The PCI effect -- for better or worse -- following fresh breach of MasterCard, VISA

The latest data security breach to strike MasterCard and VISA has security experts focusing anew on the good and bad of PCI DSS. On one hand, the standard offers a clear blueprint on how to handle such a breach. On the other hand, compliance is usually not the cure, as this latest incident demonstrates.

"While the scope and details of the attack are not yet known, it shows three years after the Heartland Payment Systems breach of 130 million credit card numbers that credit card data is still vulnerable," said Neil Roiter, research director at Corero Network Security. "The Payment Card Industry Data Security Standard (PCI DSS) is highly prescriptive in nature, but simply complying does not ensure credit card security. Companies that rely on PCI DSS to solely dictate their security measures will continue to remain vulnerable to attack."

As many as 10 million users of VISA and MasterCard may have had their card numbers compromised in what sources in the financial sector are calling a "massive" breach of a U.S.-based credit card processor.

The news was first reported this morning by Brian Krebs in his KrebsonSecurity blog.

Ted Julian, chief marketing officer of Co3 Systems, a data loss management firm, estimates the potential liability for a merchant with 1 million cards compromised could top $1.6 million from compliance fines alone.

Krebs said the two credit card firms issued non-public alerts last week to banks about specific cards that may have been compromised in a breach of the so-far unnamed processor between Jan. 21 and Feb. 25 of this year.

"Affected banks are now starting to analyze transaction data on the compromised cards, in hopes of finding a common point of purchase," Krebs wrote. "Sources at two different major financial institutions said the transactions that most of the cards they analyzed seem to have in common are that they were used in parking garages in and around the New York City area."

In an interview this morning, Krebs said the fraudulent card use "seemed to be tied to gang activity in New York City, but I haven't heard that from more than one source."

In the grand scheme of credit card breaches, this one does not come close to topping the list -- the Heartland Payment Systems breach in late 2008 involved more than 130 million credit and debit cards and about 175,000 merchants.

But it illustrates once again how vulnerable such systems are to attack.

Anup Ghosh, founder and CEO of Invincea, a developer of browser protection systems, says too much of the security industry is still stuck in the 1990s. "Those protections," he says, "are very easy to circumvent today. Most systems are about telling you what happened after the fact."

Ghosh says the card data was probably encrypted, in compliance with the Payment Card Industry Data Security Standard.

"But compliance as a way of regulating security is equal to complacency," he says, noting that the weak link today is not necessarily the technology, but "Layer 8," the human layer.

"If I target employees, which is how you target these days, it is not very hard in phishing campaigns, to get employees to open an email or click on a link, which then provides access to their desktop and the privileges that come with it," he says. And in that case, "Encryption is worthless."

Ghosh says the way to deal with modern attacks is to "stop depending on employees to make the right decisions.

"We say put the employee in a bubble -- a safe, virtual environment. Then, when they're clicking on those links, they don't give away keys to the kingdom. They just corrupt a virtual environment, which actually produces intelligence for you. What you get is pre-breach forensics."

Given the present reality, however, Julian says retailers affected by the recent breach have to move quickly to comply with PCI DSS, to "notify consumers and brands in a timely fashion. Forty-six states have laws on the books to notify consumers if credit card information was put in harm's way. So they're scrambling to find out if they were compromised, and then they have to adapt it to the state matrix."

In an assessment model he created, Julian's list of "minimum recommended actions" includes notifying one trade organization, five state attorneys general, and 900,000 consumers in nine states, telling the credit agency of 600,000 exposures in six states, notifying local media in two states, providing other general notification and notifying five special offices in three states.

Merchants can minimize or even eliminate those fines by complying with the laws, he says, but if they don't, "they can really add up. In the (2005) ChoicePoint breach, $15 million of their $41 million in costs were from fines. And with the changes in the law since then, the fines would be much more today."

For consumers, Krebs says it doesn't make sense to demand a new card, but simply to monitor their card activity online for any suspicious transactions.

"Consumers are not on the hook for fraud charges, provided they report unauthorized activity. Having to deal with a new card can be disruptive and time consuming," Krebs says.
