Expert advice on data security defense and planning
When it comes to data security, ISOs and merchant level salespeople (MLSs) have little choice but to prepare for the worst and hope for the best - just like any other business that handles third-party personal information. But acquiring businesses have more at stake than most when it comes to compromised data. A payment business can be hurt not only by thefts from its own system but also by thefts from customers and third-party service providers.
Shirley Inscoe, a Senior Analyst with the Aite Group LLC, described the payments sphere's vulnerability this way: "If you think about the process, you have acquirers or ISOs who have contracts with each of their merchants and who have contracts with various processors, and all it takes is one weak link for a data breach to occur."
It is likely all ISOs and MLSs will need to take one or all of the following actions related to breached data at some point in their professional lives:
- Address customer concerns about a breach at a third-party processor
- Help an e-commerce customer recover from a hack
- Advise a retail business after its POS terminals have been altered by fraudsters
- Respond to a breach of an ISO's or MLS's own system
With this in mind, leading payment security experts were asked for advice on how payment businesses can both protect sensitive data and respond to breaches in payment networks.
Being prepared - plan ahead
The fact that breaches happen with regularity indicates the Payment Card Industry (PCI) Data Security Standard (DSS) and the Europay/MasterCard/Visa (EMV) standard are not foolproof. Thus, ISOs and MLSs need to know beforehand what to do should a breach occur.
Janet Langenderfer, who owns the payment consulting company Vision Partners & Associates LLC, said formulating a plan for how your company will address a breach is paramount for ISOs. "The ISO needs to educate their staff on how to react to a breach. It is not happening enough, truly, in my opinion." She said the education and training should include a checklist that includes up-to-date security policies and procedures to follow in the event of a break-in, including notification procedures.
Heather Mark, Senior Vice President, Market Strategy at payment security firm ProPay Inc., noted that even though it's difficult to consider the possible failure of prevention measures that have required significant resources and effort to implement, ISOs should have incident response procedures ready and rehearsed.
"Having a well-rehearsed incident response plan is vital to containing a breach, getting the system online fast, and notifying all stakeholders," Mark said. "There should be drills to practice the incident response plan and a chain of command set in place. There should be standard operating procedures for how to respond to a breach. The acquirer may want a crisis manager on staff or retainer."
Mark also offered advice on whom to call, and in what order. "Call law enforcement first; get them involved quickly," she said. "They may have information on how to contain the breach. The next call is to the acquirer. Remember, it is fairly uncommon for an ISO or merchant to recognize a breach first. Get as much information as possible on a suspected breach. Be receptive. Listen to information, and have a FAQ where customers can be directed for updates and answers.
"Call the PR firm quickly. It should understand already your business and customers and be ready to put a response plan in place quickly. An increase in reputational damage comes with a breach. Crisis management can mitigate damage."
Defending sensitive data - best practices
Experts interviewed for this article generally agreed that PCI DSS compliance is one important step but not an entire defense against data thieves. Paul Coppinger, co-founder and President of Apriva, said, "The first and best line of defense for preventing a breach is to reduce the attack profile that is available to the hacker. What this means in practice is often described as reducing PCI scope.
"After you have reduced the PCI scope as far as possible in a particular situation, then you work on securing what is left. This will involve using Payment Application (PA) DSS certified solutions, periodic monitoring and network scanning. The techniques used by hackers are changing all the time, so using a monitoring service is absolutely critical.
"One of the best techniques for reducing scope is tokenization, which is something that processors and some gateways are starting to offer as either a standard part of their solution or at a small premium. Tokenization will eliminate the need for merchants to store cardholder data in their systems, which is where the larger opportunity exists for hackers. Any software that is PA DSS certified will do all the right things necessary to ensure that transactions are handled in a secure manner."
According to Simon Gamble, President, North America for Mako Networks Ltd., a PCI certified network management service provider, payment professionals also need to keep something else in mind when working with merchant security. "You could have the most secure terminals on earth and if you are not looking at the network you are in trouble," he said.
Mako Chief Executive Officer Bill Farmer pointed to security issues involved with mobile payments. "In the PCI sphere it is ludicrous to put the company on a mobile reader," he said. "Having PINs going into a device when you have no control over the software on the phone or tablet, leaving card data on a phone - this lack of control could penalize merchants."
Gamble added, "A payment terminal shouldn't do anything other than process transactions. A phone or tablet is not a secure payment device right now though they may be secure in the future. EMV is good, but when any other device is on the network that device needs to be compliant."
Christopher Pogue, a PCI Qualified Security Assessor (QSA) who works as a Senior Security Consultant at Trustwave's SpiderLabs, said, "The bad guys aren't reinventing the wheel. We still commonly see weak passwords; lack of properly configured firewalls (which makes for a really expensive router); open remote access ports and utility ports; and vendor-supplied default passwords that are known by every hacker in the world."
Experts consulted by The Green Sheet also pointed out that security costs are low compared to the risks of an insecure system. "There's no excuse for a merchant not to be PCI compliant," Gamble said. "It's just a matter of where they are going to put it in the budget. A totally compliant network costs less per month than a meal at a good restaurant."
Pogue agreed. "Security does not cost thousands of dollars in investment," he said. "Simple things like good passwords regularly changed, limiting input to one remote access, knowing where the traffic is supposed to go - these are easy things to do that don't cost a lot. The fact that many are not doing so is mind boggling. I could make the changes in an hour and eat a sandwich while doing it. Often a breach that costs $150,000 in fines could have been prevented if they had spent $500 on a proper firewall."
Responding to a breach - notifications
Letting customers know a breach has been discovered is both a sensitive and critical component of breach response. Pogue advised informing customers of the following:
- The business was the victim of a crime.
- Law enforcement is investigating.
- The systems are being examined and repaired.
- Customers' personal information may be at risk.
- You will continue to update them as more information becomes available.
Pogue also advised breached ISOs and merchants to eliminate the fraudsters' means of infiltration. "Get a new IP," he said. "Change all the passwords. Don't presume the POS configuration packets in every system have been changed. Check each one. That's a big job but not impossible. It can be done."
Gary Glover, Director of Security Assessment at SecurityMetrics Inc., a provider of PCI compliant security solutions, urged acquirers to keep in mind how devastating a breach can be to a business. "The merchant is looking at their whole way of life potentially changing," he said. "I've seen restaurants that have been closed and 401(k)s that have been emptied to pay for the investigation and forensics following a breach.
"Don't leave the merchant alone. Tell them what's going on. Keep in touch with regular calls even if you don't have any news. Remember you are never going to have good news, but you can let them know you are involved and helping by staying in good contact."
Langenderfer said her first call after being notified of a breach would be to her lawyer. "My company is at stake, and I need to handle this situation with kid gloves," she said. "You want to be in control until you understand what it is that has happened. Once the situation goes to Visa or MasterCard, it is out of your control. If you are an ISO, call your processor and start notifying your merchants. You need to respond relatively quickly and you need to be really careful."
Langenderfer also said ISOs should be careful about information release; it has to be done but it needs to be controlled. "Sometimes you have to tell the customers about a breach sooner than you like because the clock is running, and you can't let the breach be secret for months," she said. "But in a perfect world you don't want to tell merchants until you solve the problem. These are the kind of hard decisions you need to make. This is why you want the lawyer, Visa and MasterCard, and your PR force helping."
Recovering from a breach - steps back to compliance
When breaches are discovered and card companies are notified, merchants or service providers have to prove they are in PCI compliance before they can be certified by the card companies for payment acceptance again. The professionals interviewed for this story agreed the road back to compliance is tough and that selecting the firms to help with that process should be done with care. "You don't want the same company that did the assessment for compliance to do your forensics after a breach," Mark said. "That is like having your accountant do your audit. It doesn't make much sense."
SecurityMetrics' Glover offered these technical suggestions for responding when a breach is reported:
- Unplug the server.
- Check the remote access; shut it off if you don't need it.
- Check the firewall to be certain it is properly installed and working.
- Bring in analogue-based transaction terminals for the interim, and hire an independent QSA.
- Inform the card companies of the breach, and follow Visa Inc. and MasterCard Worldwide procedures.
- Know the regulations of the state(s) where you do business; some states have notification requirements.
Glover also urged caution when reinstalling an old image of a database because it may contain unprotected credit card information. "If I was compromised, I'd want to contact a QSA even if I was told I didn't need it," he said. "I'd have the QSA test even if it is only 'forensics light.' How do I know I didn't fix something in the wrong way and allowed an entry point for a break-in?
"In the future, limit remote administration utilities to just one. Disable all others. If you have an on-demand service provider, have them call you to enable remote access and call back when they are done working on the system. Disable the remote administration when it is no longer being used."
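The recurring weaknesses named above by Pogue (default vendor passwords, open remote access ports, a firewall with no real policy) and the remediation steps from Glover (shut off remote access you don't need, keep a single remote-administration utility) can be turned into a repeatable audit over a device inventory. The following is an added example, not code from the article or from any of the firms quoted in it; the default-credential list, the port-to-tool mapping, the hostnames and the inventory records are all constructed for illustration.

```python
"""Hardening audit over a constructed POS/back-office inventory.

Flags the weaknesses the article's experts say they still see most often:
default vendor credentials, remote access enabled where it is not needed,
more than one remote-administration tool, remote-admin ports exposed to the
whole internet, and hosts with no firewall policy at all.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed placeholder defaults for the example; a real audit would use the
# vendor documentation for the equipment actually deployed.
DEFAULT_CREDENTIALS: Set[Tuple[str, str]] = {
    ("admin", "admin"), ("admin", "password"), ("pos", "pos123"),
}


def fingerprint(user: str, password: str) -> str:
    """Hash user:password so the inventory never stores cleartext secrets.
    This is only to keep the audit data clean, not a password store."""
    return hashlib.sha256(f"{user}:{password}".encode()).hexdigest()


DEFAULT_FINGERPRINTS = {fingerprint(u, p) for u, p in DEFAULT_CREDENTIALS}

# Hypothetical port-to-tool mapping used only to label findings.
REMOTE_ADMIN_PORTS: Dict[int, str] = {22: "SSH", 3389: "RDP", 5900: "VNC"}
ANY_SOURCE = "0.0.0.0/0"  # a rule from this source means "the whole internet"


@dataclass
class FirewallRule:
    port: int
    source_cidr: str
    action: str  # "allow" or "deny"


@dataclass
class Host:
    name: str
    admin_user: str
    admin_password_fingerprint: str
    remote_admin_tools: List[str]
    remote_access_needed: bool
    firewall: List[FirewallRule] = field(default_factory=list)


def audit_host(host: Host) -> List[str]:
    """Return a list of human-readable findings for one host (empty = clean)."""
    findings: List[str] = []
    if host.admin_password_fingerprint in DEFAULT_FINGERPRINTS:
        findings.append("default vendor credential still in use")
    if len(host.remote_admin_tools) > 1:
        findings.append(
            f"{len(host.remote_admin_tools)} remote-admin tools enabled; keep only one")
    if host.remote_admin_tools and not host.remote_access_needed:
        findings.append("remote access enabled but not needed; disable it")
    if not host.firewall:
        findings.append("no firewall rules configured (a firewall with no policy is a router)")
    for rule in host.firewall:
        if (rule.action == "allow" and rule.port in REMOTE_ADMIN_PORTS
                and rule.source_cidr == ANY_SOURCE):
            tool = REMOTE_ADMIN_PORTS[rule.port]
            findings.append(f"{tool} (port {rule.port}) allowed from the whole internet")
    return findings


def audit_inventory(hosts: List[Host]) -> Dict[str, List[str]]:
    """Audit every host and map host name -> findings."""
    return {h.name: audit_host(h) for h in hosts}


# Constructed sample inventory: one badly configured register, one that follows
# the advice (single tool, access restricted to one management subnet), and a
# back-office box with a default password and no firewall.
SAMPLE_HOSTS = [
    Host("pos-register-1", "admin", fingerprint("admin", "admin"),
         ["VNC", "RDP"], remote_access_needed=False,
         firewall=[FirewallRule(5900, ANY_SOURCE, "allow")]),
    Host("pos-register-2", "svc_pos", fingerprint("svc_pos", "Correct-Horse-47!"),
         ["SSH"], remote_access_needed=True,
         firewall=[FirewallRule(22, "203.0.113.0/24", "allow"),
                   FirewallRule(22, ANY_SOURCE, "deny")]),
    Host("back-office", "admin", fingerprint("admin", "password"),
         [], remote_access_needed=False),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_HOSTS).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for f in findings:
            print(f"  - {f}")
```

Run it as a script and it prints a per-host report; `pos-register-2` comes back clean because its single SSH tool is needed, allowed only from one management subnet and denied from everywhere else, which is the "limit remote administration to just one" posture Glover describes. The inventory itself would normally come from a configuration export rather than being typed in, and the check is a complement to, not a substitute for, the QSA review the article recommends.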
There was also general agreement among the experts interviewed that the first thing to understand about security is that there is no such thing. "There will always be an inherent security risk associated with acceptance of electronic payments," Coppinger said. "There are many things that can be done to reduce that risk, but the way the system works right now, that risk will never be zero."