Article exposes flaws in PCI-DSS

Payment Card Industry Swallows Its Own Tail

By Anthony M. Freed, Information-Security-Resources.com Financial Editor

PCI DSS, the self-regulatory set of guidelines that the payment card industry and retail merchants use to encourage financial information security, may well have entered its death throes Tuesday, as evidenced by revealing testimony during the House of Representatives’ Committee on Homeland Security hearings.

Why the dire prognosis?

Anyone who has been following the cascade of security failures plaguing the payment card industry in the last year, punctuated by the still-shrouded breaches at RBS WorldPay (RBS) and Heartland Payment Systems (HPY), has to acknowledge that there are major problems with security that need to be addressed pronto.

But the greatest threat to the survival of PCI DSS (Payment Card Industry Data Security Standard) may not be the ever-evolving tactics of the criminal hackers intent on a “big score,” but instead the dysfunctional nature of the relationships between the very parties the standards are meant to serve.

The squabbling and finger pointing displayed during the first quarter of 2009 within the industry itself has resulted in nothing less than a public relations nightmare in my opinion, as major card brands, processors, and merchants each seek to deflect responsibility onto the others.

Someone on the sidelines, intently watching the game, would have to wonder what the heck these people are thinking.

First, RBS WorldPay and Heartland maintain that because they had been PCI DSS compliant at some point before their systems were breached, they can essentially shrug off any culpability for the security lapses, offering only the caveat that they are doing the best they can with what they have.

Almost simultaneously, the PCI Security Standards Council was staunchly asserting that no company that suffers a breach can be considered PCI compliant – regardless of their being listed as in good standing with the council at the time of the breach.  From Securosis.com:

Businesses that are compliant with PCI standards have never been breached, says Bob Russo, general manager of the PCI Security Standards Council, or at least he’s never seen such a case. Victims may have attained compliance certification at some point, he says, but none has been in compliance at the time of a breach, he says.

Visa (V) echoed this sentiment in an interview with BankInfoSecurity.com:

“We’ve never seen anyone who was breached that was PCI compliant,” Phillips says without specifically naming – or excluding – Heartland. “The breaches that we have seen have involved a key area of non-compliance.”

To add to the confusion, Visa issued statements that RBS WorldPay and Heartland had been belatedly removed from the PCI Compliant list, in what has been widely considered to be merely legal maneuvering to effectively shield themselves from culpability while blocking the only alibi the processors have.

“It’s all legal maneuvering by Visa,” says Gartner security analyst Avivah Litan in an interview with ComputerWorld.com. “This is PCI enforcement as usual: They’re making the rules up as they go.”

This was apparently seen as an opportunity by some Heartland competitors to move in on some of Heartland’s clients, with reports of merchants being warned by other processors that they may be violating PCI compliance by continuing to do business with Heartland, and prompting Heartland to respond with threats of lawsuits.

Then, during Tuesday’s Congressional hearings, representatives of the merchant community, long thought to bear the brunt of security protocol “cram-downs” by the issuing brands, threw their hat into the ring in what now amounts to an industry free-for-all.  From Forbes.com:

Michael Jones, the chief information officer at the retail company Michael’s, testified that the PCI rules were “expensive to implement, confusing to comply with and ultimately subjective both in their interpretation and their enforcement.”

Now bear in mind, all of these factions are supposed to be on the same team, and all are supposed to be working in unison to continue the evolution of ever more secure systems to thwart the increasingly resourceful criminal hackers.

Is it any wonder that the future of PCI DSS is in question?

And what could possibly be worse than an entire industry at each other’s throats in the midst of the biggest security problems they have faced to date?

Well, they could make enough of a brouhaha that they attract the attention of lawmakers, as they have succeeded in doing; lawmakers who have regularly demonstrated their intention of late to force industries of all stripes to cede to their “better judgment.”  Also from Forbes.com:

“I’m concerned that as long as the payment card industry is writing the standards, we’ll never see a more secure system,” (Rep. Bennie) Thompson said. “We in Congress must consider whether we can continue to rely on industry-created standards, particularly if they’re inadequate to address the ongoing threat.”

