Chaordic Mind

Although you may know me more for my musings on traffic theory and becoming immortal, this post focuses on the increasing ease of exchanging money within our daily lives.

In the Beginning

You see, in the beginning was the bank and the bank stored all the gold.  Accessing the gold required going to the bank and withdrawing it for use in the market place.  As new modes of communication evolved the methods of exchanging money became easier and easier.  You now have ATMs replacing banks for dispensing cash, e-commerce replacing brick-and-morter, and PayPal replacing Western Union.  (Ok, so perhaps replaced is a strong term, instead these services supplemented the older forms of exchanging funds.)

Throughout time one thing that held true was the relationship between the merchant and the consumer.  The merchant was typically a company and the consumer an individual.  Common area market places such as eBay helped break down the walls and enabled individuals to sell items to other individuals, but still these required a virtual store front.

New Merchant Class

The term merchant is slowly being democratized in the open market place as individuals accept and exchange digital funds through fluid, simple, and inexpensive methods.  There are a number of factors that influence this new merchant class, so let’s go into a few.

1. Increasing number of Payment Service Providers: The affect of Web 2.0 and social media applications have catalyzed the marketplace for new methods of exchanging money in both a virtual environment (Facebook, Second Life, Zynga) and via emerging payment methods (Spreedly, PayPal PayFlowPro, iPhone applications).  The lines between the individual and the merchant are blurring to the point that exchanging funds can be done more fluidly than ever before.
2. Increasing number of payment integrators: With this increase in the number of payment service providers comes a wave of new businesses that aim to support the new merchant population.  With new merchants come new point of sale third parties who wish to sell them services and support.  More and more service providers are appearing with an ever greater list of services they are offering to the new merchant class.  Each of these new services providers may act as a vector or path through which an attacker can access payment data.
3. Becoming a merchant is easier than ever: In addition to the new methods of accepting payments, merchants can go mobile faster than ever.  Instead of accepting cash only at the local farmers market, the new merchant class will gladly accept major payment cards via their Square or VeriFone PAYware enabled iPhone.  This level of service, once reserved for more established merchants, is now being disseminated into the hands of the masses.
4. Chip and PIN increasing: Chip and PIN or EMV has seen great successes in reducing card present fraud in Europe and Asia.  This technology recently jumped-the-pond and was adopted for implementation in Canada.  It’s only a matter of time before merchants in the US begin to see Chip and PIN technology rolled out to their personal cards and then to their retail locations.
5. Cost cutting is key: Previous approaches to compliance were via the mass adoption of security technology.  These days merchants are more cost conscious and agile in their approach towards compliance and security.  The new merchant class calls for reduced costs through new technology such as point-to-point encryption and “tokenization”.  They are happy to exchange the flexible use of payment data for the security and cost savings of scope reduction.  They are looking for overlapping regulatory controls to kill multiple birds with one stone.  They don’t want point solutions but instead comprehensive approaches towards security.  They want strategy, flexibility, and mobility instead of “solutions”.
6. Training and education needed: In order to achieve these goals: adopt new technology, reduce scope, and leverage internal employees there is a great demand for education and how they can achieve all this.  The need is stronger than ever for an educated merchant class who understand the tradeoffs and can make strategic decisions that balance not just compliance but also business directions.

Future of Electronic Money

Today we see the break down from traditional models and democratization of technology that equips and enables mobile merchants.  Taking this to its natural evolution we will next see the seamless move towards person-to-person transactions where exchanging money is as simple as taping your mobile phone against that of another.

• Want to split the dinner bill five ways? Put all your cell phones back to back and shake them in unison and the bill plus tip is split five ways and paid!
  
• Do you owe your friend $10? Pay them via email!

The barriers of exchanging proverbial gold are dissolving and those that enable this new future will be the ones who survive and rise to the top.

When a situation is not risky, there is little need to manage or measure the risk involved.  This applies equally to lending money to friends, reading utility meters, and until a few years ago, handling credit card transactions.  With the growing risk to financial transactions there is a need to improve the ways acquiring banks, processors, gateways, and even merchants manage and measure their risk.

In fact, prior to the PCI DSS the metrics involved in measuring the risk in an acquiring bank’s merchant portfolio were rather basic.  You look at the number of transactions per month and categorize the merchants into business categories.  One would say that online gambling would be riskier than grocery stores.  The logic seemed flawless, at least for the environment at the time.

