Monday, June 02, 2008

So What? Does the Hannaford breach imply PCI is a waste?

This question has been on my mind for a few weeks, and I wanted to stir the pot a bit.

Hannaford was PCI compliant at the time of the breach, so what does this really mean?

Should a company spend millions up front, when it was documented that even though they were compliant, they had to spend millions more after the fact?

What does that say about the standard itself?

What fines are going to be handed out? Is proving PCI Compliance the 'Get out of Jail Free' card and so no fines will be doled out?

If I am a company, and have followed this one, why spend the money on getting PCI compliant when it appears that even if I am, the only downside is no fines? And if the fines are less than the remediation PLUS the compliance process, what's the value to me as a business of getting compliant, vs. taking out an insurance policy for $300/record at risk?

Thoughts?

pcistuff @ gmail.com


Tuesday, December 18, 2007

Is PCI a Scam?

I had to ask myself this question after two years working with clients to help solve their PCI issues and seeing only a handful of fines being handed out to the poster children of a breach. Here is why I pose the question...

If I am an issuer of cards, why is it good business to bite the hand that feeds me by levying fines against those organizations who provide me revenue? Is the revenue that gets generated more fraudulent than legitimate, so it is in my best interest to shut down the source of the fraud? If there was that much fraud because of the identity theft that is associated with fraud, isn't there anything else that the issuing card companies can do besides hand out fines? It just seems like it is adding insult to injury.

If I am a level 2, 3, or 4 merchant, and I look at what it will cost me to get compliant both in terms of technology and access to expertise to implement a solution, why wouldn't I roll the dice and wait to be shut down, especially if the cost of compliance puts me out of business? I will say for the record that the level 2, 3, and 4 merchants are the most at risk for a breach because of their restricted access to capital and expertise and their ability to pay for it, so they are in a no-win situation, are they not?

If I look at what the core of the issue is, it is the databases used to store data. So why not lock down, encrypt, and render virtually inaccessible the records in said databases and leave it at that? Why not simply say that IF you store data (not a great idea but I know organizations do it), be sure it is encrypted all the way down to the cell level. It won't matter if I can get access to the database and copy it since it will be rendered useless unless I have access to some serious computing power.

Can't the card companies incent Oracle, Microsoft, etc. to ship the encryption with their databases out of the box to make this happen?


Monday, October 29, 2007

Ouch!!! TJX Bank gets Whacked

This was what we've all been waiting for (ok, maybe it's just most of us) - how is the ecosystem of a breach affected by said breach?

In this case the Bank was hit with an $880,000 fine, $500,000 of which was the 'You knuckleheads' portion, and the other $380,000 went to the 'WTF are you serious, you can't be that stupid?' portion IMHO.

I wonder if anyone has contacted Bob West who was at Fifth Third and responsible for Security prior to the breach and then left to start Echelon One consulting. Scott Blake is another guy I know over there from Liberty Mutual Insurance and was formerly their CISO so hopefully this experience has given them something to research and help others with.

Stay tuned for more coverage...


By Ross Kerber, Globe Staff | October 29, 2007

Visa USA issued $880,000 in penalties against a bank that processed transactions for TJX Cos., after an investigation of a computer hacking incident at the retailer.

The figure is described in court filings that recently have painted a clearer picture of the consequences for TJX of Framingham after its data network was breached by an unknown intruder operating through last year.

TJX, the parent of such stores as TJ Maxx and Marshalls, faces claims from banks that reissued cards in the wake of the breach that it failed to maintain adequate computer security.

At the same time, TJX struck back in its own recent filing, denying the main allegations and faulting banks for failing to press for tougher card-security standards, mirroring complaints by other retailers.

"The compromise presents a substantial risk to Visa and its members," states a June 22 letter from Visa, marked "highly confidential." The letter, now an exhibit in the case, is signed by a vice president of Visa, the biggest payment card network, and written to Fifth Third Bank in Cincinnati, which is also being sued. Both the letter and the TJX response were made public late Friday on the electronic docket system for Federal District Court in Boston.

In another filing the same day, a Visa security official stated the incident amounted to "the largest data breach in the payment card industry," at least double the size of any in the past. Last week a filing put the number of affected accounts at more than 94 million, according to card networks, twice the figure of at least 45.7 million TJX had given in the past. Ninety-five percent of those numbers had expired by the time the breach was discovered late last year, TJX has said.

A Visa spokesman yesterday said he couldn't immediately comment. A spokesman for Fifth Third did not return messages yesterday afternoon.

TJX spokeswoman Sherry Lang said the fines are being appealed and noted TJX's own filing on Friday that denies wrongdoing. Among other things, it states that the plaintiffs themselves were at fault because as members of the Visa and MasterCard networks they failed to press them to implement security measures such as computer chips and personal identification numbers to reduce fraud. Any losses would be offset by credit card profits, the filing states. It also notes a judge has dismissed a negligence claim in the case.

Card companies have struggled to increase the focus on security standards among banks and merchants.

On Friday, Lang said the company now complies with the data security standards.

Visa can levy fines when merchants don't meet the rules, but they generally are imposed on the banks that process transactions. Fifth Third could potentially pass the fine onto TJX.

According to the Visa official's letter, the investigation found Fifth Third itself wasn't following certain security rules that the bank and its merchants must meet.

The fine was determined in two parts. First, Visa assessed what it called an "egregious fine" of $500,000, "due to the seriousness of this security incident and the impact on the Visa system."

In addition, Visa levied fines totaling $380,000, retroactive to October 2006, for what it called "TJX's failure to cease storing prohibited data" by Sept. 30, 2006. This apparently is a reference to stored customer credit card numbers that were later compromised in the intrusion.

Ross Kerber can be reached at kerber@globe.com.


Wednesday, August 08, 2007

Oracle's Database Vault

I had the chance to sit down with Oracle yesterday and discuss what their role in PCI compliance was and was pleasantly surprised when the topic of their Database Vault product came up.

The thrust of the offering is to encrypt and protect data at rest so that your DBAs don't know your financial results before the CFO does. It will take protection from the port of the app down to the column level, and this is pretty slick for a number of reasons:

1. It gives fine grained access control and auditability inside the database where all the juicy information is stored.

2. It will encrypt and fuzz the data so that you can only see subsets (i.e. last four of a social security number, etc.) of the data tied to a record (PAN).

3. It is a proactive, policy-based mechanism for where the sensitive data is, and it is governed by policy, so once policy is set, access to data is too.

The one question I asked that has serious ramifications (good ones) was: is the Database Vault product considered and validated as an application layer firewall for databases? No answer yet, but I'll keep the community updated.

pcistuff@gmail.com

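The "Is PCI a Scam?" post asks for PAN data to be encrypted down to the cell level so that a copied database is useless, and the Database Vault post describes masked views (last four only) and policy-gated access. The following is an added example of those two ideas written by the editor; it is not code from the original posts and not Oracle's product. It is standard-library Python only, so HMAC-SHA256 in counter mode plus an encrypt-then-MAC tag stands in for a real AEAD such as AES-GCM (use a vetted library for that in production). The role names, the `CardStore` table layout, and the test PAN `4111111111111111` are constructed for illustration.

```python
"""Cell-level PAN protection: authenticated per-cell encryption, a keyed blind
index for lookups, and masked-by-default views.  Added example, not code from
the original blog or from Oracle Database Vault.  HMAC-SHA256 in counter mode
stands in for AES-GCM so the block runs with the standard library alone."""
from __future__ import annotations

import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF keystream: HMAC-SHA256(enc_key, nonce || counter), 32 bytes per block."""
    blocks = [
        hmac.new(enc_key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        for ctr in range((length + 31) // 32)
    ]
    return b"".join(blocks)[:length]


def encrypt_cell(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one cell; the stored value is nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_cell(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; a modified cell raises."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("cell too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("cell authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def mask_pan(last4: str, pan_len: int) -> str:
    """Display form: only the last four digits survive, e.g. ************1111."""
    return "*" * (pan_len - 4) + last4


class CardStore:
    """A table whose PAN column is opaque to anyone who only holds the rows.

    Columns per row: pan_enc (authenticated ciphertext), pan_idx (keyed blind
    index so equality lookups need no decryption), last4 and pan_len (cleartext,
    enough to render the masked view).  Keys live in the application, not the
    database, which is what makes a copied table useless.  Role names are
    hypothetical; the point is that decryption is a policy decision in code,
    not a privilege a DBA inherits from SELECT on the table.
    """

    FULL_PAN_ROLES = {"fraud_analyst"}

    def __init__(self) -> None:
        self._enc_key = os.urandom(32)
        self._mac_key = os.urandom(32)
        self._idx_key = os.urandom(32)  # separate key: the index must not leak PANs
        self.rows: dict[int, dict] = {}

    def _blind_index(self, pan: str) -> str:
        return hmac.new(self._idx_key, pan.encode(), hashlib.sha256).hexdigest()

    def insert(self, pan: str) -> int:
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("not a PAN")
        row_id = len(self.rows) + 1
        self.rows[row_id] = {
            "pan_enc": encrypt_cell(self._enc_key, self._mac_key, pan.encode()),
            "pan_idx": self._blind_index(pan),
            "last4": pan[-4:],
            "pan_len": len(pan),
        }
        return row_id

    def find_by_pan(self, pan: str) -> list[int]:
        """Equality search over the blind index; nothing is decrypted."""
        idx = self._blind_index(pan)
        return [rid for rid, row in self.rows.items() if row["pan_idx"] == idx]

    def view(self, row_id: int, role: str) -> str:
        """Masked by default; the full PAN only for an explicitly allowed role."""
        row = self.rows[row_id]
        if role not in self.FULL_PAN_ROLES:
            return mask_pan(row["last4"], row["pan_len"])
        return decrypt_cell(self._enc_key, self._mac_key, row["pan_enc"]).decode()


if __name__ == "__main__":
    store = CardStore()
    rid = store.insert("4111111111111111")  # constructed test PAN
    print(store.view(rid, "dba"))            # masked
    print(store.view(rid, "fraud_analyst"))  # full PAN, policy-gated
```

Two design points worth noting: the blind index uses its own key, so an attacker with the table cannot precompute HMACs of candidate PANs, and the tag is checked before decryption, so a row edited in the stolen copy (or in place by a DBA) fails closed instead of yielding a subtly wrong PAN.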

Wednesday, June 13, 2007

New Frontiers...

It's been far too long since I have contributed something meaningful on my PCI blog and I felt compelled based on some work I am doing now, to finally post something with some interesting implications.

In the past 5 years, having spent a great deal of time in the identity management and compliance space the one thing that is repeatedly being talked about is the cost/benefit trade off of compliance. Historically the companies I've worked directly with are spending millions on relatively undefined compliance laws and are having a hard time figuring out how to pay for all of this imposed regulation designed to provide accuracy and transparency of financial information.

The PCI compliance specification is the first piece of compliance directive that was designed by those in the industry vs. lawyers and politicians, and it is because of this approach that I believe it makes more sense than some of the other stuff out there - HIPAA and SOX specifically. It also outlines the downside of not paying attention to the intent or implementation of controls and what they are designed to do. Way to go on clarity.

The one thing that I am starting to have discussions with companies about is how will PCI ultimately be enforced? Will it be auditors' responsibility to blow the whistle? Will it be based on the materiality of the gaps in their PCI program?

To this end I am working a lot of hours on designing PCI as a service. The biggest reason driving this is cost and where the costs hit a balance sheet. There is a fair amount of infrastructure cost tied to PCI if you're behind the times, and the operational controls and expertise on an ongoing basis are another thing to consider, since PCI is not an event but something that ultimately must be baked into an organization's operational DNA.

What organizations are trying to figure out is how to keep the capital infrastructure expenses low, and work with companies to provide not just auditing but ongoing compliance. Stay tuned for my thoughts on this in the next few weeks, as I am close on a way to do this.

Mark MacAuley

pcistuff@gmail.com