This means that the PCI Security Council, keepers of the PCI DSS flame, have their work cut out for them if they want to remain the chief regulating body for PCI security. Maybe they left these issues to simmer on the back burner for too long, and maybe someone will be looking for a scapegoat.

It’s all uphill now.

During a phone call in early March with Lib de Veyra, VP of emerging technologies at JCB International and recently named Chair of the PCI Security Council, I expressed my concern over the state of relations between the various elements that make up the payment card industry.

I likened the public displays of policy incongruity and the tendency for all interested parties to respond to news of security lapses by rushing to throw each other under the bus, to that of the image of a snake swallowing its own tail.

I expressed concern by offering my opinion that the biggest threat to PCI DSS does not come from the endless supply of criminal hackers the industry will certainly face in perpetuity, but instead comes from the fractured portrait of an industry in crisis, and its inability to effectively manage itself.

That was one long month ago, and the opportunity to avert the creation of a new regulatory body to oversee PCI may have already come and gone, which is most unfortunate for everyone concerned.

PCI DSS is not broken, but the collective will to make it an effective standard for security just might be.

Anthony is a researcher, analyst and freelance writer who worked as a consultant to senior members of product development, secondary, and capital markets from the largest financial institutions in the country during the height of the credit bubble. Anthony’s work is featured by leading Internet publishers including Reuters, The Chicago Sun-Times, Business Week’s Business Exchange, Seeking Alpha, and ML-Implode.

The author gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com.

Senate Legislation Would Federalize Cybersecurity

Rules for Private Networks Also Proposed

By Joby Warrick and Walter Pincus
Washington Post Staff Writers
Wednesday, April 1, 2009; A04


Key lawmakers are pushing to dramatically escalate U.S. defenses against cyberattacks, crafting proposals that would empower the government to set and enforce security standards for private industry for the first time.

The proposals, in Senate legislation that could be introduced as early as today, would broaden the focus of the government’s cybersecurity efforts to include not only military networks but also private systems that control essentials such as electricity and water distribution. At the same time, the bill would add regulatory teeth to ensure industry compliance with the rules, congressional officials familiar with the plan said yesterday.

Addressing what intelligence officials describe as a gaping vulnerability, the legislation also calls for the appointment of a White House cybersecurity “czar” with unprecedented authority to shut down computer networks, including private ones, if a cyberattack is underway, the officials said.

How industry groups will respond is unclear. Jim Dempsey, vice president for public policy at the Center for Democracy and Technology, which represents private companies and civil liberties advocates, said that mandatory standards have long been the “third rail of cybersecurity policy.” Dempsey said regulation could also stifle creativity by forcing companies to adopt a uniform approach.

The legislation, co-sponsored by Senate Commerce Committee Chairman John D. Rockefeller IV (D-W.Va.) and Sen. Olympia J. Snowe (R-Maine), was drafted with White House input. Although the White House indicated it supported some key concepts of the bill, there has been no official endorsement.

Many of the proposals were based on recommendations of a landmark study last year by the Center for Strategic and International Studies.

Currently, government responsibility for cybersecurity is split: The Pentagon and the National Security Agency safeguard military networks, while the Department of Homeland Security provides assistance to private networks. Previous cybersecurity initiatives have largely concentrated on reducing the vulnerability of government and military computers to hackers.

A 60-day federal review of the nation’s defenses against computer-based attacks is underway, and the administration has signaled its intention to incorporate private industry into those defenses in an unprecedented way.

“People say this is a military or intelligence concern, but it’s a lot more than that,” Rockefeller, a former intelligence committee chairman, said in an interview. “It suddenly gets into the realm of traffic lights and rail networks and water and electricity.”

U.S. intelligence officials have warned that a sustained attack on private computer networks could cause widespread social and economic havoc, possibly shutting down or compromising systems used by banks, utilities, transportation companies and others.