Unfortunately the environment changed and hackers turned from fame and glory seekers to those wanting large financial payoffs from their prowess.  They began attacking merchants and even banks by finding the low-hanging-fruit never imagined by the industry.  The hackers began targeting:

• POS systems directly connected to the Internet with weak remote access methods
• Weak or insecure wireless located at physical stores
• Insecurities in partner and vendor connections to companies
• Insecure web application software

The hackers identified, by brute force, holes in the security of an industry that were never imagined by those creating the metric for managing their risk.  When the compromises reached a tipping point, the industry began to shift the focus to security.  The banks and card brands formed the PCI Security Standards Council (PCI SSC or Council) in 2006 and invited merchants, POS vendors, and other industry experts to participate (as Participating Organizations.)

In order to realize the importance of this change you have to first understand that people do things based on incentives, and for most companies security is not something they are very willing spend money on.  This can be seen in the ever increasing number of data breaches that occur every day.  Anyone who has had teenagers can tell you that in order to “encourage” a person to do the right thing you need to properly incent them.  Regulatory compliance has been the thing that has incented companies to place an importance on information security for the last 10 years, and PCI DSS compliance has been the leading force for the last three years.

This might pass over as just another regulatory issue like GLBA or SOX if not for the fact that it’s not specific to a business vertical.  The payments industry is sometimes called a “horizontal” because it cuts across so many areas such as banking an finance, travel and entertainment, health care, power and energy, etc.  In fact PCI DSS is the first globally enforced, industry regulated, cross-industry compliance program.  It’s goal is simple: prevent the electronic and paper theft of payment card data.

But why?  Don’t you like it when we ask why?  The reason was not to do this because it’s the right thing.  We all like to say we are acting “green” by composting when really it’s just a way of reducing the cost of our garbage bill.  We want to prevent the loss of this data because someone is paying for the fraud: other merchants, acquiring banks, and many more.

So, we begin to understand that acquiring banks use the binary aspect of PCI DSS compliance as a measuring stick to determine the risk within their merchant portfolio.  Sure there are still the number of transactions, type of business, and size of the organization, but now there is the check box of security.  What does this really mean in practical terms?

Well, of all the PCI DSS requirements, the most important by all accounts is 3.2 which mandates that sensitive authentication data should not be retained post-authorization.  The other requirements for security act to protect this data from being intercepted in the first place.  The end result is that hackers should never have any access to this sensitive authentication data.

OK, so the standard exists to protect the super secret data so banks can measure how risky their merchants are to them.  This acts much like the credit rating agencies such as Moody’s and Standard & Poors.  The question is, “Are the current  metrics sufficient for measuring risk in a merchant portfolio?”

I would argue that, much like the credit rating that says “AAA”, the PCI DSS is only one part of the holistic approach merchant banks should take to measuring risk within their portfolio.  Think back to the collateralized debt obligation (CDO) market that just exploded.  People were packaging mortgages together into one security that people could then trade against.  The problem is understanding the impact that all those thousands of mortgages and the people behind them will have on the value of that one security.

In a similar way, banks need to look at PCI DSS as just one factor in analyzing the risk to their portfolio.  I’d argue that to keep the model working one should look to the Verizon Data Breach report and analyze attack vectors to determine what areas should be measured.

If we look at the data breach landscape we see the following numbers:

• 74% resulted from external sources
• 20% were caused by insiders
• 32% implicated business partners
• 39% involved multiple parties

The metrics companies and banks should use for measuring risk should include:

• Third Parties and the data they share (all three types)
• Deployment of a wireless network (proximity to acceptance channels such as POS)
• Number and size of business processes (POS network, databases, applications)
• Connected business units (call center, data warehouse, or physically insecure locations)

Individual merchants need to prioritize attack vectors.  If we know that more hacking events occur due to weak passwords or default passwords we should focus on eliminating things like “<blank>” or “password” or “<vendor name>” rather than focusing on achieving 7 character, alpha-numeric ones (which for the record are no better than 5 character ones in theory.)

I argue that we need more focus on attack vector trending threat models for regulatory compliance before we focus on the broad spectrum of security best practices.