Saturday, 01 July 2006

The headline reads: "Credit card security rules to get update."

I see that and I think to myself, "Hey, cool."

Then I read the story.

What it should have said: "Credit card security rules that make perfect sense and protect your identity are about to be flushed right down the toilet because companies say it's too hard."

Now, that's not so cool.

Why is that? Industry requirements put in place not long ago, which required companies to encrypt sensitive information, are going to be removed. Yes, you read that right: removing the already-established requirement to encrypt the data that is most sensitive and valuable. I'm not one who typically leans in the direction of government-mandated standards, but in the absence of private self-regulation and in this particular case...

From CNET's

While security stands to benefit from a broader, another proposed change to the security rules may hurt security of consumer data, critics said. The new version of PCI will offer merchants more alternatives to encryption as a way to secure consumer data.

"Today, the requirement is to make all information unreadable wherever it is stored," Maxwell said. But this encryption requirement is causing so much trouble for merchants that credit card companies are having trouble dealing with requests for alternative measures, he said.

In response, changes to PCI will let companies replace encryption with other types of security technology, such as additional firewalls and access controls, Maxwell said. "There will be more-acceptable compensating and mitigating controls," he said.

The Payment Card Industry (PCI) security standard was developed to improve the security of applications processing credit card transactions. In the best-practices world of layered security, we deploy security in multiple locations and in different parts of the lifecycle. We even get redundant, especially in areas that matter the most.

To think that more firewalls can protect data in a way that makes it unnecessary to encrypt is ridiculous. Encryption protects data from theft when other layers are compromised. It keeps data safe even from internal theft (and trust me, that's at least as common as external theft, often even more so). It means, if done correctly, that even if a server is stolen from a datacenter, the bad guys still cannot get at the information that's stored in a secured form on the machine. Keeping people out is important, but encryption is about the bad guys that already got in. So let's can the firewall arguments, although perimeter security is still a critical thing to deploy.
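To make the "stolen server" point concrete, here is an added example (not code from the post or from the CNET article) of what encrypting card data at rest actually buys you. It stores a card number only as AES-256-GCM ciphertext plus the last four digits for display, with the key supplied from outside the record store. The card number, the key bytes and the record layout are constructed for the example; PCI does not prescribe this particular scheme.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// StoredRecord is what actually sits on disk: no plaintext card number,
// only the ciphertext (which carries the GCM auth tag), the per-record
// nonce, and the last four digits kept for receipts and display.
type StoredRecord struct {
	Last4      string
	Nonce      []byte
	Ciphertext []byte
}

// SealPAN encrypts a card number under a 32-byte key (AES-256) with a
// fresh random nonce. The key is passed in by the caller because it must
// live somewhere other than the database host (HSM, KMS, or at minimum a
// separate machine); a key stored beside the data is stolen with the data.
func SealPAN(key []byte, pan string) (StoredRecord, error) {
	if len(pan) < 4 {
		return StoredRecord{}, errors.New("card number too short")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return StoredRecord{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return StoredRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return StoredRecord{}, err
	}
	last4 := pan[len(pan)-4:]
	// The displayed last4 is bound in as associated data, so a record
	// cannot be quietly re-labelled without the authentication failing.
	ct := gcm.Seal(nil, nonce, []byte(pan), []byte(last4))
	return StoredRecord{Last4: last4, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenPAN recovers the card number. Any wrong key, bit flip, or edited
// last4 is rejected outright rather than yielding garbage.
func OpenPAN(key []byte, rec StoredRecord) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.Last4))
	if err != nil {
		return "", errors.New("record rejected: wrong key or tampered record")
	}
	return string(pt), nil
}

// DiskView renders what someone who walked off with the disk image sees.
func DiskView(rec StoredRecord) string {
	return fmt.Sprintf("last4=%s nonce=%s ct=%s", rec.Last4,
		hex.EncodeToString(rec.Nonce), hex.EncodeToString(rec.Ciphertext))
}

// Leaks reports whether the stored bytes contain the card number in the
// clear, i.e. whether a copy of the record alone is enough to use it.
func Leaks(rec StoredRecord, pan string) bool {
	return bytes.Contains(rec.Ciphertext, []byte(pan)) ||
		bytes.Contains(rec.Nonce, []byte(pan))
}

func main() {
	key := make([]byte, 32) // constructed for the example; in practice from a KMS/HSM
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	pan := "4111111111111111" // well-known test number, not a real card
	rec, err := SealPAN(key, pan)
	if err != nil {
		panic(err)
	}
	fmt.Println("on disk:", DiskView(rec))
	fmt.Println("plaintext on disk:", Leaks(rec, pan))
	_, err = OpenPAN(make([]byte, 32), rec)
	fmt.Println("open with wrong key:", err)
}
```

The firewall and access-control "compensating controls" in the article only matter while they hold; once a disk image, backup tape or database dump leaves the building, the record above is all an attacker has, and without the key it is unusable. The flip side is the caveat a reviewer would raise first: if the key is stored on the same host, or an application with read access to both key and data is compromised, the encryption is a formality. Key separation and tight access to the decrypt path are what make the control real.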

Scanning software to make sure you cover the threats and reduce the chance of successful attack is a good thing, but having people analyze it with eyeballs is significantly better. Scanning software only finds the low-hanging fruit that is exposed on the outside layers, and only finds the things we already know about. It provides no mechanism for creative scrutiny and under-layer analysis. It doesn't account for finding the new threats and vulnerabilities. Those things take active brains and connected eyeballs. It's what I don't know how to detect that will kill me in this case. It's the holes I can't see today, but which will be all too obvious tomorrow. So let's drop the "build secure software" argument as an alternative to encryption, although it's still an important thing to do.

Ultimately, cutting out the data encryption requirements will make it easier for companies that do transactions - by trading off the security of sensitive, personal information. It comes at our expense. It's a bad idea. And you should do something about it.

It's not easy to do 99% of what makes up my job, and it's not always fun. Security is hard. It's not really supposed to be easy. But I do it because it's necessary and right. The identity of users is the proverbial gold and crown jewels of this real-life game. It's not about protecting institutional assets - it's all about protecting individual people's identities.

To be concise: Removing the encryption requirement is a fundamentally bad idea that will hurt real people in the real world. Especially in this day and age of identity theft and with the endless news stories covering data loss and theft where the data is vulnerable specifically because it's not encrypted, I'm rather shocked by the decision. It's another example of where doing what's right falls victim to doing what costs less and reduces complaints.

It's time to stand up for what's right for security. First of all, as a business you should not be storing any personal information that's not absolutely necessary and that I have not specifically told you I want you to store for me. Protection of the personal information you do store is your responsibility, but I own it. Encryption of my sensitive information in your systems should be a requirement, not a nice-to-have or a convenience-based suggestion.


IT Security | Safe Computing | Things that Suck
Saturday, 01 July 2006 16:05:10 (Pacific Standard Time, UTC-08:00)

Monday, 03 July 2006 09:21:25 (Pacific Standard Time, UTC-08:00)
I have a few comments about the last paragraph of your post:

"First of all, as a business you should not be storing any personal information that's not absolutely necessary and that I have not specifically told you I want you to store for me."

What world are you living in? These companies make a fortune selling all that information. You don't actually think a credit card company makes all their money from the sky-high interest, do you?

"The personal information you do store is your responsibility, but I own it."

The personal information they store is our responsibility, but they own it (at least according to the U.S. government).

"Encryption of my sensitive information in your systems should be a requirement, not a nice-to-have or a convenience-based suggestion."

This is true, but until legislation or a Supreme Court case actually gives us the ownership of our own personal information, and allows us to sue if the holder of that information does not take proper care of that information, then it is only a nice-to-have suggestion.
Mark Rosenberg
Monday, 03 July 2006 10:10:55 (Pacific Standard Time, UTC-08:00)
Mark, good points. And I will update the language of the last paragraph to clarify what I really meant. What I should have typed was something like "Protection of the personal information you do store is your responsibility, but I own it."

As far as what world I live in, let me point out that the data I am discussing here is not the same information they're selling. I am talking about social security numbers, account numbers, user identification and authentication credentials, etc. The most valuable and sensitive of the data.

And by the way, this is not about information being stored by the credit card companies. It's about information being stored by other businesses that do credit card transactions, and which, until now, were being held accountable for securing the data. I'm concerned about the pending removal of a standard that was a darned good idea when it was implemented.

On the end-user side, I also understand the need (requirement) for individual responsibility in whether or not the sensitive information is ever handed out in the first place. But in the real world people trust businesses to do a decent job of protecting information, and businesses want users to entrust them with that data. They have privacy policies and make statements about security, so I don't think it's an unreasonable expectation. There is a set of standards, I believe, based on which we can determine whether or not a company is doing its data security job well and whether or not a company's action or inaction rises to the level of negligence. I also believe that a reasonable expectation of accountability is healthy for everyone involved.

And as long as we're stating opinions, mine is that it doesn't take a government or a supreme court to tell me what's mine. I can file a suit today if someone mishandles my identity. I can sue if someone looks at me the wrong way, for that matter. Not that I'd win, but the point is I can.

But if I have to file a lawsuit, it's too late anyhow. The data is lost and the damage is already done. This needs to be about prevention, not cleaning up after the fact. The existing PCI standard protects data for real people and lets businesses conduct business. Removing the encryption requirement will only weaken the security posture and ensure that data thieves will be able to get what they want.
Tuesday, 04 July 2006 00:13:04 (Pacific Standard Time, UTC-08:00)
I'm not sure how much the above impacts the UK codes of practice, but to my mind there isn't enough encryption!

The internet is a wonderful thing that makes our lives easier. Similarly, our credit and debit cards also make our lives easier. These technological marvels that we've come to enjoy (and ultimately) rely on in our modern societies are the same marvels that are used against us by those with 'questionable morality'. Businesses, like us, want things easier, but by making it more convenient for them they also make it more convenient for those who would use these tools for their own, selfish ends.

I see part of the problem as transparency. I don't know who holds what information on me these days because of the buying and selling of personal information between companies. While it is easier for me to deal with my credit card company and ask them the question "what info do you hold about me?" it is much more difficult to track that information through other companies, affiliates, associates and customers. Don't I have a right to know who knows what about me?

That brings me back to encryption. I believe ANY personal information (sensitive or not, as defined in the posts and article above) held about you SHOULD be encrypted by any entity holding the information. Once transparency is added on top of that, responsibility for the data can start to be tracked, checked and enforced. Protection and privacy will affect ease of use and convenience, but this is an age-old argument that I'm sure both the British and the Americans are all too familiar with these days. Think on this: if a data thief can't READ stolen data, they can't USE it, can they?

I realise that this is a simplified point of view and I apologise for the lengthy post. I do have one question though - if the PCI is amended or dropped to stop companies having to encrypt stored data, how can we get those companies to re-think and re-encrypt?
Doug Lochery
Tuesday, 04 July 2006 09:56:36 (Pacific Standard Time, UTC-08:00)
The change you describe is like putting all your eggs in one basket, then failing to pad the basket.
You recommend taking action, but didn't give any specifics, so what I will do is include a note with each credit card payment, call each credit company and send them paper mail with my opinion. I will also contact my senators and representative and relevant state officials (bless you, Eliot Spitzer) and urge all readers here to do the same.
D. Penzel
Wednesday, 19 July 2006 12:01:00 (Pacific Standard Time, UTC-08:00)
The real problem appears to be that merchants are asking customers for identification in order to use a credit card. You can get 2 out of 3 pieces of information required for identity theft just by recording this information at a POS counter. Any store clerk can do it.

Credit card merchant rules require merchants to refrain from demanding additional identification before accepting a credit card transaction. Credit card companies can fine merchants $25.00 for each violation of merchant rules, but never do. They could also provide an Internet page to record violations of merchant rules, but they have removed those pages in the last 2 or 3 years. It is not in their vested interest to take action against merchants, and they have a natural reluctance to do so.

Visa and Mastercard are in the process of changing merchant rules to abrogate their responsibility for penalizing merchants that do not follow common-sense rules like this, causing you and me to be subject to identity theft.

The only way to fight back, short of congressional action, is to refuse to buy from merchants that do not follow Visa and Mastercard merchant rules. Here are some names of merchants who have demanded a driver's license in order to accept a credit card transaction:

Office Max
Disney Store
Oshman's Sporting Goods

Please avoid shopping there.
Hugh Miller, CISA, CDP, CIA