The recent security breach reported by Global Payments — as previously discussed here — continues to leave the payments industry searching for clues as to what went wrong this time, and what can be done to prevent a “next time.”
In payments industry newsletter The Green Sheet, Mark Bower, Vice President of Voltage Security Inc., said payment processors such as Global Payments have actually been targets for such attacks for years, even if most attempts aren’t successful. “If there’s one industry that absolutely needs to adopt a data-centric security strategy to mitigate breach risk, it’s the payments industry,” he said. He then referred to the PCI council, saying the council “recognizes these risks, so it should be no surprise if an organization that relies on older perimeter security strategies is breached and lands on the front pages of newspapers.”
But standards, even those espoused by the PCI (Payment Card Industry) Security Standards Council, are always shifting, racing to keep up. The Govinfosecurity.com website noted that in the wake of the breach (which they now think may have started earlier), Global Payments made a point of linking to a PCI announcement from its own site, trumpeting the fact that “all merchants must be compliant” according to PCI’s announcement to merchants, and that “the best way to obtain your compliance is to validate with a qualified secured assessor.”
Global Payments then mentioned two such assessors it was recommending to its clients, but the website’s article also noted that “the PCI message is tailored to Level 4 merchants – those processing fewer than 20,000 transactions per year – and it urges them to work with a pair of recommended payment application security vendors to assess compliance.”
The vendors recommended by Global could, among other things, help merchants locate “any stored unencrypted cardholder data that you may have in your system,” which is a critical point also touched on by AVP Solutions’ own security experts.
“Merchants should not store cardholder data,” AVPS’ experts say. “This is for customer safety. The only caveat is the data the consumer inputs on the SSL Secured checkout page and submits to the gateway for the purchase completion. In that moment, the data could be compromised. Once the authorization response is received the data is immediately encrypted by the gateway provider, such as AVPS’s NMI or others like Authorize Net, etc.”
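As an added illustration of what “locating stored unencrypted cardholder data” means in practice (this is example code written for this post, not a tool from Global Payments, AVPS or the assessors mentioned): a small Python scanner that flags Luhn-valid 13–19 digit sequences in text such as logs or order exports, and reports each hit masked to first six and last four digits so the scan report does not itself become another copy of the card number. The sample log lines are constructed; the card numbers in them are the publicly known Visa and American Express test numbers.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by spaces or hyphens,
# not adjacent to other digits (avoids slicing longer numeric runs).
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check as used for card numbers; filters out timestamps, order ids, etc."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Show only first 6 and last 4 digits, the maximum PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_unencrypted_pans(text: str) -> List[Tuple[int, str]]:
    """Return (line number, masked PAN) for every Luhn-valid candidate found in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_PATTERN.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                hits.append((lineno, mask_pan(digits)))
    return hits


# Constructed sample: two real-looking PANs (Visa/Amex test numbers), one
# tokenized order, one typo that fails Luhn, and a 14-digit reference number.
SAMPLE_LOG = """\
2012-04-01 order=10293 card=4111 1111 1111 1111 exp=0914
2012-04-01 order=10294 card=378282246310005
2012-04-01 order=10295 token=tok_9f2a7c status=approved
2012-04-01 order=10296 card=4111111111111112 (typo, fails Luhn)
ref=20120401123456
"""


def scan_sample() -> List[Tuple[int, str]]:
    return find_unencrypted_pans(SAMPLE_LOG)


if __name__ == "__main__":
    for lineno, masked in scan_sample():
        print(f"line {lineno}: unencrypted PAN {masked}")
```

Only lines 1 and 2 are reported; the tokenized order, the mistyped number and the numeric reference are ignored.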
Similarly, in one of their own white papers, predating the Global Payments breach, PCI observed that “encryption solutions are only as good as the industry-approved algorithms and key management practices used, including security controls surrounding the encryption/decryption keys (“Keys”). If Keys are left unprotected and accessible, anyone can decrypt the data.”
Encryption is important — but as with anything else, don’t leave your “keys” lying around.