How many people ever saw the SNL skits featuring Doug & Wendy Whiner? If you never did, then the title won’t make much sense to you. Essentially, the Whiners are a couple that whine about nearly everything. Unfortunately, it’s remarkable how much reality was in those skits.
Having just come back from giving presentations about effective data protection, and about the fundamental premise of legitimacy or fairness that customers implicitly expect from any organization that stores their data, this CNET article scared me to death: “Credit card security rules to get update.”
The article discusses proposed changes to the security requirements for businesses that accept credit card information. Currently, the PCI standard (PDF), developed jointly by MasterCard and Visa, requires the following (from the Visa CISP information page):
- Install and maintain a firewall
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored data
- Encrypt transmission of cardholder data and sensitive information across public networks
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications
- Restrict access to data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security
To anyone who has ever built or implemented a security policy, the above should seem to be pretty standard stuff, and it’s pretty fair to the customer in attempting to protect access to their data. However, these quotes from the article indicate that some legacy systems can’t cope with the requirements, so they need to be “relaxed”:
“Today, the requirement is to make all information unreadable wherever it is stored,” Maxwell [director of e-Business and Emerging Technologies at MasterCard] said. But this encryption requirement is causing so much trouble for merchants that credit card companies are having trouble dealing with requests for alternative measures, he said.
The challenge with encryption is that older payment systems were not built to support the scrambling technology, said Qualys CEO Philippe Courtot. “Encryption is the ultimate measure of security, but the current applications have not been designed with encryption in mind,” Courtot said.
These systems and their delinquent owners are holding your, yes, that’s right, your credit card data unencrypted because of flaws in their own applications. That’s equivalent to the police saying that it was too hard to catch the guy breaking into your car, so you should just keep it in the garage instead, where it’s safe.
The Whiners who own the defective applications are whining to Visa and MasterCard–and they’re listening! This is incredible. To be fair to Qualys’ CEO, I’m going to assume that he’s stating that there were complaints rather than his own opinion here.
So, how are these delinquent systems going to keep your data (and your identity) safe from the bad guys? You’ll love this:
Changes to PCI will let companies replace encryption with other types of security technology, such as additional firewalls and access controls, Maxwell said. “There will be more-acceptable compensating and mitigating controls,” he said.
Right, so let me get this straight: no encryption; more firewalls. Because, as Marcus Ranum says, firewalls alone just don’t work, and, well, nobody reads any of these articles anyway:
- Black Market in Stolen Credit Card Data Thrives on Internet, The New York Times, 2005-06-21
- Consumers, retailers grapple with data theft, CNET, 2005-06-22
- Credit card leaks continue at furious pace, MSNBC, 2004-09-24
- Lax Security Cited in Massive Credit Card Data Theft, Netcraft, 2005-06-18
- Credit card companies can keep data ID theft secret, The Register, 2005-09-24
- Backup tapes a backdoor for identity thieves, SecurityFocus, 2005-04-28
- Backup-Tape Security: Enter the “Brown Bag”, Enterprise Systems, 2006-04-11
- Iron Mountain loses more backup tapes, TechWorld, 2006-05-02
Granted, this article from ZDNet, “Lose your backup tapes? It could be worse” makes two good points: a) it would take some pretty serious knowledge to get the data off the tapes, and b) the fact that the tapes are missing is going to be pretty obvious. However, what he also points out is that there are even easier ways to get at the data–all you need to do is get to the machine. Since the data isn’t going to need to be encrypted on the machine anymore, once you have access to the machine, you have access to the credit card data. It’s as simple as that.
The silly thing is that encryption isn’t rocket science, and it isn’t hard to design systems to take advantage of encryption techniques to store the information. In the absolute worst case scenario, you just have to pay your database vendor to solve the problem for you, and you don’t even need to change a single line of application source code: Oracle 10g Release 2, for example, ships Transparent Data Encryption, which encrypts selected columns on disk with no application changes. I don’t recommend this as the right way to solve the problem, because vendor-side encryption only protects the stored files and backups; anyone who can log in to the database still reads the cardholder data in the clear, which is exactly the “get to the machine” attack above. But it is an alternative if all else fails, and the latest versions of Oracle do have some pretty sophisticated mechanisms for compartmentalizing data in the database.
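To show how little “rocket science” is involved, here is an added example of the application-side design the paragraph above alludes to. It is not code from the original post or from any card brand or vendor; it is mine, and it makes two assumptions: the master key is fetched from somewhere other than the database host (an HSM, a key server, or at the very least a separate machine), and the cardholder table stores only the last four digits in the clear plus a nonce, ciphertext and integrity tag for the full number. To stay runnable with nothing but the Python standard library, the cipher is HMAC-SHA256 run in counter mode with an encrypt-then-MAC tag, a sound but non-standard stand-in for AES-GCM; in production you would swap in AES-GCM from a real crypto library and keep everything else the same. The test card number and the master key are constructed for the demonstration.

```python
# Added example (not from the original post): field-level encryption of a stored
# card number (PAN) using only the Python standard library.
#
# Design: the master key is assumed to come from OUTSIDE the database host (HSM or
# key server); a stolen database dump therefore holds only last4 + nonce + ciphertext
# + tag. The cipher is an HMAC-SHA256 PRF in counter mode (stand-in for AES-GCM)
# with a separate encrypt-then-MAC tag so that tampered records are refused.
import hashlib
import hmac
import os
import struct

BLOCK = hashlib.sha256().digest_size  # 32-byte keystream blocks

# Constructed demo key. In a real deployment this is fetched from an HSM/key
# server at start-up and never written to the database host's disk.
DEMO_MASTER_KEY = hashlib.sha256(b"constructed demo key - fetch the real one from a KMS").digest()


def derive_subkey(master_key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one master key via labelled HMAC."""
    return hmac.new(master_key, label, hashlib.sha256).digest()


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: block i = HMAC(enc_key, nonce || i), truncated to length."""
    blocks = []
    for counter in range((length + BLOCK - 1) // BLOCK):
        msg = nonce + struct.pack(">Q", counter)
        blocks.append(hmac.new(enc_key, msg, hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def encrypt_pan(master_key: bytes, pan: str) -> dict:
    """Build the record the cardholder table stores: last four digits in the clear
    for display and matching, the full PAN only as nonce + ciphertext + tag."""
    enc_key = derive_subkey(master_key, b"pan-encrypt")
    mac_key = derive_subkey(master_key, b"pan-mac")
    nonce = os.urandom(16)  # fresh per record; a nonce must never repeat under one key
    plaintext = pan.encode()
    ks = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    return {"last4": pan[-4:], "nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}


def record_is_authentic(master_key: bytes, record: dict) -> bool:
    """True only if the stored tag matches nonce + ciphertext under this key."""
    mac_key = derive_subkey(master_key, b"pan-mac")
    nonce, ciphertext = bytes.fromhex(record["nonce"]), bytes.fromhex(record["ct"])
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(expected, bytes.fromhex(record["tag"]))


def decrypt_pan(master_key: bytes, record: dict) -> str:
    """Recover the PAN; refuse records that were tampered with or encrypted under another key."""
    if not record_is_authentic(master_key, record):
        raise ValueError("cardholder record failed integrity check")
    enc_key = derive_subkey(master_key, b"pan-encrypt")
    nonce, ciphertext = bytes.fromhex(record["nonce"]), bytes.fromhex(record["ct"])
    ks = keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks)).decode()


if __name__ == "__main__":
    test_pan = "4111111111111111"  # constructed test number, not a real card
    stored = encrypt_pan(DEMO_MASTER_KEY, test_pan)
    print("what the database holds:", stored)
    print("what the application recovers with the key:", decrypt_pan(DEMO_MASTER_KEY, stored))
    # An attacker with the dump but not the key sees only last4 and random-looking hex.
    assert test_pan not in stored.values()
```

Two points worth noticing in the design: the `last4` column gives customer service and fraud matching what they need without ever decrypting, so the decrypt path is exercised only where the full number is genuinely required (settlement, refunds); and the tag check runs before any decryption, so a record that has been edited in place, or restored from a backup encrypted under a rotated-out key, is rejected rather than silently returning garbage.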
The good news is that it’s currently only a proposal, but the bad news is that, due to the Whiners of the world, the proposal is likely to be accepted by MasterCard and Visa. If MasterCard and Visa accept it, they’re really going to lose a lot of points with people, because it proves that they aren’t as serious about security as they should be, and that with enough pressure they’ll revisit security controls which some find “inconvenient” or “difficult to implement”. Given that the number of people in IT, and especially in management, who actually understand security is quite low, this is a slippery slope to start down.