Nov 28 2011
Back when I was a Qualified Security Assessor (QSA), all of four months ago, I often explained credit card data as an infectious disease. Whatever your credit card data touches is pulled into scope, requiring the full set of Payment Card Industry (PCI) Data Security Standards (DSS) to be applied to those systems to the same degree that the systems processing the transactions are. That’s because the scope of PCI compliance is defined as “any system that stores, processes or transmits cardholder data and all systems connected to these systems“. In other words, the switch that stands between your firewall and your processing server is in scope for PCI as are all the systems attached to that switch, unless you take specific steps to control the traffic between the two systems. Thinking about the credit card data as an infectious agent makes sense, since the data infects everything it touches with the need for compliance and assessment, even though the system may have nothing at all to do with card processing and only made the error of being on the wrong network segment at the wrong time.
Lately though, I’ve begun thinking of credit card data as a cancer instead of simply a disease. Consider the fact that many security departments spend hundreds of man hours each and every year trying to segment their cardholder data environment from the rest of the network to limit the impact of the annual assessment. They modify firewall rules, implement VLAN’s, cut off access and chase down every data flow they can think of and find in order to find credit card data and prevent it from infecting systems and bringing them into scope. Yet every year the QSA comes in and finds data where it shouldn’t be and people with access to the data who have no business reason to have it. The credit card data continuously spreads and expands scope, and leaving even the littlest bit behind still offers the chance of the scope of the assessment and responsibility to the Data Security Standards.
Why does this continue to happen? As security professionals, we try hard to find out where the credit card data is at, but the reality is that all too often we don’t understand the thought processes that went into the business processes that created the data flows, and neither do all to many of the people who created the business processes. We might understand the process that takes a credit card from the customer’s browser to our web server and back to our database server, but the clearance and settlement processes are often an arcane process that we haven’t mastered and can’t figure out how to do securely with our acquiring banks. I mean, why is it that some processors still mandate that the settlement files be sent clear text over a leased line or the Internet? And getting them to change that can, very literally, take years to happen. Another process that we often forget and creates no end of headaches is the fraud control portion of the business; I’ve seen more than a few businesses that had no idea that their fraud prevention team had either full access to the cardholder database or had a portion of the feed that included credit card numbers sent to them daily or weekly. And since these teams weren’t considered during the original scoping, it often means a whole new section of the business that has to be considered and remediated, costing valuable time and money.
Another factor is how little it costs a department to ask for a stream from the database and how strongly they’ll defend it once they have the data. I’ve run into many departments in the past that had little or no immediate need for accessing credit card data, but wanted every bit of the information from the web server and point of sales devices, simply because it might one day be valuable to them. And even if the data is being used now, if there is some value for them to have it today, all to often that department isn’t the one that’s actually paying the cost of processing and storing the data; the IT or Security department received a mandate to make to make the data available and no additional funds were provided to secure the cardholder data in a manner compliant with the PCI DSS. Good luck getting them to pay for something they’ve had access to for years or give up this access, despite the fact it might cost the company millions and have almost no real return on investment.
So how do we excise the cancer that is credit card information from our enterprises? I know it’s a bit cliched to say it, but we still need to understand our businesses better. Yes, our managers are getting better at talking to their managers, but the fact is, when you get down to the actual data flows, managers are simply a set of filters that help the people who’re doing the actual work misunderstand each other better. It’s just as important to understand the overarching business flows as it is to understand the actual tables and fields that are being copied from one database to another. Digging into the nitty gritty of each data transformation and export to another department’s database is hard work, made harder by the fact it’s changing all the time. Managers need to set the policies and procedures that dictate who has access to data, including the where and why, but the line level security folks need to be able to track down the data flows and enforce the policies set up by the people higher in the chain of command.
Departments also need to understand that there is a cost, associated with cardholder data and need to be made to bear that cost directly. As long as they simply have to ask for the data and work the political process to get it without paying a fiscal cost, they well. Policies and procedures are easy to circumvent if a someone in Marketing or Sales puts their mind to it, but when that same person is given a price tag for the data, the need often disappears or becomes something much more manageable and doesn’t include the cancerous data like credit card numbers and expiration dates. This is a step that only management can take and in many organizations it’s incredibly difficult, since the concept of having to pay for data is foreign to most of the business. But as long as someone else is paying for it or the cost of data is indirect, people will continue to ask for it.
The real, long term cure to the credit card cancer is to change the rules of the game so that businesses never have access to the credit card information to begin with. Face it, as long as a single record remains on your enterprise, someone will find a way to get access to it and spread the contagion from system to system. The solution that’s available to businesses today are various forms of tokenization. First, on-site tokenization allows businesses to create a ‘toxic waste dump’ in their environment with strong controls around it and only people who have demonstrable business reason are allowed to detokenize the data. Since there is a more limited number of people who have access in this environment, training on how to treat the data with the caution and respect it deserves is much easier to deliver and enforce. Plus definitive consequences for treating the cancer causing data unsafely can be enforced when only a limited, educated group of people are allowed to have it.
Even better is to have the data tokenization is having someone else handle credit card authorization and settlement and never let credit card data touch your network in the first place. Most of the acquiring banks now have partnership with PIN pad manufacturers now with end-to-end encryption built in. The stores are encrypting the cardholder data as it’s swiped and the register and they either have no access to the credit card information or only have access through a separate backend system. Online merchants are making more and more use of outsourced payment systems, which also prevent cardholder data from entering enterprises and small businesses alike. Several of these solutions offer ways to tokenize cardholder data as well.
When it’s all said and done though, it’s the credit card processing system that has to change, not just how businesses treat credit card information. We need to modify and re-engineer how we take credit cards and remove the monetary motivation for the attack (and defense) on credit card data. If credit card information has no value for an attacker then attention will shift elsewhere and the security department will once again be able to concentrate on securing the entire enterprise rather than just a small portion that has a compliance measure behind it mandating minimum security standards. Of course, then we’ll have to worry about what we can use to get funding from management to secure the rest of the business.