PCI Compliance: Tradeoffs, Newton’s Laws, Data Breach Rules

November 1st, 2010

History and Background

I’ve been deeply involved in the creation and maintenance of the PCI standards and framework since their initial inception.  Not only did I perform one of the first CISP assessments, I also wrote the framework for what is now the PA-DSS and performed the first PABP assessment ever.

I’ve been more than an implementer.

For a few years I trained all Qualified Security Assessors (QSAs) globally, and trained thousands of merchants, processors, and acquirers globally.  This experience taught me more than I could ever have hoped for because it instilled in me a deep understanding of the complexities within what we commonly refer to as the payment card industry (PCI).

Payments are complex, organic, and sometimes legacy systems.  They are complicated enough in the US alone when you consider the various acceptance channels, separate networks for credit and debit, payment channels, issuers and acquirers, payment gateways, point-of-sale software, third-party processors, and millions of merchants that vary in size from 5 transactions per year to 500 million.

Now take that and multiply it by a few hundred, since each country has its own nuances.  These include everything from a single-acquirer model in Central and South America to the multi-acquirer models in Spain, Italy, and other European countries.  In S. Korea you use your banking information, not your payment card, for e-commerce transactions.  In Brazil many merchants have a different payment terminal for each type of payment card they accept.  It’s not nearly as simple as we would like to imagine.

Bottom line: the industry is complex, and anyone can find a loophole where a single standard does not apply to everything.  It is therefore important to move beyond the literal wording and see the intent behind the PCI standards.

Tradeoffs

No matter how smart you think you are, there is no simple solution.   It’s all a matter of tradeoffs, and my goal is to help you understand what some of those tradeoffs are.  Let’s look at a few examples:

  1. Scope Reduction
    • You can deploy a MagTek encrypted card reader that encrypts all card-present transactions inside a tamper-resistant security module (TRSM) hardware device, so the data is not decrypted until it reaches your payment processor.  This could remove your card-present transactions from the scope of PCI.
    • You can leverage Akamai Edge Tokenization to prevent payment card data from ever hitting your e-commerce environment.  This could remove your card-not-present transactions from the scope of PCI.
    • Perfect, right? It’s all about tradeoffs.  You remove the need for PCI compliance and simultaneously remove the ability to use that data for other business processes.  Securing data is always a matter of tradeoffs.  I call this Newton’s Second Law of Data Security. For every action there is an equal and opposite business reaction.
  2. Data Breach vs Fraud Costs
    • One of the things that boggles my mind is that cardholders end up blaming their card-issuing bank when they experience fraudulent activity on their payment card.  It wasn’t the bank that exposed your data in a data breach.  More likely it was a merchant on the other side of the payment landscape that was breached, and now it’s your bank that is absorbing the costs.  This is the digital equivalent of your neighbor’s house getting broken into and you paying for all the damage.  No matter how secure you make your house, they continue to leave their house insecure and you continue to pay for damages. WTF?
    • The PCI standards were meant for the merchant acquiring side of the payment landscape to encourage these merchants to secure their house and thus reduce the amount of fraud occurring in the system.
    • In the United States we have mandatory data breach laws, which means the compromised merchant is required to notify the cardholder that a breach has occurred.  While some merchants may choose to ignore this, others simply cannot notify.  E-commerce merchants may have your name, address, and phone number, but card-present merchants may only have your card number and no real way to notify you in the event of a data breach.  Individual state laws permit the merchant to make a local or national announcement, but who is to know if you will ever hear about it?  Now, one party does have your name and address — the Issuing Bank — but they cannot disclose information related to a data breach due to the non-disclosure agreements they have in place.  I’d like to see a world in which compromised merchants either notify me or permit the issuing bank to notify me on their behalf.  Which brings me to my next two laws:
      • Mike’s Data Breach Rule: “They who expose my data should be the one to notify me.”
      • Mike’s Data Breach Corollary: “If they who expose my data cannot notify me, they should permit another org to do so on their behalf.”
  3. Magnetic Stripe vs Chip and PIN
    • For decades people have been proposing complex technologies that could “solve” the fraud problem within the PCI industry — most of them including some form of one-time-use payment card number.  I roll my eyes and remind the reader to re-read the complexity section above.  Sure, we can issue everyone a one-time-use card number, but this necessitates that all transactions be online.  Suddenly we begin to see the problem with tradeoffs, wherein you cannot make purchases in airplanes, or even in retail stores that go offline.  It is the desire of the merchant community to maintain support for multiple payment methods and options, because nobody wants to be told they cannot accept a payment.
    • Still others cry mutiny at the banks that they claim are forcing a legacy technology on the merchant community called the “magnetic stripe.”  Again, not true.  Remember that the cost of upgrading all payment terminals in the US to support Chip and PIN is not a cost to be borne by the issuing banks who give you the card but by the acquiring banks and every small merchant in America.  Think this would be easy?  Consider for a moment that just the payment card system for a gas (petrol) station can cost upwards of $75,000 per pump!  That does not include the back-end software required to manage the pumps and transactions.  Now consider that every merchant of every type and complexity needs to upgrade their systems.  Oh, it will happen, but it’s not the banks forcing legacy card technologies; the reason we have not moved to Chip and PIN faster is due to resistance from the merchant community.
    • Read more details here: The Real Deal on Chip and PIN (EMV) in the US.

