. Conversely, if decisions are left to those with vast industry experience but no knowledge of data security, there exists the danger that the security protections in place may not be commensurate with the risk. It is a reality of business that operational efficiency and information security will always be at odds. Without an understanding of how to achieve security while enabling the business, most companies will take the path of least resistance. Unfortunately, this often results in focusing on operational efficiency while 'rolling the dice' on security.
    Payment Security Professionals must marry the two knowledge domains to be able to make viable security decisions that uphold and enable the business objectives. This requires increased collaboration among those who are charged with the security function in the industry, whether they be consultants or risk managers.
    One of the primary challenges in securing consumer data in the payments industry is that of consistency. Consider the example of a project manager charged with overseeing a new merchant service offered by an ISO (independent sales organization). The project manager understands that security measures should be a consideration. For that reason, the PM involves both the internal IT security group and an outside third party for validation of the security strategy. The internal security group, having an understanding of industry norms and of security, has created a plan to ensure that security is considered but does not become a roadblock. The external consultant, on the other hand, suggests a number of measures that may increase the security of consumer data but render the new service non-viable: it cannot accomplish its objectives. The issue is that the two groups have varying definitions of security, though they are trying to achieve the same objective, i.e., securing customer data.
    The problem is the disparity of experience between the two groups. The internal group has a vast understanding of the industry, but perhaps not as deep an understanding of security. The consultant is focused on security to the practical exclusion of the business needs. The two groups become entrenched on opposite sides of an issue which becomes increasingly contentious. This problem can be compounded by the fact that it is not uncommon, in situations similar to the one described above, for the ISO to ask another external party to render a judgement on the suggested solution and get a different opinion. The circumstance here is not that either side is being unreasonable, but that the parties do not have a common base of experience from which to make these important judgements. It is suggested that the solution can be summed up in the following three words: "consistency through collaboration."
    At the end of the day, everyone has the same objectives with regard to protecting sensitive data. However, the trend has been for the various constituent parties within the payments industry to hold their knowledge or experience close to the vest, on the notion that sharing knowledge may somehow dilute expertise or surrender some other perceived advantage. There often appears to be an inherent distrust between parties. Consider a company with a marketing group that has had access to cardholder data for years. They may be concerned that letting their access be known will cause the company to restrict their access to data which they believe is needed for their job. At a minimum, they expect to have numerous hurdles to jump through to continue accessing such data. The result is that, unless the access is known or discovered, the marketing group quietly goes about its business, hoping to preserve 'plausible deniability' in the event it is discovered. Access that the security function does not know about is access that is not inventoried, not restricted to a need-to-know basis, not logged and not included in the scope of any assessment. Even people who are not security experts can see the risk in the described situation.
    The result of such a lack of collaboration is that everyone suffers to some degree: the industry is challenged to maintain data security, the consultants are seen as imposing security without understanding the industry, and the consumer is left with media reports of inadequate security, an uncaring industry and increasingly frequent data breaches. It is simply an untenable situation, although one that is fairly common in nascent industries. Another example of an industry that became heavily regulated in a short period of time is the food and drug industry. Upton Sinclair's publication of The Jungle compelled the US Government to enact the Pure Food and Drug Act of 1906. Suddenly, companies that had operated without any regulation found themselves answering to safety inspectors.
    The negative conception of the industry referenced previously is reinforced by stories such as the recently publicized data compromise involving a large grocery store chain. In reading the media reports of the event, one can imagine each of the parties involved vehemently placing blame on the others. One side claims it was the retailer's fault. Another side claims it was the consultant's fault, and finally, others claim that it was the fault of the industry at large. The "blame game" that frequently follows a publicized data compromise does little but reinforce the negative impression of payment security. In fact, each compromise can, and should, be used as a learning experience for everyone in the industry. What went wrong? How did the breach occur? How was it detected, and how long did it go undetected? At what point in the process, if any, was a potential vulnerability overlooked? What steps can be taken to mitigate the likelihood of a similar breach in the future?
    Breaches, thankfully, are not the only learning experiences available to Payment Security Professionals. Collaborating with others in the profession, sharing expertise and offering knowledge allows the profession to establish a baseline of understanding, both of security and of the industry. More importantly, a shared understanding of security practices and business objectives goes a long way toward establishing consistency in the interpretation of industry and government regulation.
    This is a pivotal point in the evolution of the Payment Security Professional. There is the beginning of a trend in which individuals who are charged with the protection of consumer data, be they internal risk or project managers or external consultants, are seeking to expand their knowledge. By sharing experiences and knowledge, the Payment Security profession can evolve beyond a game of "one-upmanship" to a consistent, collaborative approach to the betterment of data security in the industry.