The Rockefeller-Snowe measure would create the Office of the National Cybersecurity Adviser, whose leader would report directly to the president and would coordinate defense efforts across government agencies. It would require the National Institute of Standards and Technology to establish “measurable and auditable cybersecurity standards” that would apply to private companies as well as the government. It also would require licensing and certification of cybersecurity professionals.

The proposal would also mandate an ongoing, quadrennial review of the nation’s cyberdefenses. “It’s not a problem that will ever be completely solved,” Rockefeller said. “You have to keep making higher walls.”

Last week, Director of National Intelligence Dennis C. Blair told reporters that one agency should oversee cybersecurity for government and for the private sector. He added that the NSA should be central to the effort.

“The taxpayers of this country have spent enormous sums developing a world-class capability at the National Security Agency on cyber,” he said.

Blair acknowledged there will be privacy concerns about centralizing cybersecurity, and he said the program should be designed in a way that gives Americans confidence that it is “not being used to gather private information.”

http://www.washingtonpost.com/wp-dyn/content/article/2009/03/31/AR2009033103684_pf.html

The Ancient Art of Cyber-Warfare Pt. 1


Over the weekend while listening to my Zune, an audio book of The Art of War started playing. It had been a while since I had actually listened to it, so I sat back, grabbed a soda and let it play. For those of you not familiar with this book, let me give a brief overview. Written sometime between 500 and 350 BCE, The Art of War was composed by the legendary Chinese general Sun Tzu. Written as a military strategy guide for his officers, The Art of War has flourished for twenty-five centuries. Listing the military leaders who are considered students of Sun Tzu would sound like a history lesson: Napoleon, Lord Cornwallis, Gen. Patton, Dwight Eisenhower, and Gen. Colin Powell. Recent readers include business professionals who incorporate the strategies into their “business conquests”.

Fighting for the King of Wu, Sun Tzu fought in a violent time when the provinces of what would become China were constantly at war with one another. Losing a battle could mean the end of your province. Therefore The Art of War conveys a win-at-all-costs attitude, which I don’t believe is useful for many aspects of business. In the realm of cyber-security, though, I believe we find an exception. We have a real threat of forces that want to defeat us in order to obtain, sabotage, or destroy our treasures. Unlike sales, where “you win one, you lose one” is a fact of life, in defending our company against cyber threats we must maintain a defend-at-all-costs attitude. We never know if the next incursion will be the blow that we or our company cannot bounce back from.

Throughout the next few posts we’ll examine the strategies of Sun Tzu and delve into how we can use them in designing our cyber strategies.

Lesson 1 – It’s not a matter of if, but when…

The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.

- Sun Tzu, “The Art of War”, 500 BCE

Growing up, my father used to say “There are two certainties in life, death and taxes”. I want to add a third: your network will be attacked. In this day and age your network is under attack constantly. The average network will be attacked hundreds if not thousands of times in a given day. Your network is your modern castle, and you are definitely under siege. Yet I still hear business owners and IT professionals say something like “We don’t have to worry about cyber security: A. we’re too small of a company; B. we don’t have any sensitive data; C. we’re located in the middle of nowhere; D. add your own lame excuse.”

First things first, most attacks are random. From the internet side of things, you are an IP address. It doesn’t matter if you are a stock firm in New York or a farm store in Nebraska; you connect to the same public network, where scans for vulnerabilities are consistently being performed. At Parameter our testing network drops a scan from the internet about once a minute. That’s nearly 1500 scans a day. Most attackers will hack first and, if successful, will then look for their spoils: financial data, employee information, or even a platform for future attacks on other systems. Either way, your system has been breached and your reputation has been tarnished.

The Art of War teaches us to understand that we will be attacked; therefore we must focus on successfully detecting, evading, and repelling any attack that comes our way. We must understand that no network is impenetrable. We must know our network’s weaknesses, and if we cannot mitigate those dangers we must ensure we can detect any attempt to exploit the vulnerabilities and respond quickly.

Identify your company’s “treasures” and ensure the proper defenses are in place. If you do not know your treasures, cannot detect attempted attacks, or don’t employ defense in depth, you have no choice but to admit defeat and assume your treasure has been stolen.