What Makes You So Special?

That said, even with all the complexity of the various payment types and globalized networks — the variance in how data breaches occur is getting smaller and smaller.  This past week I spoke with a globe-trotting PCI Forensic Investigator who told me that people always ask him, “so what fraud patterns do you see in your area of the world?” He replied, “the same ones you see in yours and others see in theirs!”

Yes, there are variances.  As you chase the attackers out of one vector they move on to another.  Block card-present, they move online.  Block online, they move upstream.  Block upstream, they move downstream.  At the end of the day, their tools are different but their target and intended goal is always the same.  So how do we defend against this ever-present threat?  Scope reduction, data surrogacy, and data deprecation are some options, but we almost always have some data left to protect, and thus need a baseline for securing that data.

One thing the Verizon PCI Report taught me is that organizations focused on compliance as the only goal tend to achieve that goal and then regress immediately thereafter.  In my opinion, organizations that take a continuously improving capability and maturity model towards information security tend to regress less.  Instead of seeing compliance as a goal these organizations see compliance as a byproduct of a solid security program.

I believe in PCI compliance and the need for it (see also: regulation-deregulation cycles), but as many others have echoed — compliance is only a minimum — it is a baseline that we should continue to strive beyond.  If you feel that point-in-time compliance is the only thing you need, let me know so I can stop providing you my data to expose.


The Real Deal on Chip and PIN (EMV) in the US

May 29th, 2010

As many of you know, EMV, more commonly referred to as Chip and PIN (Chip/PIN), has been a long-standing fixture in areas such as Europe and most of the Asia-Pacific region.  Europe made the transition between 2001 and 2006.  Canada has a mandate of October 2010 for implementation and the intra-region liability shift.  The US, it seems, is now entering the game with a few very small but significant moves.

So will this bring us all the safety and security we want?  What will this change mean for cardholders and retailers?  Those are more complicated questions, and the answer really varies from one region/country/bank to the next.  Here are a few things that Chip/PIN changes do mean.

Liability Shift

If you read the Visa OpRegs you’ll see three different listings for liability shift.  Merchants that accept Chip/PIN transactions are not always liable for fraudulent transactions, since the understanding is that they are asking for both a card and the PIN (something allegedly only the cardholder knows).

These shifts in liability can be domestic, intra-region, or bilateral shifts (according to Visa).  MasterCard says of domestic liability shifts, “A shift in liability to the non-EMV compliant party, fraud liability is borne by non-EMV compliant party for all regional transactions.”  Bilateral shifts existed previously between the various Visa regions: “Visa EU and CEMEA signed a bi-lateral agreement in order for the liability shift rule to apply for international transactions between both regions as soon as the CEMEA rule went into effect on January 2006.”

This shift takes the liability off the merchant, but who does it go to?  Well according to the Financial Ombudsman Service (FOS) in the UK that handles consumer complaint disputes, it is the bank that is responsible for the fraud unless customers acted “without reasonable care”. This could include writing down a PIN or allowing someone else to use a card.  What does this really mean?  Well, banks around the world are struggling as consumers claim fraud and the banks claim “without reasonable care.”

Risky Business

In a ComputerWorld article, analyst Avivah Litan says that “companies such as Visa and MasterCard should consider easing some of their security requirements for U.S. merchants willing to make their payment systems EMV-ready. Visa has reduced the scope of its security audits in cases where organizations have implemented EMV technologies, and the same could be done in the U.S.”

Pardon? (Fallacy alert!)

Let’s remember that Chip/PIN only helps reduce fraud at a single merchant; it does not reduce the incidence of payment card data theft.  In fact, Chip/PIN transactions can be just as risky as magnetic stripe transactions from a data theft and skimming perspective.  Chip/PIN cards used at a payment terminal may leave “track equivalent data” which cannot be used to recreate the chip but could be used to re-encode the magnetic stripe on the back of traditional cards.  I mentioned this in 2008 and Gartner is still saying the same thing.

Conclusion

The US moving to Chip/PIN is a good thing and something that will drive down card-present fraud.  It may not directly impact payment card data theft and thus will not reduce the need for PCI DSS compliance. I remember teaching a PCI DSS class of QSAs (back then CISP assessors) in the UK back in 2006.  They struggled with the problem that merchants in the UK thought they didn’t need PCI DSS compliance because they had already adopted Chip/PIN, something they equated with “credit card security”.  I blogged about this from 2006 – 2007 to explain the differences between Chip/PIN and PCI DSS compliance and risks.

