Making PCI Grade, Missing Big Picture

200905149uvos3dj-1-051509heart.jpg

Sometimes what you do know can hurt you.

Ask Heartland Payment Systems Inc., which disclosed a major security breach this year.

The Princeton, N.J., processor passed regular security audits before discovering the breach, and said that these inspections created a false sense that its systems were protected.

Heartland said that by focusing solely on meeting the Payment Card Industy data security standard, companies could fail to meet the more important goal of safeguarding payment card data.

"The audits that are used to determine compliance are very much overvalued, and we overvalued our audits," Robert O. Carr, Heartland's chairman and chief executive, said in an interview this week.

Carr said the audits never revealed the issues that led to the breach — nor did those assessments uncover other security lapses that could have left the company vulnerable to further attacks.

Heartland announced in January that hackers had managed to install a sniffer program in its systems that could observe card data. Carr said the hackers were able to find a vulnerability that the audits never spotted.

And after revealing the breach, Heartland found other security flaws that had also gone unnoticed in its audits. The processor began using Vontu, a Symantec Corp. application that scans a company's systems for improperly stored data. This assessment, which is not required under the PCI rules, found numerous pockets of sensitive information, Carr said, including card account details that employees had stored on their systems to help them do their jobs.

"That's been a real eye-opener," he said. "Anybody that has a data-loss prevention tool will be surprised in how many different places card numbers can wind up, especially in a corporate environment where you're doing a lot of servicing."

Though this data was not involved in the breach, Carr said that the improperly stored account numbers are the kind of vulnerability that a PCI audit would not find yet could be exploited by thieves.

Still, Carr also stressed that his complaints with the assessment process do not invalidate the positive effect the PCI standard has had in the industry. Providing guidelines, even if the guidelines have imperfections, is better than not having any security mandates. "PCI is important," he said. "It's needed by the industry."

Even Visa Inc., arguably one of the PCI standard's most outspoken champions, has acknowledged that the standard has limits. Visa emphasized that it is the responsibility of the companies that handle payment data to surpass those limits to keep their networks secure.

Eduardo Perez, Visa's head of global data security, said that "time and time again what we find is that breached entities often have deficiencies in the same areas," and Visa has highlighted those areas and made information available to merchants explaining how to address these shortcomings.

Organizations that repeatedly validate compliance can still have insecure networks, Perez acknowledged.

"There is a difference between validation and ongoing compliance," he said. "Something we're very focused on is making sure that industry players understand the difference, so they don't get undue comfort from having validated compliance at a point in time and not living up to the standard over time."

But Carr said the "point in time" mind-set does not go far enough to tackle the problems faced by companies that handle card data.

"I think it's a convenient, but inaccurate, statement to say that a company is certified to be compliant one day and suddenly does something wrong that they're not compliant the next day," he said. "I think the problem is deeper than that … one of the major learnings we've had — perhaps the most important learning we've had in all this — is that the value of the audit to be certified is almost counterproductive because it doesn't really catch any of the major issues."

He said Heartland passed six annual audits, none of which found "problems that had always existed in our system."

And it was those long-undetected problems that left Heartland open to a breach, Carr said. "It wasn't that we just suddenly didn't become vigilant someday."

Carr also questions some of the basic PCI compliance requirements. Specifically, he takes issue with rules three, six and 10, which tell companies they must protect the data within their systems and keep track of "all access" to their networks.

Carr said the PCI standard is worded in such a way that its enforcers can easily pin all responsibility for breaches on the victims.

Under these rules, Carr said, "anyone who is breached, by definition, is in violation of PCI compliance."

Perez disagreed. He said by e-mail that "it is technically possible that an entity could be PCI DSS compliant and still experience a compromise," and that many of the mandates within the standard are "designed to protect valuable consumer data and limit card fraud" in the event of an intrusion.

However, he noted that no breached company yet has been found to be in compliance when the compromise occurred. "All entities that have experienced a cardholder data breach to date have been found to be materially out of compliance with PCI DSS at the time of the breach."

Carr is not the only one to question some of the basic components of the PCI standards.

Dave Hogan, the chief information officer of the National Retail Federation, a trade group, said in testimony before a congressional committee in March that "the premise of PCI, that hundreds of thousands or even millions of merchants will systematically keep pace with the ever evolving sophistication of professional hackers, is unrealistic," according to a transcript of his remarks.

The federation instead advocates a fundamental change in how transactions are handled, such as allowing merchants to use authorization codes instead of account numbers to reference past transactions. This would eliminate the risk associated with storing account numbers for this purpose, as the authorization code would "be of no value to a potential thief," Hogan said.

Heartland passed an audit after disclosing the breach, but will remain on probation, possibly for several years. As part of this probation, its primary sponsoring financial institution, KeyCorp, must scrutinize the processor more closed than is typically required.

Heartland was restored last month to Visa's roster of validated service providers, a list available to merchants to show that their vendors are compliant.

Perez said this list is meant to show merchants which providers have met their requirements under the PCI standard, though merchants should do more than just consult the list when choosing a partner.

"We're trying to balance the ease of the information being available to stakeholders within the payment industry and at the same time still encouraging entities to do their own due diligence," he said. "At the end of the day, they're entering into contractual relationships directly with service providers … the list of compliant service providers certainly goes a long way to encouraging that these entities have validated against a minimum set of requirements at a point in time and once a year, and it certainly provides more comfort than they would have otherwise, but it's still not the only source of comfort that they should gain."

Carr said the breach challenged his company to improve its security beyond what most companies in its business do.

"We've had to be way better than probably most other processors out there in terms of our security, and we think we are very secure now and we've definitely added layers of security to prove it," he said.

Carr and Perez both talked up progress in promoting encryption within the payment system as a way to protect data beyond what is required by the PCI standard.

"Encryption certainly falls into that category of eliminating the data at any point throughout the payment chain," Perez said. "It would render the encrypted data useless" to a data thief. He would not say whether Visa would consider mandating encryption.

Avivah Litan, a vice president and research director at the Stamford, Conn., market research company Gartner Inc., said the Heartland breach "points out the flaws in relying on the PCI compliance process as a method of securing the payment system. It's not enough and it never will be enough."

PCI puts the burden on the merchants that handle card data, and that ignores the bigger issue, Litan said.

Protected card data is a shared responsibility, she said. "To solve this problem, we have to work together and accept mutual responsibility and not pin it all on the breached entity. You can't expect these companies to beat the criminals. The criminals are so much better than the good guys."

Instead, the payment system needs an overhaul to better allow for encryption and the use of dynamic data to authenticate card transactions, she said. "To solve the security problem, we need to do more than PCI."

For reprint and licensing requests for this article, click here.
Bank technology
MORE FROM AMERICAN BANKER