Fallout Continues from Recent Global Payments Breach
The Continuing Impact of the Breach
The recent security breach at Global Payments, discussed earlier, still has the payments industry working to pinpoint what went wrong in this incident and how to prevent future breaches.
Industry Vulnerabilities Highlighted
In payments industry newsletter The Green Sheet, Mark Bower, Vice President of Voltage Security Inc., said payment processors such as Global Payments have been targets for such attacks for years, even if most attempts are not successful. He emphasized that the payments industry must urgently implement a data-centric security strategy to minimize breach risks. He also pointed out that the PCI council acknowledges these dangers, so it is unsurprising when organizations that depend on outdated perimeter security strategies find themselves compromised and in the headlines.
The Challenge of Keeping Standards Current
But standards, even those espoused by the PCI (Payment Card Industry) Security Standards Council, are always shifting, racing to keep up. The Govinfosecurity.com website noted that in the wake of the breach (which they now think may have started earlier), Global Payments made a point of linking to a PCI announcement from its own site, trumpeting the fact that “all merchants must be compliant” according to PCI’s announcement to merchants, and that “the best way to obtain your compliance is to validate with a qualified secured assessor.”
Merchant Compliance and Assistance
Global Payments recommended two assessors to its clients, and the website’s article highlighted that the PCI’s advice specifically targets Level 4 merchants, who process fewer than 20,000 transactions annually. It encourages them to collaborate with two suggested payment application security vendors for compliance assessment.
The Critical Role of Encryption
Global’s recommended vendors offer various services, including assisting merchants in identifying any unencrypted cardholder data within their systems, a crucial issue that AVP Solutions’ security experts also emphasize.
The sole exception is the data consumers enter on the SSL-secured checkout page and submit to the gateway to complete the purchase; at that point there is a window in which the data could be compromised. However, as soon as the authorization response is received, the gateway provider, whether AVPS’s NMI or others such as Authorize.Net, immediately encrypts the data.
Similarly, in one of their own white papers, predating the Global Payments breach, PCI observed that “encryption solutions are only as good as the industry-approved algorithms and key management practices used, including security controls surrounding the encryption/decryption keys (‘Keys’).”
Encryption is important — but as with anything else, don’t leave your “keys” lying around.