Companies that adopt Chip/PIN will still need to comply with the PCI DSS.  That being said, there are some benefits:

  • Reduced interchange (in some instances)
  • Reduced fraud (as measured in the UK by APACS)
  • Liability shift for Chip/PIN transactions


Rise of the Merchant Class

May 12th, 2010

Although you may know me more for my musings on traffic theory and becoming immortal, this post focuses on the increasing ease of exchanging money within our daily lives.

In the Beginning

You see, in the beginning was the bank, and the bank stored all the gold.  Accessing the gold required going to the bank and withdrawing it for use in the marketplace.  As new modes of communication evolved, the methods of exchanging money became easier and easier.  You now have ATMs replacing banks for dispensing cash, e-commerce replacing brick-and-mortar, and PayPal replacing Western Union.  (Ok, so perhaps “replaced” is a strong term; instead these services supplemented the older forms of exchanging funds.)

Throughout time one thing that held true was the relationship between the merchant and the consumer.  The merchant was typically a company and the consumer an individual.  Common marketplaces such as eBay helped break down the walls and enabled individuals to sell items to other individuals, but these still required a virtual storefront.

New Merchant Class

The term merchant is slowly being democratized in the open market place as individuals accept and exchange digital funds through fluid, simple, and inexpensive methods.  There are a number of factors that influence this new merchant class, so let’s go into a few.

  1. Increasing number of Payment Service Providers: The effect of Web 2.0 and social media applications has catalyzed the marketplace for new methods of exchanging money, both in virtual environments (Facebook, Second Life, Zynga) and via emerging payment methods (Spreedly, PayPal PayFlowPro, iPhone applications).  The lines between the individual and the merchant are blurring to the point that exchanging funds can be done more fluidly than ever before.
  2. Increasing number of payment integrators: With this increase in the number of payment service providers comes a wave of new businesses that aim to support the new merchant population.  With new merchants come new point-of-sale third parties who wish to sell them services and support.  More and more service providers are appearing with an ever greater list of services they offer to the new merchant class.  Each of these new service providers may act as a vector or path through which an attacker can access payment data.
  3. Becoming a merchant is easier than ever: In addition to the new methods of accepting payments, merchants can go mobile faster than ever.  Instead of accepting cash only at the local farmers market, the new merchant class will gladly accept major payment cards via their Square or VeriFone PAYware enabled iPhone.  This level of service, once reserved for more established merchants, is now being disseminated into the hands of the masses.
  4. Chip and PIN increasing: Chip and PIN, or EMV, has seen great success in reducing card-present fraud in Europe and Asia.  This technology recently jumped the pond and was adopted for implementation in Canada.  It’s only a matter of time before merchants in the US begin to see Chip and PIN technology rolled out to their personal cards and then to their retail locations.
  5. Cost cutting is key: Previous approaches to compliance were via the mass adoption of security technology.  These days merchants are more cost conscious and agile in their approach towards compliance and security.  The new merchant class calls for reduced costs through new technology such as point-to-point encryption and “tokenization”.  They are happy to exchange the flexible use of payment data for the security and cost savings of scope reduction.  They are looking for overlapping regulatory controls to kill multiple birds with one stone.  They don’t want point solutions but instead comprehensive approaches towards security.  They want strategy, flexibility, and mobility instead of “solutions”.
  6. Training and education needed: In order to achieve these goals (adopt new technology, reduce scope, and leverage internal employees) there is great demand for education on how to achieve them.  The need is stronger than ever for an educated merchant class who understand the tradeoffs and can make strategic decisions that balance not just compliance but also business direction.

Future of Electronic Money

Today we see the breakdown of traditional models and the democratization of technology that equips and enables mobile merchants.  Taking this to its natural evolution, we will next see the seamless move towards person-to-person transactions where exchanging money is as simple as tapping your mobile phone against that of another.

  • Want to split the dinner bill five ways? Put all your cell phones back to back and shake them in unison and the bill plus tip is split five ways and paid!
  • Do you owe your friend $10? Pay them via email!

The barriers of exchanging proverbial gold are dissolving and those that enable this new future will be the ones who survive and rise to the top.


The rise of Payment-card Skimming and Prevention

August 28th, 2009

The recent rise in payment-card (credit card) skimming has given rise to a number of press releases to notify the general public about the risks and how to prevent becoming a victim.

The PCI SSC released an information supplement titled: Skimming Prevention: Best Practices for Merchants.  In addition Commonwealth Bank released a slideshow on the same topic.

Although this is nothing new, it is on the rise, and thus we should be more aware than ever.  If you have a few hours to spare, check out the YouTube videos on:
